--- name: oh-my-audit-free-self-check description: Free self-check checklist for vibe-coded web apps before launch. Use it to review common auth, admin, payment, webhook, secret, upload, data boundary, and abuse risks. --- # Oh My Audit Free Self-Check Use this as a quick first pass before launch. It does not replace a full audit and does not provide a Reviewed Badge. ## How to use Review the project routes, API handlers, middleware, server actions, payment/webhook code, storage settings, and deployment configuration. For each item, answer: - Pass: evidence exists in server-side code or production configuration. - Unsure: you cannot prove it from code. - Fail: missing, client-only, or easy to bypass. If any item is `Unsure` or `Fail` and the app handles users, payments, uploads, or paid features, consider a paid Oh My Audit review before launch. ## Checklist 1. Auth boundary - Are login-required pages and APIs protected on the server, not only hidden in the UI? 2. Admin access - Do `/admin` routes and admin APIs enforce role checks on the server? 3. User data ownership - Can a user change `userId`, `orgId`, `tenantId`, or URL params to access another user's data? 4. Payments - Does the server verify product ID, price, order status, and idempotency instead of trusting client values? 5. Webhooks - Are webhook signatures verified with the raw request body, and are duplicate events handled safely? 6. Secrets - Are private keys, service role keys, and `.env` values excluded from the client bundle, logs, and repository? 7. File uploads - Are upload type, size, filename, storage path, and public access restricted? 8. Server-side validation - Are form and API payloads validated server-side, including role, status, price, and plan fields? 9. Rate limits and abuse - Are login, signup, email, payment, password reset, and AI-cost endpoints protected from repeated calls? 10. Production config - Are debug output, stack traces, broad CORS, insecure cookies, and preview URLs controlled in production? ## Upgrade triggers Request a paid audit when the app has any of these: - Payments, subscriptions, credits, coupons, or paid features - Admin dashboard or role-based access - Personal data or user-generated content - File uploads - AI API calls with usage cost - Launch deadline or investor/customer demo Free self-checks are only a first pass. Paid audits include risk ranking, fix guidance, and reviewed badge eligibility when conditions are met.