5 Checks Before Product Hunt
A Product Hunt launch does two things at once: it sends you real traffic, and it sends you *curious* traffic. Some of those visitors will open the browser console. That's not a reason to panic — it's a reason to spend one afternoon on five checks before the link goes out.
1. Database rules (the big one)
If you use Supabase or Firebase, this is the check that matters most. Independent reviews in early 2026 found the large majority of vibe-coded apps shipped with Row Level Security effectively disabled — meaning anyone with your public anon key could read or change any row directly, no login required. The CVE-2025-48757 disclosure showed exactly this pattern across 170+ live apps.
Fix: enable RLS on every table and write a policy that actually scopes rows to the current user. A policy of USING (true) passes every row, so it is equivalent to leaving RLS off.
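The select policy below only covers reads. As an added example (not from the page), here is the full set of policies a user-owned table needs in Supabase Postgres, with the USING (true) anti-pattern shown first for contrast; the table public.notes and its user_id column are assumed.

```sql
-- Anti-pattern: RLS is "on", yet every anon-key holder can read every row.
-- create policy "anyone can read" on public.notes for select using (true);

alter table public.notes enable row level security;

-- Reads: only rows whose user_id matches the caller's JWT subject.
create policy "owner can read own notes"
  on public.notes for select
  to authenticated
  using ( (select auth.uid()) = user_id );

-- Inserts: a new row must be stamped with the caller's own id,
-- so a client cannot create notes on another user's behalf.
create policy "owner can insert own notes"
  on public.notes for insert
  to authenticated
  with check ( (select auth.uid()) = user_id );

-- Updates: USING limits which rows can be targeted; WITH CHECK blocks
-- re-assigning a row to a different user_id in the same statement.
create policy "owner can update own notes"
  on public.notes for update
  to authenticated
  using ( (select auth.uid()) = user_id )
  with check ( (select auth.uid()) = user_id );

create policy "owner can delete own notes"
  on public.notes for delete
  to authenticated
  using ( (select auth.uid()) = user_id );

-- Verify: this should return zero rows once every public table is covered.
select schemaname, tablename
  from pg_tables
 where schemaname = 'public' and not rowsecurity;
```

Granting the policies `to authenticated` rather than the default (all roles) means the anon role gets nothing unless you add a policy for it deliberately.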
alter table public.notes enable row level security;
create policy "owner can read own notes"
  on public.notes for select
  using ( (select auth.uid()) = user_id );
2. Secrets in the client bundle
Anything prefixed NEXT_PUBLIC_ (or imported into client code) is shipped to every visitor. The classic mistake is putting a Supabase service_role key or a server API key there — the service role bypasses all your RLS rules by design.
- Open your deployed site, view source / open the JS bundle, and search for service_role, sk_, and secret.
- Keep server-only keys in server environment variables, never NEXT_PUBLIC_*.
- Rotate any key that has ever been pasted into a chat, a screenshot, or a public repo.
3. Security headers
Default deployments often ship without HSTS, a content security policy, or clickjacking protection. These don't change how your app looks — they just close easy gaps. On Next.js you set them in next.config.js; on Cloudflare, HSTS is a single toggle.
4. Email spoofing (SPF / DKIM / DMARC)
If your domain can send email, make sure someone *else* can't send email pretending to be you. Three DNS records — SPF, DKIM, and DMARC — handle this. It takes a few minutes and protects your brand and deliverability.
5. Origin IP exposure
If you put Cloudflare in front of your app for protection, but your real server IP is still discoverable (for example through old DNS records or certificate transparency logs), attackers can skip the protection entirely. A quick check confirms your origin actually sits behind the CDN.
Run all five in ~10 seconds
You can do these by hand, or paste your URL into LaunchPal and get all of them — plus a few more — in one Launch Readiness Score. Log in to download the AI Fix Pack (.md) with the exact fixes for your stack.
FAQ
Is it safe to scan a production site on launch day?
Yes — the passive checks only fetch public pages, the same as any visitor would. Deeper active checks run only after you verify you own the domain.
I'm not technical. Can I still fix these?
Most of these are one-line or one-toggle fixes, and the AI Fix Pack gives step-by-step instructions you can paste into Cursor or Claude to apply.
LaunchPal provides launch readiness checks, not a professional penetration test.