Lock down your app's behind-the-scenes URLs - shippingszn launch readiness
Your app has a frontend (what users see) and a backend (the URLs the frontend calls to load and save data — these are called API endpoints). If those backend URLs aren't checking who's asking and what they're allowed to do, anyone with browser developer tools can call them directly and do whatever they want.
This is one of the most common silent disasters in AI-built apps: the frontend hides the "delete account" button from non-admins, but the backend lets anyone call /api/delete-account if they know the URL. The button is decoration; the backend check is the actual lock.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- Every endpoint that touches user data should check: "is this person logged in?"
- Every endpoint that touches a specific user's data should also check: "is this person allowed to access THIS user's data?" This is the most commonly missed step.
- Validate every input on the backend — don't trust the frontend to send clean data. Client-side Zod is UX; server-side validation is security.
- Return generic errors to users and log detailed errors server-side. Never hand an attacker table names, SQL, stack traces, or schema details.
- Ask your AI builder: "go through every API endpoint in my project and tell me which ones don't check authentication or authorization, and fix them."
Run the scanner | Unlock Launch Fix Kit
Canonical URL: https://shippingszn.com/i/secure-api/