Lock down your app's behind-the-scenes URLs - shippingszn launch readiness
Your app has a frontend (what users see) and a backend (the URLs the frontend calls to load and save data — these are called API endpoints). If those backend URLs aren't checking who's asking and what they're allowed to do, anyone with browser developer tools can call them directly and do whatever they want.
This is one of the most common silent disasters in AI-built apps: the frontend hides the "delete account" button from non-admins, but the backend lets anyone call /api/delete-account if they know the URL. The button is decoration; the backend check is the actual lock.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- Every endpoint that touches user data should check: "is this person logged in?"
- Every endpoint that touches a specific user's data should also check: "is this person allowed to access THIS user's data?" This is the most commonly missed step.
- Validate every input on the backend — don't trust the frontend to send you clean data.
- Ask your AI builder: "go through every API endpoint in my project and tell me which ones don't check authentication or authorization, and fix them."
- Set up CORS so only your own frontend can call your backend.
Run the scanner | Unlock Launch Fix Kit
Canonical URL: https://shippingszn.com/i/secure-api/