> ## Documentation Index
> Fetch the complete documentation index at: https://docs.launchtoday.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Security best practices for your production app

## Overview

Security is critical for any production app handling user data. This section covers essential security practices for Launch applications.

## Prerequisites

* Production environment configured
* Access to deployment logs and secrets manager

<CardGroup cols={2}>
  <Card title="Mobile Security" icon="lock" href="/security/mobile-security">
    Secure storage, data protection, and device security
  </Card>

  <Card title="Security Checklist" icon="check" href="/security/checklist">
    Pre-launch security review checklist
  </Card>
</CardGroup>

## Built-in Security Features

Launch includes these security features out of the box:

| Feature                  | Description                             |
| ------------------------ | --------------------------------------- |
| **Presigned URLs**       | S3 uploads without exposing credentials |
| **Secure Token Storage** | Expo SecureStore for sensitive data     |
| **HTTPS Only**           | All API communication over TLS          |
| **Input Validation**     | Zod schemas for all API inputs          |
| **CORS Configuration**   | Restricted origins for API access       |
| **Session Management**   | Secure session tokens with Better Auth  |

## Security Principles

<AccordionGroup>
  <Accordion title="Never trust client input">
    Always validate and sanitize all data coming from the client, even if it
    seems to come from your own app.
  </Accordion>

  <Accordion title="Principle of least privilege">
    Only request permissions you need. Only expose data the user should access.
  </Accordion>

  <Accordion title="Defense in depth">
    Multiple layers of security. If one fails, others still protect.
  </Accordion>

  <Accordion title="Keep secrets secret">
    Never commit secrets to git. Use environment variables and secret managers.
  </Accordion>
</AccordionGroup>

## Steps

## Quick Security Wins

<Steps>
  <Step title="Enable HTTPS">Ensure your production API uses HTTPS only</Step>

  <Step title="Set secure headers">
    Add security headers to your API responses
  </Step>

  <Step title="Rate limit auth endpoints">
    Prevent brute force attacks on login
  </Step>

  <Step title="Validate all inputs">
    Use Zod schemas for every API endpoint
  </Step>

  <Step title="Audit dependencies">Run `pnpm audit` regularly</Step>
</Steps>

<Warning>
  **Before launching**, complete the [Security Checklist](/security/checklist)
  to ensure you haven't missed any critical security measures.
</Warning>

## Troubleshooting

* **Leaky logs**: review logging config and sanitize inputs
* **Auth failures**: verify provider env vars and callback URLs

## Next Steps

* [Security Checklist](/security/checklist)
* [Mobile Security](/security/mobile-security)
