
Overview

Security is critical for any production app handling user data. This section covers essential security practices for Launch applications.

Prerequisites

  • Production environment configured
  • Access to deployment logs and secrets manager

Built-in Security Features

Launch includes these security features out of the box:
  • Presigned URLs: S3 uploads without exposing credentials
  • Secure Token Storage: Expo SecureStore for sensitive data
  • HTTPS Only: all API communication over TLS
  • Input Validation: Zod schemas for all API inputs
  • CORS Configuration: restricted origins for API access
  • Session Management: secure session tokens with Better Auth

Security Principles

  • Never trust the client: always validate and sanitize all data coming from the client, even if it appears to come from your own app.
  • Least privilege: only request the permissions you need, and only expose the data the user is allowed to access.
  • Defense in depth: use multiple layers of security, so that if one fails the others still protect.
  • Secrets management: never commit secrets to git; use environment variables and a secrets manager.

Steps

Quick Security Wins

  1. Enable HTTPS: ensure your production API uses HTTPS only.
  2. Set secure headers: add security headers to your API responses.
  3. Rate limit auth endpoints: prevent brute-force attacks on login.
  4. Validate all inputs: use Zod schemas for every API endpoint.
  5. Audit dependencies: run pnpm audit regularly.
Before launching, complete the Security Checklist to ensure you haven’t missed any critical security measures.

Troubleshooting

  • Leaky logs: review the logging configuration and redact secrets, tokens and personal data before they reach log output
  • Auth failures: verify provider env vars and callback URLs

Next Steps