Security Checklist for AI-Generated Apps: Auth, RBAC, Payments
AI can scaffold features in minutes, but shipping safely requires discipline. Use this checklist to harden apps created with developer productivity tools, a subscription app builder AI, or an email/password + OAuth authentication builder. Treat it as guard rails you automate in CI, not a once-a-year document.
Identity and Authentication
- Prefer managed identity: SSO first, then email/password hashed with Argon2id (or bcrypt, which salts automatically), plus mandatory MFA.
- Store credentials and keys only in a secrets manager; never in code, repos, or CI logs.
- Short-lived access tokens (≤15 min), refresh tokens bound to device and IP, with rotation and reuse detection.
- OAuth/OpenID scopes per feature; deny by default and display consent screens with clear data use.
- Session fixation and CSRF defenses: SameSite=strict, secure cookies, CSRF tokens, and origin checks.
- Account recovery: step-up verification, signed links with short TTLs, and brute-force rate limits.
RBAC, ABAC, and Data Boundaries
- Model roles and granular permissions in code and database; enforce both in API and UI.
- Use policy engines (OPA/Cedar) for auditability; keep business rules as policies, not scattered ifs.
- Enable row-level security; every query scoped by tenant_id and ownership.
- Cache permissions with versioned tokens; revoke via push or short TTLs to contain blast radius.
- Log authorization decisions including actor, resource, action, and policy version.
Payments and Subscriptions
- Outsource PCI: never handle raw card numbers (PANs); rely on tokenized providers.
- Verify webhook signatures and timestamps; process with idempotency keys and retries.
- Represent entitlements explicitly (features, limits) and derive UI/API gates from them.
- Prevent plan spoofing: server-side checks only; reject client claims.
- Guard against abuse: velocity limits, trial device checks, and SCA where applicable.
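An added example (not code from the original checklist) of the webhook and entitlement items above: verify the provider's signature and timestamp before parsing the body, apply each event once using its id as an idempotency key, and derive the customer's plan server-side from the verified event. The signing scheme ("<timestamp>.<raw body>" under HMAC-SHA256), the header names, the secret and the event payload are all constructed assumptions; real providers differ, so follow their documentation.

```python
import hashlib
import hmac
import json
import time

# Constructed example: the provider is assumed to sign "<timestamp>.<raw body>"
# with HMAC-SHA256 and send the timestamp and hex digest in two headers.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"  # load from a secrets manager in practice
TOLERANCE_SECONDS = 300  # reject timestamps outside a 5-minute window (replay defence)

# Idempotency store: event id -> status. A real app uses a DB table with a
# unique constraint so concurrent retries of the same event cannot both apply it.
_processed: dict = {}
# Entitlements live server-side and are derived only from verified events.
ENTITLEMENTS: dict = {}


def sign(timestamp: int, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Expected signature over 'timestamp.body' (the assumed provider scheme)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, now=None) -> bool:
    """Timestamp freshness check plus constant-time signature comparison."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Signature-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay attempt
    return hmac.compare_digest(sign(ts, body), headers.get("X-Signature", ""))


def handle_webhook(headers: dict, body: bytes, now=None) -> str:
    """Verify the event, then apply it exactly once. Returns a status string."""
    if not verify_webhook(headers, body, now):
        return "rejected"  # never parse or act on an unverified body
    event = json.loads(body)
    if event["id"] in _processed:
        return "duplicate"  # provider retry of an applied event: safe no-op
    if event["type"] == "subscription.updated":
        # Plan and limits come from the provider's verified event, never from the client.
        ENTITLEMENTS[event["customer"]] = {"plan": event["plan"], "seats": event["seats"]}
    _processed[event["id"]] = "applied"
    return "applied"
```

Checking the timestamp before the idempotency lookup means a replayed old event is rejected outright rather than reported as a benign duplicate.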
AI Code and Supply Chain
- Pin dependencies, run SCA/secret scans, and lock transitive versions.
- Review AI-generated code for prompt injection, SSRF, and unsafe eval or deserialization.
- Isolate LLM tools with allow-lists, egress controls, and per-tool tokens.
- Infrastructure as code with policy checks; separate prod, staging, and ephemeral preview envs.
Operations and Testing
- Centralized logging with PII redaction; alert on auth anomalies and payment failures.
- Backups with restore drills; define RPO/RTO and test them quarterly.
- Security headers: HSTS, CSP, X-Frame-Options; enforce TLS everywhere, mTLS internally.
- Threat models per feature, unit/integration tests for auth and RBAC, and recurring pen tests.
Governance and Compliance
- Map controls to SOC 2/ISO 27001; automate evidence from CI, cloud, and ticketing.
- Data maps and DPAs per vendor; document processors, sub-processors, and residency.
- Key management: customer-managed keys optional, rotation policies, and access trails.
- Just-in-time support access with break-glass approval and session recording.
Make the secure path the fast path: codify this list into templates and pipelines. Your AI accelerators remain valuable, but only when every commit keeps users, revenue, and reputation safe. Bake security into every developer workflow.