[00 // secure-by-default saas boilerplate]

The SaaS starter that won't leak your users' data.

  • RLS on every table
  • verified Stripe webhooks
  • rate limiting
  • strict headers
  • checked before every deploy

One-time payment. Instant download. Free updates.

BaseGuard dashboard: signed-in user view with subscription status
9/9 security checks passed
7/7 tables with RLS enforced
40 bundle files scanned, zero secrets found

[01 // audit]

Most starters ship features. Security is left as an exercise.

Auth pages and a pricing table are the easy 80%. The 20% that protects your users is what usually gets skipped — until it's on the front page of a breach writeup.

typical-starter → baseguard.diff 6 hunks · security surface

--- a/typical-starter

+++ b/baseguard

@@ row-level security @@

-off by default. one missing policy exposes every row

+enabled on every table, with example policies to copy

@@ secrets in the client bundle @@

-nobody checks. one wrong import ships your API key

+server-only secrets, scanned on every security-check run

@@ rate limiting @@

-not included. login endpoints take unlimited guesses

+on auth and API routes out of the box

@@ security headers @@

-framework defaults only

+CSP, HSTS and X-Frame-Options configured and documented

@@ stripe webhooks @@

-often trusted blindly — anyone can fake an event

+signature verified before any event is processed

@@ input validation @@

-ad hoc, if at all

+zod schemas on every server action and route handler

every "+" line ships enabled by default. none of it is a TODO.

[02 // ship]

A real app, not a demo.

Auth, billing, dashboard and tests — wired together and ready to rename. Clone it, run one command, start building your actual product.

localhost:3000/dashboard
BaseGuard dashboard with account, subscription and security status for a signed-in user

Auth

src/lib/auth/
  • Supabase Auth on Postgres, ready for email and OAuth
  • Row Level Security enabled on every table, with example policies
  • Rate limiting on every auth route

guards.ts · actions.ts · supabase/migrations/

Billing

src/lib/billing/
  • Stripe subscriptions, checkout to customer portal
  • Webhook signatures verified before processing
  • Customer portal for upgrades and cancellations

stripe.ts · api/webhooks/stripe/route.ts
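The billing module above verifies the Stripe signature before any event is processed. As an added illustration of what that check involves (this is not BaseGuard's route.ts and not the Stripe SDK's own helper; it reimplements Stripe's documented scheme with plain Node crypto), the example below parses the Stripe-Signature header, recomputes the HMAC-SHA256 over `${timestamp}.${rawBody}`, compares it in constant time, rejects timestamps outside a tolerance window, and only then parses the JSON body. The function names, the handler shape and the whsec_ value used in the test are assumptions for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not BaseGuard's code). Stripe signs `${timestamp}.${rawBody}`
// with HMAC-SHA256 keyed by the endpoint secret and sends the result as
// `Stripe-Signature: t=<unix seconds>,v1=<hex>[,v1=<hex>...]`.

export interface SignatureHeader {
  timestamp: number;
  signatures: string[]; // every v1= value present in the header
}

export function parseSignatureHeader(header: string): SignatureHeader | null {
  let timestamp = NaN;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") signatures.push(value);
  }
  if (!Number.isInteger(timestamp) || signatures.length === 0) return null;
  return { timestamp, signatures };
}

function expectedSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export function verifyWebhookSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds: number = 300,
): boolean {
  const parsed = parseSignatureHeader(header);
  if (parsed === null) return false;
  // A stale or future-dated timestamp is rejected to limit replay of a captured delivery.
  if (Math.abs(nowSeconds - parsed.timestamp) > toleranceSeconds) return false;
  const expected = Buffer.from(expectedSignature(secret, parsed.timestamp, rawBody), "hex");
  // Accept if any v1 value matches; the length check keeps timingSafeEqual from throwing.
  return parsed.signatures.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// Plays Stripe's side for local testing: builds a valid header for a body.
export function signWebhookBody(rawBody: string, secret: string, timestamp: number): string {
  return `t=${timestamp},v1=${expectedSignature(secret, timestamp, rawBody)}`;
}

// Handler shape: verify first, parse second, act third. The body is never
// touched while the signature is unverified.
export function handleWebhook(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number,
): { status: number; eventType?: string } {
  if (!verifyWebhookSignature(rawBody, header, secret, nowSeconds)) {
    return { status: 400 };
  }
  const event = JSON.parse(rawBody) as { type?: string };
  return { status: 200, eventType: event.type };
}
```

The raw body passed to the check has to be the exact bytes Stripe sent; if a framework parses and re-serialises the JSON before the handler sees it, the HMAC no longer matches and every legitimate event is rejected.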

Security

src/lib/security/
  • zod validation on every server action
  • Strict headers: CSP, HSTS, X-Frame-Options
  • Rate limiting on API routes
  • npm run security-check — scans for leaked secrets, missing RLS, missing headers

headers.ts · rate-limit.ts · scripts/security-check.mjs

DX

src/
  • Next.js 15 App Router, TypeScript, Tailwind
  • Vitest + Playwright smoke tests
  • Deploy guides for Vercel and Cloudflare

middleware.ts · tests/e2e/smoke.spec.ts

[03 // verify]

The “before you deploy” checklist.

This is the actual checklist from the BaseGuard docs. It exists because every item on it has burned a real app somewhere. The boilerplate handles each one — the list is how you verify it.

npm run security-check automates the secrets, RLS and header checks. The rest take about five minutes.

npm run security-check
Real terminal output of the security-check script with all nine checks passing
Real output from the shipped script — not a mockup.
SECURITY-CHECKLIST.md
  1. RLS enabled on every table — and the policies actually reviewed
  2. No secrets in the client bundle
  3. .env files out of git, .env.example committed instead
  4. Security headers set: CSP, HSTS, X-Frame-Options
  5. Stripe webhook signatures verified
  6. Rate limits live on auth and API routes
  7. Every server action validates input with zod
  8. Smoke tests green: Vitest + Playwright
Included in the download as a markdown file — keep it in your repo, run it before every launch.

[04 // checkout]

Pay once. Ship as many products as you want.

base

$49 one-time

The full application with every security default. Everything you need to launch.

  • Full Next.js 15 app: auth, billing, dashboard
  • All security defaults + security-check script
  • Vitest + Playwright smoke tests
  • Docs + deploy guides for Vercel and Cloudflare
Get Base — $49
pro

everything + admin, orgs, emails, export

$149 one-time

For products that need teams, admin and email from day one.

  • Transactional emails via Resend
  • Admin panel
  • Teams / organizations multitenancy
  • Data export
Get Pro — $149
Instant download. Free updates. License: personal and commercial use. No resale of the source.

[05 // faq]

Fair questions.

BaseGuard is built on Supabase: Postgres for data, Supabase Auth for sessions, and RLS policies on every table. That combination is the core of the security model, so yes — Supabase is the supported path.

You own the source, so technically yes. But the RLS policies, auth flow and security-check rules assume Supabase. If you swap it out, the security guarantees become your job to rebuild — budget real time for that.

Three classes of problems: leaked secrets (keys in the client bundle or tracked .env files), missing RLS on any table, and missing security headers. It runs locally in seconds and is meant to be part of your deploy routine, not a one-time audit.
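The three check classes described above, as an added example that is not the shipped scripts/security-check.mjs: static versions of each check (secret-shaped strings in bundle files, .env paths in the list of git-tracked files, CREATE TABLE statements in migration SQL without a matching ENABLE ROW LEVEL SECURITY, and required response headers), run over constructed in-memory inputs so it works offline. The function names, the pattern list, the SQL parsing rules and the sample inputs are all assumptions; the real script's rules and output format are not known from this page.

```typescript
// Added example, not BaseGuard's script. Static checks for the three classes
// named in the FAQ: leaked secrets, missing RLS, missing headers.

export interface Finding {
  check: "secret" | "env" | "rls" | "header";
  where: string;
  detail: string;
}

export interface CheckInput {
  bundle: Record<string, string>;      // client bundle path -> file contents
  trackedPaths: string[];              // paths git tracks (e.g. `git ls-files`)
  migrations: Record<string, string>;  // migration path -> SQL text
  headers: Record<string, string>;     // response headers from a deployed page
}

// Constructed, deliberately short pattern list; a real scanner carries many more.
const SECRET_PATTERNS: Array<{ name: string; re: RegExp }> = [
  { name: "Stripe secret key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b/ },
  { name: "Stripe webhook secret", re: /\bwhsec_[A-Za-z0-9]{8,}\b/ },
  { name: "JWT-shaped token", re: /\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b/ },
];

// Class 1a: secret-shaped strings inside files that ship to the browser.
export function scanBundleForSecrets(bundle: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(bundle)) {
    for (const p of SECRET_PATTERNS) {
      if (p.re.test(bundle[file])) out.push({ check: "secret", where: file, detail: p.name });
    }
  }
  return out;
}

// Class 1b: .env files tracked by git; only .env.example is expected to be tracked.
export function trackedEnvFiles(trackedPaths: string[]): Finding[] {
  return trackedPaths
    .filter((p) => /(^|\/)\.env(\.[^/]+)?$/.test(p) && !p.endsWith(".env.example"))
    .map((p) => ({ check: "env" as const, where: p, detail: ".env file is tracked by git" }));
}

// Class 2: every table created in the migrations must also have RLS enabled somewhere.
export function tablesMissingRls(migrations: Record<string, string>): Finding[] {
  const created = new Map<string, string>(); // table -> file that created it
  const enabled = new Set<string>();
  const createRe = /create\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?"?(\w+)"?/gi;
  const rlsRe = /alter\s+table\s+(?:public\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security/gi;
  for (const file of Object.keys(migrations)) {
    const sql = migrations[file];
    let m: RegExpExecArray | null;
    createRe.lastIndex = 0;
    while ((m = createRe.exec(sql)) !== null) created.set(m[1].toLowerCase(), file);
    rlsRe.lastIndex = 0;
    while ((m = rlsRe.exec(sql)) !== null) enabled.add(m[1].toLowerCase());
  }
  const out: Finding[] = [];
  created.forEach((file, table) => {
    if (!enabled.has(table)) out.push({ check: "rls", where: file, detail: `table ${table} has no RLS` });
  });
  return out;
}

// Class 3: the three headers the checklist requires, matched case-insensitively.
const REQUIRED_HEADERS = ["content-security-policy", "strict-transport-security", "x-frame-options"];
export function missingSecurityHeaders(headers: Record<string, string>): Finding[] {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return REQUIRED_HEADERS
    .filter((h) => !present.has(h))
    .map((h) => ({ check: "header" as const, where: "response", detail: `${h} not set` }));
}

export function runSecurityCheck(input: CheckInput): { passed: boolean; findings: Finding[] } {
  const findings: Finding[] = [
    ...scanBundleForSecrets(input.bundle),
    ...trackedEnvFiles(input.trackedPaths),
    ...tablesMissingRls(input.migrations),
    ...missingSecurityHeaders(input.headers),
  ];
  return { passed: findings.length === 0, findings };
}

// Constructed sample input: one leaked key, one tracked .env, one table without RLS,
// one missing header. Each check class should report exactly one finding.
export const SAMPLE: CheckInput = {
  bundle: {
    "dist/chunks/app.js": "export const pub = 'pk_test_publishableIsFine';",
    "dist/chunks/billing.js": "const k = 'sk_live_constructedLeak0001';",
  },
  trackedPaths: ["package.json", ".env.example", ".env.local", "src/app/page.tsx"],
  migrations: {
    "supabase/migrations/0001_init.sql":
      "create table public.profiles (id uuid primary key);\n" +
      "alter table public.profiles enable row level security;\n" +
      'create table "subscriptions" (id uuid primary key);\n',
  },
  headers: { "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY" },
};
```

The RLS check here is purely static and only as good as the migrations it reads; a table created outside the migration files, or RLS disabled later by hand, would not be caught. Querying the database itself is the stronger form of the check, but this version needs no running Postgres.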

No. Auth and the rest of the app run without Stripe keys. The billing module — checkout, verified webhooks, customer portal — is wired and waiting for when you're ready to charge.

Personal and commercial use: build and sell as many products on top of it as you like. The one thing you can't do is resell or redistribute the boilerplate source itself.

Yes — updates are free and included in the one-time price. No subscription, no "pro updates" tier.

Step-by-step deploy guides are included for Vercel and Cloudflare. Both are covered end to end, including the security headers setup.

$ npm run security-check → passed — 9 checks, 0 critical

Ship your idea, not your users' data.

One-time payment. Instant download. Free updates.