Security

Security in The Unsexy Stack is hardened by default, not left as an exercise. The download includes a security checklist of 22 items mapped to OWASP ASVS Level 1 (the canonical customer-facing claim; the full checklist also covers additional pre-launch items).

  • Rate limiting — slowapi on the API surface, so a single client cannot hammer endpoints.
  • Locked-down CORS — an explicit allow-list, not a wildcard.
  • Structured logging with request IDs — every request is traceable end-to-end.
  • Pydantic v2 validation — request bodies are validated and typed at the boundary, so malformed input is rejected before it reaches your logic.
  • Signature-verified webhooks — Stripe events are verified before processing (see Billing).
  • JWKS-cached RS256 auth — with a thundering-herd guard (see Auth).
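The thundering-herd guard on the JWKS cache, shown as an added illustration rather than the stack's own code: `JwksCache`, its `fetch` callback and the throttle parameter are assumed names, and the JWK values in comments and tests are constructed. Only one caller fetches on expiry, waiters reuse its result, and an unknown `kid` triggers at most one throttled refetch.

```python
import threading
import time
from typing import Callable, Dict, Optional

Jwks = Dict[str, dict]  # kid -> JWK (public key material), as served by the issuer

class JwksCache:
    """JWKS cache with a single-flight guard (hypothetical example).

    On expiry the first caller takes the lock and fetches; concurrent callers
    block on the lock, then find a fresh cache and skip their own fetch. An
    unknown kid (rotation) forces one refresh, throttled to one per
    min_refresh_seconds, so made-up kids cannot drive a refresh storm.
    """

    def __init__(self, fetch: Callable[[], Jwks], ttl_seconds: float = 600.0,
                 min_refresh_seconds: float = 30.0) -> None:
        self._fetch = fetch            # stands in for an HTTPS GET of the JWKS URL
        self._ttl = ttl_seconds
        self._min_refresh = min_refresh_seconds
        self._keys: Jwks = {}
        self._expires_at = 0.0
        self._last_refresh = -float("inf")
        self._lock = threading.Lock()
        self.fetch_count = 0           # exposed so the guard's behaviour can be checked

    def _refresh(self, force: bool = False) -> None:
        with self._lock:
            now = time.monotonic()
            fresh = now < self._expires_at
            throttled = now - self._last_refresh < self._min_refresh
            # Double-checked under the lock: a waiter queued behind the fetcher sees
            # a fresh cache and skips its fetch; a forced refresh inside the throttle
            # window is dropped.
            if (fresh and not force) or (force and throttled):
                return
            self._keys = dict(self._fetch())
            self.fetch_count += 1
            self._last_refresh = now
            self._expires_at = now + self._ttl

    def get_key(self, kid: str) -> Optional[dict]:
        if time.monotonic() >= self._expires_at:
            self._refresh()
        key = self._keys.get(kid)
        if key is None:
            self._refresh(force=True)  # possible rotation: at most one throttled refetch
            key = self._keys.get(kid)
        return key
```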

The shipped docs/SECURITY_CHECKLIST.md walks the 22 OWASP ASVS L1 items with where each is handled in the codebase, plus a set of pre-launch items (secrets handling, HTTPS, headers) you tick off before going live. It is a checklist you can hand to a reviewer, not a marketing bullet.

This is a single-tenant boilerplate; there is no row-level-security multi-tenancy out of the box. The patterns to extend for B2B multi-tenancy are clean, but the hardening here is the single-tenant production baseline, honestly scoped.