For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Overview
Security in TurboStarter is layered: keep secrets on the server, enforce auth in the API, isolate tenants by organization, and verify every external webhook.
TurboStarter is built so the secure path is the default path. Auth runs through Better Auth, the API is guarded with Hono middleware, secrets stay in server-only packages, and third-party callbacks are signature-verified before they mutate data.
This section is a security playbook - how the pieces fit together, what you must never break, and what to double-check before production.
Be mindful
Security is not a one-time setup. Revisit these practices whenever you add endpoints, providers, or client features that touch sensitive data.
Security model
Defense in TurboStarter is application-level and package-level by default:
| Layer | What it protects | Where it lives |
|---|---|---|
| Package boundaries | Secrets and DB clients never ship to the browser | @workspace/*/server, @workspace/auth/client/* |
| Environment validation | Missing or mis-scoped secrets fail early | envin presets per package |
| Session auth | Only signed-in users reach protected UI and APIs | Better Auth + enforceAuth |
| Authorization | Roles and org membership gate mutations | RBAC + enforceOrganizationPermission |
| Input validation | Untrusted payloads are rejected before handlers run | Zod + validate middleware |
| External integrations | Billing and task webhooks cannot be forged | Signature verification |
Unlike Supabase-first kits that lean on Row Level Security, TurboStarter treats every API route and Server Component as responsible for authorization. That matches the Hono + Drizzle stack: you filter by the verified session and organization, not by trusting IDs from the client alone.
Each of these topics is covered in more detail in the following guides:
Server / client boundaries
Anything passed into a Client Component is public. Use package ./server and ./client entry points so secrets and DB clients never reach the browser.
Secrets & environment
Keep secrets out of NEXT_PUBLIC_ variables and git. Use envin presets, .env.local for local secrets, and your host for production values.
Access control
Verify sessions on the server, protect Hono routes with middleware, and never trust client-supplied organization or user IDs for authorization.
Data validation
Validate every untrusted query, body, and param with Zod before handlers run. Use the shared validate middleware and keep schemas next to your API modules.
Integrations
Verify webhook signatures, keep storage buckets private with short-lived signed URLs, and never ship third-party API keys to the client.
Checklist
A pre-launch security checklist covering secrets, auth, API authorization, webhooks, storage, and dependency hygiene.
How is this guide?
Last updated on