Secure Your App

Security best practices for apps built with VULK — authentication, data handling, API keys, and deployment.

VULK generates code with security fundamentals built in, but there are additional steps you should take before going to production.

Authentication Security

When VULK generates authentication:

  • Passwords are hashed with PBKDF2 (never stored in plain text)
  • JWT tokens have expiration times
  • Protected routes check authentication before rendering

What You Should Do

  • Change the default demo credentials before going live
  • Set strong passwords for admin accounts
  • Enable HTTPS (automatic when deployed via VULK)

Environment Variables & Secrets

If your app uses API keys (Stripe, external APIs, etc.):

  • Never hardcode secrets in your source code
  • Use VULK's Secrets Manager to store API keys
  • When exporting to GitHub, add .env to your .gitignore

Generated Backend Security

VULK-generated backends include:

  • JWT authentication with token refresh
  • Input validation on API endpoints
  • Parameterized SQL queries (prevents SQL injection)
  • CORS configuration

What to Review

  • Check that sensitive endpoints require authentication
  • Verify that user data queries are scoped to the authenticated user
  • Test that invalid inputs are rejected properly

Deployment Security

When you deploy via VULK:

  • HTTPS is automatic — SSL certificates are provisioned for all deployments
  • CDN caching protects against basic traffic spikes
  • Static assets are served from Cloudflare's edge network

Custom Domain Security

  • Always use HTTPS (enforced by default)
  • Set appropriate CORS headers if your frontend and backend are on different domains

Code Export Security

When exporting code to GitHub or ZIP:

  • Review for any hardcoded credentials or API keys
  • Check .env.example to ensure no real values are included
  • Run a security scan (like npm audit) on the exported code
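The .env.example check above can be partly automated before an export is pushed. The following is an added example, not VULK's or the exported project's own code: the function name auditEnvExample, the placeholder list, the credential patterns and the entropy threshold are assumptions, and the sample file content is constructed.

```javascript
// Added example: audit .env.example text for values that look like real secrets.
// Patterns and thresholds are illustrative assumptions, not VULK behaviour.
const PLACEHOLDER = /^(|changeme|change[-_]me|your[-_a-z0-9]*|x{3,}|<[^>]*>|example|placeholder|todo)$/i;
const KNOWN_FORMATS = [
  /^[sr]k_(live|test)_/,   // Stripe secret / restricted keys
  /^AKIA[0-9A-Z]{16}$/,    // AWS access key ID
  /^ghp_[A-Za-z0-9]{20,}/, // GitHub personal access token
  /^eyJ[A-Za-z0-9_-]+\./,  // encoded JWT
];
const SECRET_NAME = /(SECRET|TOKEN|KEY|PASSWORD)/i;

// Shannon entropy in bits per character; random keys score higher than words.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function auditEnvExample(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.trim().match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return; // blank line, comment, or not KEY=VALUE
    const key = m[1];
    // Drop a trailing " # comment" and one layer of matching quotes.
    const value = m[2].replace(/\s+#.*$/, "").replace(/^(['"])(.*)\1$/, "$2");
    if (PLACEHOLDER.test(value)) return;
    let reason = null;
    if (KNOWN_FORMATS.some((re) => re.test(value))) {
      reason = "known credential format";
    } else if (SECRET_NAME.test(key) && value.length >= 16 && shannonEntropy(value) >= 3.5) {
      reason = "high-entropy value under a secret-like name";
    }
    if (reason) findings.push({ line: i + 1, key, reason });
  });
  return findings;
}

// Constructed sample content; none of these values are real credentials.
const SAMPLE_ENV_EXAMPLE = [
  "# constructed sample, not a real file",
  "DATABASE_URL=postgres://localhost:5432/app",
  "STRIPE_SECRET_KEY=sk_test_CONSTRUCTED_SAMPLE_NOT_A_KEY",
  "JWT_SECRET=your-jwt-secret",
  "SESSION_SECRET=q8Zr2LxV0mTn5KdYw3HbPc7J",
  "API_BASE_URL=https://api.example.com",
].join("\n");

console.log(auditEnvExample(SAMPLE_ENV_EXAMPLE));
```

The heuristics only catch values with a recognizable format or high entropy under a secret-like key name, so an empty result still calls for a manual read of the file.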

Reporting Security Issues

If you discover a security vulnerability in VULK or VULK-generated code, contact us at security@vulk.dev. We take all reports seriously and respond within 24 hours.
