
Application settings have sensible defaults for new users

ab-002338 · saas-onboarding.first-run.settings-sensible-defaults
Severity: medium · Status: active

Why it matters

New users who land in a broken default state — blank required fields, null configuration, a settings page they must complete before anything works — don't file bug reports. They churn silently. ISO 25010 functional suitability covers exactly this failure: the software doesn't do what a new user reasonably expects it to do on first run. Missing defaults also create data integrity hazards: if a default timezone is never set, date math silently breaks on the first query that needs it.

Severity rationale

Medium because blank defaults cause silent functional failures and early churn, but don't expose user data or create a security boundary violation.

Remediation

Define defaults at the database schema level so they're persisted on account creation, not just applied as runtime fallbacks. In prisma/schema.prisma:

model UserSettings {
  id           String  @id @default(cuid())
  userId       String  @unique
  emailNotifs  Boolean @default(true)
  theme        String  @default("system")
  timezone     String  @default("UTC")
  language     String  @default("en")
}

In your account creation handler, call prisma.userSettings.create({ data: { userId } }) in the same transaction that inserts the user (prisma.$transaction), so an account is never committed without its settings row; the schema defaults fill the rest. For accounts that already exist, backfill one settings row per user in a migration rather than creating it lazily on first read. Never rely on application-layer fallbacks to cover missing rows: a fallback keeps the product working while leaving the stored state blank, which is exactly the condition the detection step below flags.

Detection

  • ID: saas-onboarding.first-run.settings-sensible-defaults

  • Severity: medium

  • What to look for: Count all settings and configuration fields in the application. For each, classify whether a default value is set (not blank/null/undefined). Enumerate any settings that require configuration before core functionality works.

  • Pass criteria: 100% of settings have explicit defaults. No setting requires configuration before the user can use the core functionality. Defaults are appropriate for new users (not expert-mode settings).

  • Fail criteria: 1 or more required settings have no default value, leaving the user with a blank/broken configuration state. Or: settings page is the first thing a new user must complete before they can access the product.

  • Do NOT pass when: Default values are set in code but the settings UI shows empty/blank fields because the defaults are not persisted to the database on account creation — visual emptiness is NOT a pass even if the backend has fallbacks.

  • Skip (N/A) when: The application has no settings or preferences UI.

  • Detail on fail: "Settings page has required fields with no defaults: [field names]. New users must manually configure these before the application functions correctly."

  • Remediation: In your database schema (e.g., prisma/schema.prisma), declare @default values so the column itself carries a DEFAULT and the row is complete on insert:

    model UserSettings {
      id              String  @id @default(cuid())
      userId          String  @unique
      emailNotifs     Boolean @default(true)
      theme           String  @default("system")
      timezone        String  @default("UTC")
    }
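The "What to look for" step above can be run as a static check against the schema rather than by hand. What follows is an added example, not code from this rule page or from any product it audits: a small TypeScript checker that parses a Prisma schema from text, picks out settings-like models, and lists scalar fields stored without an explicit @default, separating fields that would be blank on insert from nullable ones that would be stored as null. The sample schema is constructed input, the model-name filter (/Settings|Preference|Config/) and the "Id" suffix heuristic for foreign keys are assumptions, and all function names are hypothetical.

```typescript
// Added example (not from the rule page): a static check that applies the
// "What to look for" step to a Prisma schema. It lists fields of settings
// models that are stored without an explicit default. All names here are
// hypothetical; the schema below is constructed sample input.

type Reason = "required" | "nullable";

interface FieldFinding {
  model: string;
  field: string;
  type: string;
  reason: Reason; // "required": blank on insert; "nullable": stored as null
}

// Constructed sample schema: two settings fields have defaults, three do not.
const SAMPLE_SCHEMA = `
model User {
  id       String        @id @default(cuid())
  email    String        @unique
  settings UserSettings?
}

model UserSettings {
  id           String   @id @default(cuid())
  userId       String   @unique
  user         User     @relation(fields: [userId], references: [id])
  emailNotifs  Boolean  @default(true)
  theme        String   @default("system")
  timezone     String
  language     String?
  digestHour   Int
  updatedAt    DateTime @updatedAt
}
`;

const SCALAR_TYPES = new Set([
  "String", "Boolean", "Int", "BigInt", "Float", "Decimal", "DateTime", "Json", "Bytes",
]);

// Split the schema into model name -> body lines (comments and @@ block attributes dropped).
function parseModels(schema: string): Map<string, string[]> {
  const models = new Map<string, string[]>();
  const modelRe = /model\s+(\w+)\s*\{([^}]*)\}/g;
  let m: RegExpExecArray | null;
  while ((m = modelRe.exec(schema)) !== null) {
    const name = m[1];
    const rawBody = m[2];
    if (!name || rawBody === undefined) continue;
    const body = rawBody
      .split("\n")
      .map((l) => l.trim())
      .filter((l) => l.length > 0 && !l.startsWith("//") && !l.startsWith("@@"));
    models.set(name, body);
  }
  return models;
}

// Report scalar fields of settings-like models that carry no @default.
// Skipped on purpose: the primary key, foreign keys (named in @relation or
// ending in "Id"), relation fields, list fields and @updatedAt columns.
function findMissingDefaults(
  schema: string,
  settingsModel: RegExp = /Settings|Preference|Config/, // assumption: naming convention
): FieldFinding[] {
  const findings: FieldFinding[] = [];
  for (const [model, lines] of Array.from(parseModels(schema).entries())) {
    if (!settingsModel.test(model)) continue;

    const foreignKeys = new Set<string>();
    for (const line of lines) {
      const rel = /@relation\([^)]*fields:\s*\[([^\]]*)\]/.exec(line);
      if (rel) (rel[1] ?? "").split(",").forEach((f) => foreignKeys.add(f.trim()));
    }

    for (const line of lines) {
      const [field, rawType] = line.split(/\s+/);
      if (!field || !rawType) continue;
      const baseType = rawType.replace(/[?\[\]]/g, "");
      if (!SCALAR_TYPES.has(baseType) || rawType.endsWith("[]")) continue;
      if (/@id\b|@updatedAt\b|@default\(/.test(line)) continue;
      if (foreignKeys.has(field) || /Id$/.test(field)) continue;
      findings.push({
        model,
        field,
        type: baseType,
        reason: rawType.endsWith("?") ? "nullable" : "required",
      });
    }
  }
  return findings;
}

// Render the rule's "Detail on fail" text, or a pass line when nothing is flagged.
function formatFailDetail(findings: FieldFinding[]): string {
  if (findings.length === 0) return "PASS: every settings field has an explicit default.";
  const required = findings.filter((f) => f.reason === "required").map((f) => f.field);
  const nullable = findings.filter((f) => f.reason === "nullable").map((f) => f.field);
  const parts: string[] = [];
  if (required.length > 0) {
    parts.push(
      `Settings page has required fields with no defaults: ${required.join(", ")}. ` +
        "New users must manually configure these before the application functions correctly.",
    );
  }
  if (nullable.length > 0) {
    parts.push(`Nullable settings stored as null on account creation: ${nullable.join(", ")}.`);
  }
  return parts.join(" ");
}

console.log(formatFailDetail(findMissingDefaults(SAMPLE_SCHEMA)));
```

On the sample schema the checker flags timezone and digestHour as required fields with no default and language as a nullable field that will be stored as null, and leaves id, userId, the relation field and the @updatedAt column alone. It only proves that the schema persists a default; the "Do NOT pass when" clause still needs a runtime check that a freshly created account actually has its settings row.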
    

External references

Taxons

History