Back to Vibe Coding
Security for Indie SaaS

SaaS Security for Solo Developers
Who Ship Fast

You don't have a security team. You probably don't even have a penetration testing budget. But your customers trust you with their data anyway. The good news is that the vast majority of security vulnerabilities in indie SaaS products are entirely preventable with a handful of straightforward practices. This guide covers everything you need to know to ship a secure application as a solo developer.

Auth securityAPI securityOWASP top 10Rate limitingSecret managementCSRF protectionXSS prevention

Why Security Matters for Indie Founders

As a solo founder, a security breach is not just a technical problem — it's an existential one. You don't have a PR team to manage the fallout, a legal team to handle liability, or the credibility to bounce back from a data leak. Your entire business rests on trust, and trust takes years to build and seconds to lose.

The common misconception is that security is expensive and complex. It doesn't have to be. The OWASP Top 10 — the most common web application vulnerabilities — are almost all preventable with basic practices that take an afternoon to implement. The problem is that most indie founders don't know what they don't know.

This guide covers the security fundamentals every indie SaaS needs. Auth, sessions, rate limiting, secret management, and deployment hardening. None of it is optional. All of it is doable in a weekend.

Six Security Must-Haves for Every SaaS

Use bcrypt or Argon2 for passwords — never SHA or MD5

A cost factor of 12 makes each hash take ~250ms, which is fast for users but slow for attackers.

Store sessions in HttpOnly cookies, not localStorage

localStorage is accessible via JavaScript. HttpOnly cookies cannot be read by client-side scripts, blocking XSS-based token theft.

Rate limit all auth endpoints

5 failed attempts = 15 minute lockout. 20 failed = 1 hour. Use IP-based and account-based limits together.

Never reveal whether an email exists or not

Always return the same message: "Invalid email or password." Otherwise you leak valid accounts to attackers.

Use environment variables for secrets, never hardcode them

API keys, database URLs, and JWT secrets belong in .env files. AI-generated code might hardcode these — always review before committing.

Add CSRF protection to any action that changes state

SameSite=Strict cookies help, but also add CSRF tokens for critical operations like password changes and billing updates.

Beyond the Checklist: Building a Security Mindset

Security isn't a one-time configuration. It's a mindset. Every time you add a new feature, you should ask yourself: what could go wrong? What if a malicious actor finds this endpoint? What data am I exposing?

When you use AI-assisted development tools — and as a vibe coder, you absolutely should — you need to be extra vigilant. AI models are trained on public code, and they can generate insecure patterns with the same confidence they generate secure ones. Never trust AI-generated security code without understanding what it does.

Your deployment pipeline is also a security boundary. Environment variables should be managed properly, not hardcoded in config files or committed to GitHub. CI/CD secrets should be scoped to only what they need access to. And your database should never be accessible from the public internet.

The goal isn't perfection. The goal is to make yourself a harder target than the next SaaS. Most attackers are opportunistic — they go after low-hanging fruit. A little bit of security effort goes a long way.

Plan Your Security Infrastructure

Use our tools to understand and budget for the services that keep your app secure.

Frequently Asked Questions

Do I need a penetration test for my SaaS?

Not until you have significant revenue or enterprise customers. Focus on the fundamentals first — auth security, rate limiting, proper session management. Those cover 90% of common attack vectors.

Should I use Supabase Auth or build my own?

Use a managed solution like Supabase Auth, Auth.js, or Clerk if you want to move fast. Build your own only if you need complete control or want to avoid third-party dependencies. DIY auth requires careful implementation of password hashing, session rotation, and rate limiting.

How do I handle API keys in my codebase?

Use environment variables (.env) for all secrets. Never commit .env files to Git. Use a secret management tool like Doppler or Infisical if you have multiple environments. Consider encrypting secrets at rest in your database if you store third-party API keys for your users.

Ship With Confidence

Understanding your infrastructure costs helps you budget for the right security tools and services. Use our calculators to plan your spend.

Explore Free Tools