Back to Security
Security10 min read

Auth Security Best Practices for Indie SaaS

Everything a solo developer needs to know about authentication security — sessions, password hashing, rate limiting, and common pitfalls.

May 15, 2026

Authentication is the most security-critical part of any SaaS application. One mistake here and your users' data is exposed. Here's what you need to know as a solo founder shipping your own auth.

Password Hashing is Non-Negotiable

Never store plain text passwords. Never use MD5 or SHA for passwords. Use bcrypt, Argon2, or scrypt with a cost factor of 10-12.

// Good — bcrypt with cost factor 12
const hashed = await bcrypt.hash(password, 12);

// Bad — never do this
const hashed = sha256(password);

Session Management

Use HttpOnly Cookies for Sessions

Store session tokens in HttpOnly, Secure, SameSite cookies. This prevents JavaScript from reading the token and blocks XSS attacks.

Set-Cookie: session_token=<token>; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=604800

Rotate Sessions on Privilege Escalation

When a user logs in or changes their password, issue a new session token. This prevents session fixation attacks.

Set Reasonable Expiration

  • Short-lived sessions: 7 days
  • Remember me: 30 days max
  • Force re-authentication for sensitive actions (password change, billing)

Rate Limit Your Auth Endpoints

Without rate limiting, attackers can brute force passwords. At minimum: 5 failed attempts → 15-minute lockout. 20 failed attempts → 1-hour lockout + email notification. Use IP-based and account-based rate limiting together.

Common Pitfalls

PitfallWhy It's DangerousFix
Returning error on failed loginTells attackers which emails existReturn the same error for "user not found" and "wrong password"
Storing tokens in localStorageAccessible to any XSS attackUse HttpOnly cookies instead
No CSRF protectionAttacker can trigger actions on behalf of userUse SameSite cookies + CSRF tokens
Logging passwordsPasswords end up in log filesNever log request bodies on auth routes