You've finished building your SaaS application. The UI looks great, the features work, and you're ready to invite real users. Before you hit publish, run through this security checklist. It covers the foundational security basics every app must have to avoid immediate, serious problems.
Note: This is a beginner checklist, not a full security audit. If you are handling highly sensitive medical or financial data, you need specialized compliance reviews in addition to this list.
Auth & Passwords
Passwords are hashed and salted using bcrypt or Argon2 before being stored in the database.
Secure password reset flow using expiring, single-use tokens sent to the registered email.
Brute-force protection: the account temporarily locks, or login attempts are rate-limited, after repeated failures.
Sessions & Tokens
Session tokens are stored in HttpOnly cookies, not in localStorage, where any JavaScript running on the page can read them.
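The three auth items above, worked as one added Python example (this is not code from the original checklist). The user, token and login-state dictionaries are hypothetical stand-ins for database tables, the lockout and token lifetimes are assumed policy values, and hashlib.scrypt is used only because it ships with the standard library; with bcrypt or Argon2, which the checklist recommends, the shape of the hashing function (random per-user salt, slow memory-hard KDF, constant-time compare) is the same.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Hypothetical in-memory stores standing in for database tables.
USERS = {}           # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # token -> {"username": str, "expires": float, "used": bool}
LOGIN_STATE = {}     # username -> {"failures": int, "locked_until": float}

MAX_FAILURES = 5            # assumed policy values
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_TTL = 30 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different hashes. scrypt stands in for bcrypt/Argon2
    so this runs without third-party packages."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}   # the plaintext is never stored


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password)   # burn the same time for unknown users
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'denied' or 'locked'. After MAX_FAILURES bad attempts the
    account is locked for LOCKOUT_SECONDS."""
    now = time.time() if now is None else now
    state = LOGIN_STATE.setdefault(username, {"failures": 0, "locked_until": 0.0})
    if now < state["locked_until"]:
        return "locked"
    if verify_password(username, password):
        state["failures"] = 0
        return "ok"
    state["failures"] += 1
    if state["failures"] >= MAX_FAILURES:
        state["locked_until"] = now + LOCKOUT_SECONDS
        state["failures"] = 0
    return "denied"


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Token to be sent to the registered email address (sending is out of scope here)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
    RESET_TOKENS[token] = {"username": username, "expires": now + RESET_TOKEN_TTL, "used": False}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(token)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    entry["used"] = True               # single use: a replayed link does nothing
    register(entry["username"], new_password)
    LOGIN_STATE.pop(entry["username"], None)   # clear any lockout on a successful reset
    return True
```

The `now` parameters exist so the expiry and lockout logic can be exercised without waiting; in a real handler they default to the clock.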
Sessions expire automatically after a reasonable period of inactivity.
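Both session items above, as an added Python example that is not part of the original checklist. The session store and the 30-minute idle timeout are assumptions; the cookie attributes are standard Set-Cookie flags.

```python
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60   # assumed: seconds of inactivity before a session dies
SESSIONS: Dict[str, dict] = {}   # hypothetical store: session id -> {"user", "last_seen"}


def create_session(user: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # random, never derived from user data
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return sid


def session_cookie_header(sid: str) -> str:
    """Value for the Set-Cookie header. HttpOnly keeps document.cookie from
    reading it, Secure restricts it to HTTPS, SameSite=Lax stops most
    cross-site requests from carrying it, Max-Age mirrors the idle limit."""
    return (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={IDLE_TIMEOUT}")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for the request-side Cookie header."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def resolve_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live session and slide its idle window;
    None for unknown, forged or expired ids."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]   # expired: drop it server-side, not just in the browser
        return None
    entry["last_seen"] = now
    return entry["user"]


def logout(sid: str) -> None:
    """Invalidate on the server; clearing the cookie alone leaves the id usable."""
    SESSIONS.pop(sid, None)
```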
Roles & Permissions
The backend explicitly verifies permissions for every sensitive action; hiding a button in the frontend UI is not a control.
IDOR protection: changing /users/1/profile to /users/2/profile cannot expose another user's private data.
API Validation & Rate Limits
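An added Python example (not from the original checklist) of the two items above: the acting user comes from the verified session, and each handler checks that user against the specific object requested rather than trusting the URL. The user table and the admin role are constructed sample data.

```python
from typing import Dict

# Constructed sample rows standing in for a users table.
USERS: Dict[int, dict] = {
    1: {"id": 1, "role": "user", "email": "alice@example.com"},
    2: {"id": 2, "role": "user", "email": "bob@example.com"},
    3: {"id": 3, "role": "admin", "email": "admin@example.com"},
}


class Forbidden(Exception):
    """Raised when the actor may not perform the action; maps to a 404/403."""


def can_view_profile(actor: dict, target_id: int) -> bool:
    """Object-level check: owner or admin. A role check alone is not enough,
    the decision has to be tied to the object actually being requested."""
    return actor["role"] == "admin" or actor["id"] == target_id


def get_profile(actor_id: int, target_id: int) -> dict:
    """Handler for GET /users/<target_id>/profile. actor_id is taken from the
    verified session, never from the URL, a form field or a JSON body."""
    actor = USERS.get(actor_id)
    if actor is None:
        raise Forbidden("not authenticated")
    if not can_view_profile(actor, target_id):
        # Same response as a missing record, so ids cannot be enumerated.
        raise Forbidden("not found")
    target = USERS.get(target_id)
    if target is None:
        raise Forbidden("not found")
    return {"id": target["id"], "email": target["email"]}


def delete_user(actor_id: int, target_id: int) -> bool:
    """A sensitive action the UI hides from non-admins; the backend still
    refuses it no matter which client sent the request."""
    actor = USERS.get(actor_id)
    if actor is None or actor["role"] != "admin":
        raise Forbidden("not found")
    return USERS.pop(target_id, None) is not None
```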
All incoming data is validated server-side; frontend validation is a UX improvement, not a security measure.
Rate limiting on API routes prevents a single user from sending thousands of requests and crashing your server.
Database Access Rules
The database is not exposed to the public internet; it is reachable only from trusted application servers.
Parameterized queries or an ORM are used for every query, which prevents SQL injection from user-supplied input.
Secrets Management
All secrets live in environment variables; no API keys or database passwords are hardcoded in the codebase.
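An added Python example, not from the original checklist, showing the string-built query beside its parameterized form against a constructed in-memory SQLite table, plus the one case parameters cannot cover: a column name chosen by the client, which has to go through an allowlist instead.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 0), ("root@example.com", 1)],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    # Vulnerable on purpose: the value is spliced into the SQL text, so a quote
    # in the input changes the statement rather than the data.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    # Hardened: the value is bound separately from the statement and can only
    # ever be compared as a string, never parsed as SQL.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


ALLOWED_SORT_COLUMNS = {"id", "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[Tuple]:
    """Identifiers (column/table names) cannot be bound as parameters; the only
    safe way to take one from the client is to map it onto a fixed allowlist."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT id, email FROM users ORDER BY {sort_by}").fetchall()
```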
.env files are not committed to Git; verify that your .gitignore includes .env before your first push.
File Upload Safety
File type and size are validated on the server before an upload is accepted, which stops malicious scripts disguised as images.
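The two secrets items above as an added Python example (not the original checklist's code): settings are read from environment variables and the process refuses to start if one is missing, logging only whether each secret is present, and a small helper checks that a .gitignore actually covers .env. The variable names DATABASE_URL and STRIPE_SECRET_KEY are hypothetical, the sample values are constructed, and the .gitignore matcher is deliberately rough (no negation or directory semantics).

```python
import fnmatch
import os
from typing import Mapping


class MissingSecret(RuntimeError):
    pass


def require_env(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Fail fast at startup instead of discovering a missing key on first use."""
    value = env.get(name)
    if not value:
        raise MissingSecret(f"{name} is not set")
    return value


def load_settings(env: Mapping[str, str] = os.environ) -> dict:
    """Hypothetical settings; every secret comes from the environment, nothing is inlined."""
    return {
        "database_url": require_env("DATABASE_URL", env),
        "stripe_key": require_env("STRIPE_SECRET_KEY", env),
    }


def redact(settings: dict) -> dict:
    """What is safe to log: presence of each secret, never its value."""
    return {key: ("set" if value else "missing") for key, value in settings.items()}


def gitignore_covers(path: str, gitignore_text: str) -> bool:
    """Rough check that some pattern in .gitignore matches `path`."""
    for line in gitignore_text.splitlines():
        pattern = line.strip()
        if not pattern or pattern.startswith("#"):
            continue
        pattern = pattern.lstrip("/")
        if fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(os.path.basename(path), pattern):
            return True
    return False


def preflight(repo_gitignore_text: str, env: Mapping[str, str] = os.environ) -> dict:
    """Run both checks before the first push / first deploy."""
    return {
        "env_ignored": gitignore_covers(".env", repo_gitignore_text),
        "secrets": redact(load_settings(env)),
    }
```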
Files are stored in cloud storage (like AWS S3), not served directly from the same web server that runs the app.
HTTPS & Domain Settings
HTTPS is enforced sitewide so all traffic is encrypted in transit; HTTP requests are automatically redirected to HTTPS.
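An added Python example (not from the original checklist) of the upload checks above: size limits, type detection from the file's own leading bytes rather than its extension or declared Content-Type, and a server-chosen object key for the storage bucket. The accepted types, the 5 MB limit and the "uploads/" key prefix are assumptions; the sample bytes in the usage are constructed.

```python
import os
import secrets
from typing import Optional

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit

# Leading bytes ("magic numbers") of the image types this app accepts. The
# filename extension and the browser's Content-Type are both client-controlled.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}


class UploadRejected(ValueError):
    pass


def sniff_type(data: bytes) -> Optional[str]:
    for mime, signatures in SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(data: bytes, claimed_name: str, claimed_type: str) -> dict:
    """Return the storage key and metadata for an accepted upload, or raise."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or too large")
    actual = sniff_type(data)
    if actual is None:
        raise UploadRejected("content is not an accepted image type")
    if actual != claimed_type:
        raise UploadRejected(f"declared {claimed_type} but content is {actual}")
    # The server picks the object name: random, with an extension fixed by the
    # detected type. The original filename is kept only as metadata, with any
    # directory components stripped.
    key = f"uploads/{secrets.token_hex(16)}{EXTENSIONS[actual]}"
    return {
        "key": key,
        "content_type": actual,
        "size": len(data),
        "original_name": os.path.basename(claimed_name),
    }
```

The returned `key` is what you would pass to the bucket client when putting the object; serving happens from the bucket or CDN, never from the application host.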
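An added Python example (not from the original checklist) of the redirect logic and the Strict-Transport-Security header that backs it up, written as a small middleware-style function. The HSTS lifetime is an assumption, and the note about X-Forwarded-Proto reflects the common case where a load balancer terminates TLS in front of the app.

```python
from typing import Optional, Tuple

# Assumed policy: one year, including subdomains, so browsers refuse plain
# HTTP to this site on later visits even if the user types http://.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_redirect(method: str, scheme: str, host: str, path: str,
                   forwarded_proto: Optional[str] = None) -> Optional[Tuple[int, str]]:
    """Return (status, Location) when the request must be bounced to HTTPS,
    or None when it is already encrypted. `host` should be the configured
    canonical hostname, not the raw Host header, so the redirect cannot be
    pointed elsewhere. Behind a TLS-terminating proxy the app sees plain HTTP
    and the original scheme arrives in X-Forwarded-Proto; trust that header
    only when nothing but the proxy can reach the app."""
    effective = (forwarded_proto or scheme).lower()
    if effective == "https":
        return None
    # 301 is fine for GET/HEAD; 308 keeps the method and body for anything else.
    status = 301 if method.upper() in ("GET", "HEAD") else 308
    return status, f"https://{host}{path}"


def response_headers() -> dict:
    """Headers every HTTPS response should carry."""
    return {"Strict-Transport-Security": HSTS_VALUE}


def handle_request(method: str, scheme: str, host: str, path: str,
                   forwarded_proto: Optional[str] = None) -> dict:
    """Where the check sits: before any application code runs."""
    redirect = https_redirect(method, scheme, host, path, forwarded_proto)
    if redirect:
        status, location = redirect
        return {"status": status, "headers": {"Location": location}}
    return {"status": 200, "headers": response_headers()}
```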
Logging & Alerts
Error logging configured: a service like Sentry captures production errors silently so you can fix them proactively.
Uptime alerts set up, so you receive a notification before your users notice downtime.
Backups
Automated daily database backups run via your hosting provider or a cron job.
Restore process tested: you've confirmed that a backup can actually be restored to a working state.
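The backup and restore drill above as an added Python example (not from the original checklist), using SQLite's online backup API on a constructed sample table so it runs offline: take a snapshot, wipe the live data, restore from the snapshot, and compare. The `verify_backup` function is the part the second item asks for: a restore into a scratch location that has to pass an integrity check and answer a real query.

```python
import os
import sqlite3
import tempfile


def make_sample_db(path: str) -> None:
    """Constructed sample schema standing in for the production database."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total_cents INTEGER NOT NULL)")
    conn.executemany("INSERT INTO orders (total_cents) VALUES (?)", [(1999,), (4500,), (120,)])
    conn.commit()
    conn.close()


def backup_db(src_path: str, dst_path: str) -> None:
    """Consistent snapshot through SQLite's backup API. Copying the file while
    the app is writing to it can capture a half-written page."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    with dst:
        src.backup(dst)
    dst.close()
    src.close()


def fingerprint(path: str) -> tuple:
    """Row count and checksum-like sum, to compare live data with a restored copy."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*), COALESCE(SUM(total_cents), 0) FROM orders").fetchone()
    finally:
        conn.close()


def verify_backup(backup_path: str) -> bool:
    """Restore into a scratch file and prove the result is usable."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restore-test.sqlite")
        backup_db(backup_path, restored)
        conn = sqlite3.connect(restored)
        try:
            intact = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            rows = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        finally:
            conn.close()
        return intact and rows > 0


def backup_cycle() -> dict:
    """Full drill: back up, simulate data loss, restore, compare fingerprints."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "live.sqlite")
        nightly = os.path.join(workdir, "nightly.sqlite")
        restored = os.path.join(workdir, "restored.sqlite")
        make_sample_db(live)
        backup_db(live, nightly)
        before = fingerprint(live)
        conn = sqlite3.connect(live)          # simulate an accidental wipe
        conn.execute("DELETE FROM orders")
        conn.commit()
        conn.close()
        backup_db(nightly, restored)          # restore = copy the snapshot back
        return {
            "backup_ok": verify_backup(nightly),
            "before": before,
            "after_loss": fingerprint(live),
            "restored": fingerprint(restored),
        }
```

The `backup_cycle` drill is what a scheduled job should run periodically against a real snapshot, not only once at launch; a backup that has never been restored is an assumption, not a safeguard.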