The security baseline customers now expect
Even early-stage prospects will ask for SSO, audit logs, and a DPA. The good news: a competent baseline is achievable from day one if you bake it in.
Authentication
- Use a managed provider (Auth0, Clerk, Cognito, or your own with Lucia / Better Auth).
- Enforce MFA for admin users; offer optional MFA to end users.
- Issue short-lived access tokens (15 min) paired with refresh tokens; rotate the refresh token on every use and treat a second presentation of a rotated token as compromise (revoke that session family).
- Always set the `Secure`, `HttpOnly`, and `SameSite=Lax` cookie flags. `Lax` still sends the cookie on top-level GET navigations, so no state-changing endpoint may accept GET.
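The two token rules above in working form, as an added example that is not code from the article. It assumes an in-memory dict standing in for the sessions table, a plain dict where production would mint a signed JWT, and a 30-day refresh lifetime; the names `TokenStore` and `session_cookie` are this example's own.

```python
"""Short-lived access tokens, rotating refresh tokens, and hardened cookie flags.

Added example. The store is an in-memory dict standing in for a sessions table and
the access token is a plain dict where a real service would mint a signed JWT.
The 30-day refresh lifetime is an assumption.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 15 * 60            # 15-minute access tokens, as the baseline calls for
REFRESH_TTL = 30 * 24 * 3600    # assumed refresh lifetime; tune to your risk appetite


def _digest(token: str) -> str:
    # Persist only a hash: a leaked sessions table must not yield usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user_id: str
    family: str          # one family per login; revoked as a unit
    expires_at: float
    used: bool = False   # set when rotated; a second presentation is a reuse


class TokenStore:
    def __init__(self) -> None:
        self._refresh: Dict[str, RefreshRecord] = {}   # sha256(token) -> record
        self._revoked_families: Set[str] = set()

    def issue(self, user_id: str, family: Optional[str] = None,
              now: Optional[float] = None) -> Tuple[dict, str]:
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        access = {"sub": user_id, "exp": now + ACCESS_TTL}   # sign this in production
        refresh = secrets.token_urlsafe(32)
        self._refresh[_digest(refresh)] = RefreshRecord(user_id, family, now + REFRESH_TTL)
        return access, refresh

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> Tuple[dict, str]:
        """Rotate on use. Returns a new (access, refresh) pair or raises PermissionError."""
        now = time.time() if now is None else now
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec.expires_at < now or rec.family in self._revoked_families:
            raise PermissionError("invalid or revoked refresh token")
        if rec.used:
            # A rotated token came back: either it was stolen or the client lost the
            # replacement. Either way, revoke the whole family so both parties re-authenticate.
            self._revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; session family revoked")
        rec.used = True
        return self.issue(rec.user_id, rec.family, now)

    def revoke_user(self, user_id: str) -> None:
        """Admin 'log out everywhere': revoke every family belonging to the user."""
        for rec in self._refresh.values():
            if rec.user_id == user_id:
                self._revoked_families.add(rec.family)


def session_cookie(name: str, value: str, max_age: int) -> str:
    """Set-Cookie value with the three baseline flags. Path=/ and no Domain attribute keep
    the cookie eligible for the __Host- prefix, which browsers enforce so a sibling
    subdomain cannot overwrite it."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The reuse check is the part most teams skip: without it a stolen refresh token keeps working quietly next to the legitimate one, and "rotate on use" buys nothing.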
Authorization
- Centralise permission checks behind a single `can(actor, action, resource)` function that denies by default and checks tenant membership before anything else.
- Avoid client-side authorization decisions; the UI hiding a button is a hint, the server check is the enforcement, and they are separate things.
- Audit every action that changes state — actor, action, resource, timestamp, IP.
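The authorization and audit bullets together, as an added example rather than the article's code. The policy table, the `invoice` resource kind, and the `audited` decorator are assumptions made for the demo; the point is that every state-changing handler passes through one `can()` and one audit write, and that denials are logged too.

```python
"""Centralised can(actor, action, resource) plus an audit record per state change.

Added example. The rules table and the invoice resource are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Actor:
    id: str
    tenant_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    tenant_id: str
    owner_id: Optional[str] = None


# (kind, action) -> predicate. Anything not listed is denied.
RULES: Dict[Tuple[str, str], Callable[[Actor, Resource], bool]] = {
    ("invoice", "read"):   lambda a, r: "member" in a.roles or "admin" in a.roles,
    ("invoice", "update"): lambda a, r: "admin" in a.roles or r.owner_id == a.id,
    ("invoice", "delete"): lambda a, r: "admin" in a.roles,
}


def can(actor: Actor, action: str, resource: Resource) -> bool:
    """The single choke point. Cross-tenant access is refused before any role is consulted."""
    if actor.tenant_id != resource.tenant_id:
        return False
    rule = RULES.get((resource.kind, action))
    return bool(rule and rule(actor, resource))


AUDIT_LOG: List[dict] = []   # stands in for an append-only audit table


def audited(action: str):
    """Decorator for state-changing handlers: enforce can() and write the audit record,
    for denials as well as for successes (a burst of denials is a detection signal)."""
    def wrap(fn):
        def inner(actor: Actor, resource: Resource, *, ip: str, **kwargs):
            allowed = can(actor, action, resource)
            AUDIT_LOG.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "actor": actor.id,
                "tenant": actor.tenant_id,
                "action": action,
                "resource": f"{resource.kind}:{resource.id}",
                "ip": ip,
                "outcome": "allow" if allowed else "deny",
            })
            if not allowed:
                raise PermissionError(f"{actor.id} may not {action} {resource.kind}:{resource.id}")
            return fn(actor, resource, **kwargs)
        return inner
    return wrap


@audited("update")
def update_invoice(actor: Actor, resource: Resource, *, amount: int) -> dict:
    # Business logic only; the decorator has already enforced and recorded.
    return {"id": resource.id, "amount": amount}
```

Tests for the policy belong next to `RULES`: a table of (actor, action, resource, expected) cases is cheap to maintain and catches the day someone adds an action without a rule.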
Data protection
- TLS 1.2+ everywhere; HSTS with `includeSubDomains` on the apex domain, submitted to the browser preload list.
- At-rest encryption is table stakes; confirm your database and object storage have it on rather than assuming the default.
- Treat secrets like uranium: store them in a secret manager, rotate on a schedule (at least annually) and immediately on any suspected exposure, and never keep them in env files committed to git.
- Mask PII in logs and error reports.
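A log filter that implements the masking bullet, added here as an example and not taken from the article. The pattern set (email, Luhn-valid card numbers, international-format phone numbers, bearer tokens) is constructed for the demo and is a starting point, not a complete PII catalogue; the helper `log_redacted` only exists to show the filter wired into a logger.

```python
"""Redacting PII and secrets from log lines before they leave the process.

Added example. The patterns are a starting set constructed for this demo; extend them
for the identifiers your own data model carries.
"""
import logging
import re
from typing import List


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so 16-digit order numbers are not masked as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", m.group())
    return "<card>" if _luhn_ok(digits) else m.group()


# Applied in order: the card rule runs before the phone rule so a PAN is not half-masked.
_RULES = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<email>"),
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), _mask_card),          # 13-19 digits, optional separators
    (re.compile(r"\+\d[\d -]{8,}\d"), "<phone>"),                    # international format only, to spare dates and ids
    (re.compile(r"(?i)(bearer\s+)[a-z0-9._~+/=-]+"), r"\1<token>"),  # leaked Authorization headers
]


def redact(text: str) -> str:
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Install on every handler (or the root logger) so no formatter sees raw PII."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # merge %-args first, then scrub the result
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines so the filter's effect can be checked in-process."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_redacted(msg: str, *args) -> str:
    """Run one message through a logger with the filter installed; returns the emitted line."""
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    logger = logging.Logger("redact-demo")   # standalone logger, not registered globally
    logger.addHandler(handler)
    logger.info(msg, *args)
    return handler.lines[0]
```

Regex scrubbing is the backstop, not the plan: prefer structured logging where PII fields are named and dropped at the call site, and apply the same filter to whatever ships exceptions to your error tracker, since stack-trace locals are where addresses and tokens leak most often.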
Network and tenancy
- Use private networks for service-to-service traffic.
- Add per-tenant rate limits at the edge, keyed on the tenant from the verified session, never on a client-supplied header.
- Enforce row-level security at the database layer if you use a pooled (shared-schema) tenancy model, so a query that forgets its tenant filter fails closed instead of leaking across tenants.
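A per-tenant token bucket of the kind the rate-limit bullet describes, added as an example and not drawn from the article. The class name, the injectable clock, and the rate figures are assumptions for the demo; in production this logic lives in the edge proxy or API gateway, and the important property is that the bucket key is the tenant from the authenticated principal.

```python
"""Per-tenant token-bucket rate limiter.

Added example. The key passed to allow() must be the tenant id taken from the verified
session, never from a header the client controls, or one tenant can spend another's quota.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TenantRateLimiter:
    def __init__(self, rate_per_sec: float, burst: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate_per_sec      # sustained requests per second per tenant
        self.burst = burst            # short-term allowance above the sustained rate
        self.clock = clock            # injectable so tests and replays are deterministic
        self._buckets: Dict[str, _Bucket] = {}

    def _refill(self, tenant_id: str) -> _Bucket:
        now = self.clock()
        b = self._buckets.get(tenant_id)
        if b is None:
            b = self._buckets[tenant_id] = _Bucket(tokens=self.burst, updated=now)
        # Refill proportional to elapsed time, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        return b

    def allow(self, tenant_id: str, cost: float = 1.0) -> bool:
        """Consume `cost` tokens for the tenant if available. Each tenant has its own bucket,
        so a noisy tenant exhausts only its own allowance."""
        b = self._refill(tenant_id)
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False

    def retry_after(self, tenant_id: str, cost: float = 1.0) -> float:
        """Seconds until `cost` tokens are available; suitable for a Retry-After header."""
        b = self._refill(tenant_id)
        return max(0.0, (cost - b.tokens) / self.rate)
```

Expensive endpoints (exports, searches) should pass a higher `cost` than a cached read; one bucket with weighted costs is simpler to reason about than separate limits per route.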
Compliance
You do not need to be SOC 2 certified on day one, but you should be audit-ready: every control documented, every change reviewable, every access logged. Then certification is a six-week exercise instead of a six-month panic.
A 10-line checklist
- MFA on all admin accounts.
- SSO via SAML/OIDC available for enterprise.
- Cookies are secure, HttpOnly, SameSite.
- Tokens rotate; refresh tokens are revocable.
- Authorization is centralised and tested.
- Audit log captures every state change.
- Secrets live in a vault; CI never logs them.
- PII is redacted from logs and traces.
- Backups exist and a restore from them is tested quarterly.
- There is a named incident response owner.