Secure vibe-coding guide!

I won’t write anything new in this manual. There are already hundreds of books, videos and posts on securing web and mobile apps, databases, infrastructure and files.

But you, a vibecoder and indie hacker, need clear steps to secure your young (but growing!) application. So in this guide I will focus on the basics, which should help you avoid the most common security pitfalls. I will:

  • introduce you to a security mindset – just as an indie mindset helps you gain users, a security mindset helps you deter bad actors
  • cover the basic client-server model which powers millions of web and mobile apps
  • present best practices in creating secure software
  • link to opinionated resources to back up my cheat sheet and help you explore more advanced topics on your own.

Security missteps in young apps are still common. Most of them could easily have been avoided, yet they keep being made, and when bad actors find them they can:

  • take your site down (best case)
  • run up high bills at the services you use (middle case), or
  • steal your users’ data and expose you to legal liability (worst case).

In each case your credibility and your business are at risk. Let’s prevent it!

What This Guide Isn’t

This isn’t an exhaustive security encyclopaedia or a theoretical academic paper. There are hundreds of technologies, each with many use cases, and developers build more and more apps on top of frameworks. Every technology and framework has vulnerabilities of its own, which is why defence in depth is such an important topic. So you won’t find here:

  • In-depth implementation details for complex security systems
  • A tutorial on setting up a Next.js web app or adding authentication to Laravel
  • A comprehensive catalog of every possible vulnerability
  • Guides to complex solutions that usually aren’t needed at early stage

That said, I believe the tips I present here are still useful. After all, software is all about pushing bytes from one place to another and transforming them along the way. You secure your app by controlling who can see and modify those bytes. This guide shows patterns for doing exactly that.