SaaS Security Best Practices: Auth, Authorization, and Data Protection
Security is not a feature — it is a property of your entire architecture. This guide covers the security practices implemented in production SaaS applications like tanstackship.com : authentication with password hashing and session management, role-based and attribute-based authorization, data encryption at rest and in transit, API security with CSRF and rate limiting, and ongoing monitoring for vulnerabilities. Authentication: The Identity Layer Session vs Token-Based Auth Aspect Session Auth JWT Auth Hybrid (Recommended) Storage Server-side (D1/Redis) Client-side (localStorage) Server + client Expiry Server-managed Self-contained Dual expiry Revocation Immediate Difficult (until expiry) Session invalidation + JWT refresh Scale Database lookups per request Stateless Cached sessions XSS risk Lower (HTTP-only cookie) Higher (JS-accessible) HTTP-only cookie for session Implementation with Better Auth // src/lib/auth.ts — using Better Auth with Drizzle import { betterAuth } from " better-auth " import { drizzleAdapter } from " better-auth/adapters/drizzle " import { createDb } from " ../db " export const auth = betterAuth ({ database : drizzleAdapter ( createDb ( env ), { provider : " sqlite " , }), emailAndPassword : { enabled : true , autoSignIn : true , passwordHash : { algorithm : " argon2 " , // Argon2id — OWASP recommended params : { memoryCost : 19456 , timeCost : 2 , parallelism : 1 , }, }, }, socialProviders : { google : { clientId : env . GOOGLE_CLIENT_ID , clientSecret : env . GOOGLE_CLIENT_SECRET }, github : { clientId : env . GITHUB_CLIENT_ID , clientSecret : env . GITHUB_CLIENT_SECRET }, }, session : { expiresIn : 7 * 24 * 60 * 60 , // 7 days updateAge : 24 * 60 * 60 , // Refresh every 24 hours }, }) Password Security Checklist [ ] Passwords hashed with Argon2id (not bcrypt, not scrypt) [ ] Minimum 8 characters, no arbitrary complexity rules [ ] Rate-limited login attempts (5 per minute per IP) [ ] Email verification required before first login [ ] Sessio