saas-security
SaaS Security Best Practices
Expert guidance for securing SaaS applications — authentication, authorization, API protection, session management, and defense against common attacks.
Core Principles
- Defense in depth — multiple layers, never rely on a single control
- Least privilege — grant minimum access needed, default deny
- Fail secure — errors should deny access, not grant it
- Don't roll your own crypto — use proven libraries and standards
- Assume breach — design systems to limit blast radius
Authentication
Password Security
```elixir
# Use bcrypt with sufficient cost factor (default 12 is good)
defmodule MyApp.User do
```
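The module above is cut off on this page. As an added example (not the skill's own code), here is a complete Ecto schema in the same style that shows the full bcrypt pattern: hashing on registration, never persisting the cleartext, bounding the password length to bcrypt's 72-byte input limit, and verifying with a dummy hash when the user does not exist so that lookup timing does not reveal which emails are registered. It assumes the `bcrypt_elixir` and `ecto` dependencies and hypothetical field names `email`, `password` (virtual) and `password_hash`.

```elixir
defmodule MyApp.User do
  # Added example: assumes bcrypt_elixir and ecto are in mix.exs deps.
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # virtual: never written to the database; redact: hidden from inspect/logs
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string, redact: true
    timestamps()
  end

  @doc "Changeset for sign-up: validates, then replaces :password with its bcrypt hash."
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/)
    # bcrypt silently truncates input at 72 bytes, so reject longer passwords
    # explicitly instead of hashing a prefix; count bytes, not graphemes.
    |> validate_length(:password, min: 12, max: 72, count: :bytes)
    |> hash_password()
  end

  # Only hash when the changeset is otherwise valid and a password was given;
  # hashing is deliberately slow, so avoid paying for it on invalid input.
  defp hash_password(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    # log_rounds: 12 is the bcrypt_elixir default; shown here to make the cost explicit
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw, log_rounds: 12))
    |> delete_change(:password)
  end

  defp hash_password(changeset), do: changeset

  @doc """
  Verifies a candidate password. Returns false for a missing user, but still runs
  a bcrypt computation so the response time is the same whether or not the
  account exists (user enumeration via timing).
  """
  def valid_password?(%__MODULE__{password_hash: hash}, password)
      when is_binary(hash) and is_binary(password) and byte_size(password) > 0 do
    Bcrypt.verify_pass(password, hash)
  end

  def valid_password?(_user_or_nil, _password) do
    Bcrypt.no_user_verify()
    false
  end
end
```

Usage: `MyApp.User.registration_changeset(%MyApp.User{}, %{"email" => "a@example.com", "password" => "correct horse battery"})` yields a changeset whose `changes` contain `password_hash` but not `password`; at login, call `MyApp.User.valid_password?(user_or_nil, submitted)` with whatever the email lookup returned, nil included, so both branches cost one bcrypt operation.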