Security
Protect your SaaS application from threats and vulnerabilities
Kaizen’s Built-in Security Architecture
The below outlines how Kaizen’s architecture and technology choices protect your application against common security threats. Our stack is designed with security-first principles while remaining developer-friendly.
Infrastructure Protection
DDoS Protection
- Vercel Edge Network automatically mitigates DDoS attacks through their global edge network, load balancing, and traffic filtering
- Attack traffic is filtered before reaching your application servers
API Abuse Prevention
- Convex Rate Limiting prevents API abuse with built-in rate limiting capabilities
- Different throttling rules for sensitive endpoints (auth, payments)
- IP-based and fingerprinting techniques to identify abusive clients
- Automatic rate limiting responses when limits are exceeded
Application Security
Injection Attacks
- Convex Functions use parameterized queries and built-in validation, eliminating injection risks
- TypeScript Validation ensures all inputs are strictly typed and validated before processing
- Content Security Policy headers prevent XSS attacks
Authentication Security
- Clerk provides enterprise-grade authentication (and DDoS protection) with advanced security features
- Secure HTTP-only cookies for session management
- CSRF protection built into authentication flows
- Multi-factor authentication options for additional security
- Ban and impersonate users from your app with Clerk
Data Protection
- Convex provides secure database access with built-in security policies
- Row-level security in database for multi-tenant setups
- Environment variables securely managed through Vercel and Convex
Payment Security
- Polar.sh handles payment processing with secure payment flows
- Card details never touch our servers, eliminating PCI compliance burden
- Strong customer authentication (SCA) for European payments
- Built-in fraud detection and prevention mechanisms
Compliance & Best Practices
- Framework Security Updates automatically applied through dependabot
- HTTP Security Headers implemented according to OWASP recommendations
- Content Security Policy restricts resource loading to trusted sources
- Input sanitization throughout the application
- SOC 2 compliance for enterprise applications
Ongoing Protection
- Dependabot alerts for vulnerable packages
- Vercel’s monitoring detects unusual traffic patterns
- Convex Analytics provides visibility into API usage and potential abuse
Remember that no system is 100% secure, but Kaizen implements industry best practices across the stack. The architecture uses battle-tested cloud services that handle billions of requests daily, each with dedicated security teams and infrastructure.
If you have specific security requirements or concerns, please reach out to the community on Discord or GitHub.
Security should be a priority from day one. While you can iterate on features, security breaches can be catastrophic for early-stage companies.
A good boilerplate and infrastructure will usually cover the basics, but you should always be on the lookout for new threats and vulnerabilities.
We’ve gathered some resources below to help you get started.
Essential Resources
- DefendSaaS - Comprehensive guide for securing your SaaS application, including:
- Preventing abuse and fraud
- DDoS protection strategies
- Authentication security best practices
- API security patterns
- Compliance considerations
Regular Security Tasks
Weekly
- Update dependencies
- Review user access
- Check backup status
Monthly
- Security patches
- Access review
- Policy updates
Quarterly
- Security audit
- Penetration testing
- Policy review
If you have some capital, you can consider using one of these agencies: ShipSecure or Jolt Security to audit your application for you.
Additional Tools
-
Security Scanning
- ProjectDiscovery - Open-source vulnerability scanning platform that focuses on exploitable vulnerabilities, used by 100k+ security pros. Includes:
- Real-time attack surface monitoring
- Custom exploit detection via Nuclei framework
- False positive elimination
- CI/CD integration
- OWASP ZAP - Free security testing tool
- Snyk - Dependency vulnerability scanning
- SonarQube - Code quality and security review
- ProjectDiscovery - Open-source vulnerability scanning platform that focuses on exploitable vulnerabilities, used by 100k+ security pros. Includes:
-
Monitoring
-
Compliance
- Vanta - Security compliance automation
- Drata - Security and compliance automation
- ComplyCube - KYC and AML compliance
Code Security Tools
Rate Limiting with Convex
Kaizen leverages Convex’s built-in rate limiting capabilities to protect your API endpoints from abuse. Convex provides serverless-friendly rate limiting that scales automatically with your application.
Rate limiting is crucial for protecting your API endpoints from abuse and ensuring fair usage.
-
Configure rate limiting in your Convex functions
Convex provides built-in rate limiting that you can configure in your function definitions:
-
Different rate limits for different endpoints
You can set different rate limits based on the sensitivity of your endpoints:
Rate limiting configuration
Convex provides sensible defaults for rate limiting:
- Default rate limit: 100 requests per minute per user
- Customizable per function: You can override defaults for specific functions
- Automatic scaling: Rate limits scale with your application usage
Testing rate limits locally
To verify your rate limits are working:
-
Send multiple rapid requests to a Convex function
You can use the Convex dashboard or your application to send multiple requests to a rate-limited function.
-
Check rate limit responses
When rate limits are exceeded, Convex will return appropriate error responses with rate limit information.
-
Monitor in Convex dashboard
The Convex dashboard provides visibility into rate limiting and API usage patterns.
Implementing rate limiting on new functions
To add rate limiting to a new Convex function:
-
Add rate limiting configuration
-
Use different rate limits for different operations
Deploying to production
-
Rate limits are automatically applied
Convex rate limiting is automatically applied when you deploy your functions to production.
-
Monitor usage in Convex dashboard
-
Use a specific limiter (optional)
Deploying to production
-
Create a production Upstash Redis database
Follow the same steps as for development, but choose an appropriate plan and region for your production needs.
-
Add environment variables to your hosting platform
Add the Upstash credentials to your hosting platform (e.g., Vercel, Netlify):
UPSTASH_REDIS_REST_URL
UPSTASH_REDIS_REST_TOKEN
-
Using Vercel integration (recommended)
If you’re deploying to Vercel, you can use the Upstash integration:
a. Go to the Vercel dashboard for your project
b. Navigate to “Settings” > “Integrations”
c. Search for “Upstash” and click “Add Integration”
d. Follow the steps to link your Upstash account
e. Select your Redis database to connect to your Vercel project
This will automatically set up the environment variables for you.
Common Issues & Troubleshooting
Rate limiting isn’t working
- Verify your Upstash Redis credentials are correctly set in your environment variables
- Check if your Redis database is accessible from your application
- Ensure you’re applying rate limiting correctly in your API route
Getting Redis connection errors
- Verify your Upstash Redis database is active
- Check network connectivity between your application and Upstash
- Ensure your token has the correct permissions
Rate limits are too restrictive or too lenient
Adjust the rate limit configuration in lib/ratelimit.ts
based on your traffic patterns:
Rate limiting is only as good as its configuration. Monitor your API usage and adjust limits as needed to balance security and user experience.