​

Titan’s Built-in Security Architecture

The below outlines how Titan’s architecture and technology choices protect your application against common security threats. Our stack is designed with security-first principles while remaining developer-friendly.

​

Infrastructure Protection

​

DDoS Protection

• Vercel Edge Network automatically mitigates DDoS attacks through their global edge network, load balancing, and traffic filtering
• Attack traffic is filtered before reaching your application servers

​

API Abuse Prevention

• Upstash Redis Rate Limiting prevents API abuse with configurable limits per endpoint type
• Different throttling rules for sensitive endpoints (auth, payments)
• IP-based and fingerprinting techniques to identify abusive clients
• Automatic 429 responses when limits are exceeded

​

Application Security

​

Injection Attacks

• Drizzle ORM uses parameterized queries, eliminating SQL injection risks
• Zod Validation ensures all inputs are strictly typed and validated before processing
• Content Security Policy headers prevent XSS attacks

​

Authentication Security

• Clerk provides enterprise-grade authentication (and DDoS protection) with advanced security features
• Secure HTTP-only cookies for session management
• CSRF protection built into authentication flows
• Multi-factor authentication options for additional security
• Ban and impersonate users from your app with Clerk

​

Data Protection

• Supabase provides secure database access with row-level security policies
• Row-level security in database for multi-tenant setups
• Environment variables securely managed through Vercel

​

Payment Security

• Stripe handles payment processing in compliance with PCI-DSS Level 1
• Card details never touch our servers, eliminating PCI compliance burden
• Strong customer authentication (SCA) for European payments
• Fraud detection and prevention with ByeDispute

​

Compliance & Best Practices

• Framework Security Updates automatically applied through dependabot
• HTTP Security Headers implemented according to OWASP recommendations
• Content Security Policy restricts resource loading to trusted sources
• Input sanitization throughout the application
• HIPAA compliance for healthcare applications if you use the Supabase TEAM plan

​

Ongoing Protection

• Dependabot alerts for vulnerable packages
• Vercel’s monitoring detects unusual traffic patterns
• Upstash Analytics provides visibility into API abuse attempts

Remember that no system is 100% secure, but Titan implements industry best practices across the stack. The architecture uses battle-tested cloud services that handle billions of requests daily, each with dedicated security teams and infrastructure.

The cursorrules files in the repo recommends the best practices for security across the stack so building in Cursor shouldn’t be an issue.

If you have specific security requirements or concerns, please reach out to me on X/Discord (obaid0000 on Discord, @7obaid on X)

We’ve gathered some resources below to help you get started.

​

Essential Resources

• DefendSaaS - Comprehensive guide for securing your SaaS application, including:
  • Preventing abuse and fraud
  • DDoS protection strategies
  • Authentication security best practices
  • API security patterns
  • Compliance considerations

​

Regular Security Tasks

​

Weekly

• Update dependencies
• Review user access
• Check backup status

​

Monthly

• Security patches
• Access review
• Policy updates

​

Quarterly

• Security audit
• Penetration testing
• Policy review

​

Additional Tools

1. Security Scanning

   • ProjectDiscovery - Open-source vulnerability scanning platform that focuses on exploitable vulnerabilities, used by 100k+ security pros. Includes:
     • Real-time attack surface monitoring
     • Custom exploit detection via Nuclei framework
     • False positive elimination
     • CI/CD integration
   • OWASP ZAP - Free security testing tool
   • Snyk - Dependency vulnerability scanning
   • SonarQube - Code quality and security review

2. Monitoring

   • Sentry - Error tracking and monitoring
   • Datadog - Infrastructure monitoring
   • PagerDuty - Incident response platform

3. Compliance

   • Vanta - Security compliance automation
   • Drata - Security and compliance automation
   • ComplyCube - KYC and AML compliance

​

Code Security Tools

​

ESLint Security Plugin

We recommend using @shipsecure/eslint-plugin-next to automatically detect and prevent security vulnerabilities in your Next.js code:

This plugin automatically detects:

• Insecure URL patterns
• Unsafe inline scripts
• Eval usage
• Common security vulnerabilities
• Other Next.js-specific security pitfalls

​

Rate Limiting with Upstash Redis

Titan already comes with a complete rate limiting system that protects your API endpoints from abuse. The implementation uses Upstash Redis for its serverless-friendly design and excellent performance characteristics.

​

Setting up Upstash Redis

1. Create an Upstash Redis database

   a. Sign up at Upstash

   b. Create a new Redis database

   • Choose a name for your database
   • Select the region closest to your application servers
   • Choose the free plan for development (or appropriate plan for production)

2. Get your Upstash credentials

   After creating your database, you’ll be shown two important credentials:

   • UPSTASH_REDIS_REST_URL
   • UPSTASH_REDIS_REST_TOKEN

   Copy these values to use in your environment variables.

3. Add environment variables

   Add these variables to your .env file:

   UPSTASH_REDIS_REST_URL="your_rest_url"
   UPSTASH_REDIS_REST_TOKEN="your_rest_token"
   

4. Restart your development server

   bun run dev
   

​

Rate limiting configuration

Rate limiting is already set up in lib/ratelimit.ts with sensible defaults:

• API endpoints: 20 requests per 10 seconds
• Authentication endpoints: 5 requests per minute
• Payment endpoints: 10 requests per minute

You can adjust these limits based on your application’s needs by modifying the configuration in lib/ratelimit.ts.

export const rateLimiters = {
  // Modify these values as needed
  api: new Ratelimit({
    redis: Redis.fromEnv(),
    limiter: Ratelimit.slidingWindow(20, "10 s"),
    analytics: true,
  }),
  // ...other limiters
};

​

Testing rate limits locally

To verify your rate limits are working:

1. Send multiple rapid requests to an API endpoint

   You can use a tool like Postman or curl to send multiple requests to your API endpoint.

   for i in {1..25}; do curl -i http://localhost:3000/api/your-endpoint; sleep 0.1; done
   

2. Check the rate limit headers

   After a few requests, you should see rate limit headers in the response:

   • X-RateLimit-Limit: The maximum number of requests allowed
   • X-RateLimit-Remaining: The number of requests remaining
   • X-RateLimit-Reset: The time when the rate limit resets

3. Hit the rate limit

   After exceeding the rate limit, you should get a 429 (Too Many Requests) response.

​

Implementing rate limiting on new API routes

To add rate limiting to a new API route:

1. Import the rate limiting function

   import { applyRateLimit } from '@/lib/ratelimit';
   

2. Apply rate limiting at the start of your route handler

   export async function GET(req: NextRequest) {
     // Apply rate limiting (using default 'api' limiter)
     const rateLimit = await applyRateLimit(req);
     if (!rateLimit.success) {
       return new NextResponse(
         JSON.stringify({ error: "Too many requests" }),
         { 
           status: 429, 
           headers: rateLimit.headers 
         }
       );
     }
     
     // Your API logic here
     
     // Add rate limit headers to successful responses
     return NextResponse.json({ data: yourData }, { headers: rateLimit.headers });
   }
   

3. Use a specific limiter (optional)

   // Use the "auth" limiter instead of the default "api" limiter
   const rateLimit = await applyRateLimit(req, "auth");
   

​

Deploying to production

1. Create a production Upstash Redis database

   Follow the same steps as for development, but choose an appropriate plan and region for your production needs.

2. Add environment variables to your hosting platform

   Add the Upstash credentials to your hosting platform (e.g., Vercel, Netlify):

   • UPSTASH_REDIS_REST_URL
   • UPSTASH_REDIS_REST_TOKEN

3. Using Vercel integration (recommended)

   If you’re deploying to Vercel, you can use the Upstash integration:

   a. Go to the Vercel dashboard for your project

   b. Navigate to “Settings” > “Integrations”

   c. Search for “Upstash” and click “Add Integration”

   d. Follow the steps to link your Upstash account

   e. Select your Redis database to connect to your Vercel project

   This will automatically set up the environment variables for you.

​

Common Issues & Troubleshooting

​

Rate limiting isn’t working

• Verify your Upstash Redis credentials are correctly set in your environment variables
• Check if your Redis database is accessible from your application
• Ensure you’re applying rate limiting correctly in your API route

​

Getting Redis connection errors

• Verify your Upstash Redis database is active
• Check network connectivity between your application and Upstash
• Ensure your token has the correct permissions

​

Rate limits are too restrictive or too lenient

Adjust the rate limit configuration in lib/ratelimit.ts based on your traffic patterns:

// Example: Increase API rate limit to 50 requests per 30 seconds
api: new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(50, "30 s"),
  analytics: true,
}),