Thanks! This is definitely the part that kept me up at night as a non-traditional dev.
My philosophy was to write as little security code as possible myself and rely on battle-tested infrastructure:
Auth & User Data: I rely entirely on Supabase Auth (which is based on the GoTrue API). I don't touch password hashing or session management logic directly.
Data Access: I use PostgreSQL Row Level Security (RLS) policies extensively. Every request to the DB has to pass a policy like auth.uid() = company_id. This ensures that even if there’s a bug in my frontend code, the database layer rejects unauthorized access.
Inputs: I use Zod for strict schema validation on all API routes to prevent weird injections before they even hit the DB.
Since this is for Oil & Gas (sensitive compliance data), I also made a hard rule: No AI agents have write-access to the database. The AI only suggests text/codes in the UI, and a logged-in human must click "Save."
My philosophy was to write as little security code as possible myself and rely on battle-tested infrastructure:
Auth & User Data: I rely entirely on Supabase Auth (which is based on the GoTrue API). I don't touch password hashing or session management logic directly.
Data Access: I use PostgreSQL Row Level Security (RLS) policies extensively. Every request to the DB has to pass a policy like auth.uid() = company_id. This ensures that even if there’s a bug in my frontend code, the database layer rejects unauthorized access.
Inputs: I use Zod for strict schema validation on all API routes to prevent weird injections before they even hit the DB.
Since this is for Oil & Gas (sensitive compliance data), I also made a hard rule: No AI agents have write-access to the database. The AI only suggests text/codes in the UI, and a logged-in human must click "Save."