Security

WE ASSUME
THE NETWORK
IS HOSTILE.

Every system we build operates as if an attacker is already inside the perimeter. Credentials are rotated, not left to hope. The audit trail is the system, not a feature bolted on. Encryption is end-to-end, not advertised. This page documents how we think about security — at the schema level, at the API surface, at the deployment boundary, and in the day-to-day operation of the systems we put into production.

01 — Threat model

WHO IS
THE ADVERSARY?

Security starts with a question almost no one asks first. The answer shapes every architectural decision downstream — the schema, the API boundary, the audit trail, the deployment topology.

01 SAAS

Other tenants

For multi-tenant SaaS, the adversary includes other tenants — not just external attackers. At scale, one will try to read another's data.

Row-level isolation Scoped authorization Tenant-scoped logs
02 MOBILE

The device itself

Phones get lost, cloned, rooted. The app holds enough to work for the shift — no long-lived secrets, no cached customer data that survives the parking lot.

Short-lived tokens Shift-scoped cache No offline secrets
03 WEB

Automation at scale

For public web products, the adversary is bots probing for known vulnerabilities. We harden against the bottom 99% by being thorough, not clever.

Standard headers Rate limits No debug endpoints
02 — Defense in depth

NO SINGLE LAYER
IS TRUSTED.

Every security boundary fails eventually. The discipline is to assume that and design the next layer accordingly. The diagram below is how a request actually traverses one of our production systems — each layer independently capable of refusing the request.

01
EDGE
Cloudflare in front of every public surface. Bot mitigation, rate limiting, geographic shaping, TLS termination with modern cipher suites only. The attacker reaches our origin only after passing this layer.
Cloudflare HSTS TLS 1.3 WAF
02
TRANSPORT
Strict transport security across every subdomain. Content security policy with allowed origins explicitly enumerated. Cross-origin resource sharing locked to known clients. Frame-ancestors restricted by host.
CSP CORS frame-ancestors Referrer-Policy
03
APPLICATION
Token-scoped authentication on every endpoint. Role-based access control checked on every operation, not just on login. Input validation at the boundary. Rate limits per identity, not just per IP. No endpoint trusts the caller's intent.
JWT RBAC Input validation Rate-limit
04
DATA
Row-level tenant isolation enforced in the database itself. Sensitive columns encrypted at the field level. Backups encrypted at rest. Connection strings stored in a secrets manager, never in environment files committed to source control.
Row-level isolation Field-level encryption Encrypted backups Secrets vault
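What "tenant isolation enforced in the database itself" looks like in practice, as an added example that is not code from this page or from our projects: a PostgreSQL row-level security policy keyed on a per-transaction setting. The table, role and setting names (customer, app_user, app.tenant_id) and the sample tenant ids are assumptions made for illustration.

```sql
-- Added example (not the page's code): tenant isolation enforced by
-- PostgreSQL row-level security. Table, role and setting names
-- (customer, app_user, app.tenant_id) are assumptions for illustration.

CREATE TABLE customer (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    name       text NOT NULL
);

-- The application connects as a role that does NOT own the table, so
-- row-level security is actually applied to its queries.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON customer TO app_user;
GRANT USAGE, SELECT ON SEQUENCE customer_id_seq TO app_user;

ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;   -- owner is filtered too

-- Reads are filtered by the tenant bound to the transaction; writes that
-- would create or move a row into another tenant are rejected as well.
-- If app.tenant_id was never set, current_setting(..., true) yields NULL,
-- the comparison is NULL, and the policy fails closed: no rows at all.
CREATE POLICY tenant_isolation ON customer
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, after the token has been verified at the application
-- layer, bind the tenant for this transaction only. SET LOCAL is undone
-- at COMMIT or ROLLBACK, so a pooled connection cannot leak the binding.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample

SELECT id, name FROM customer;          -- returns only this tenant's rows

INSERT INTO customer (tenant_id, name)  -- another tenant's id: rejected by
VALUES ('22222222-2222-2222-2222-222222222222', 'x');  -- the WITH CHECK clause
COMMIT;
```

The final INSERT raises "new row violates row-level security policy" and aborts the transaction; that is the point of the WITH CHECK clause. Two things to verify when adopting this pattern: the connecting role must be a member of app_user for SET LOCAL ROLE to succeed, and no code path may run queries as the table owner without FORCE ROW LEVEL SECURITY, or the policy is silently bypassed.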
05
AUDIT
Every mutation in the system is logged with actor, tenant, timestamp, prior state, new state. The audit log is append-only and tenant-scoped. If we cannot reconstruct what happened to a record six months from now, the system is not finished.
Append-only log Actor-traced Tenant-scoped Immutable
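One way to build the audit layer described above, as an added example rather than code from this page or from our projects: a PostgreSQL audit table that only a trigger can write to, that no role can update or delete, and that is tenant-scoped on read. It assumes the customer table and app_user role from the data layer already exist; the audit_log name, the app.actor_id and app.tenant_id settings, and the sample row id are assumptions for illustration.

```sql
-- Added example (not the page's code): tenant-scoped, append-only audit
-- log populated by a trigger. Assumes a `customer` table and an
-- `app_user` application role already exist; other names are assumed.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor_id    text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    table_name  text        NOT NULL,
    operation   text        NOT NULL,   -- INSERT / UPDATE / DELETE
    prior_state jsonb,                  -- NULL for INSERT
    new_state   jsonb                   -- NULL for DELETE
);

-- Append-only: the application role may read, never write directly.
-- Rows arrive only through the SECURITY DEFINER trigger function below.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT ON audit_log TO app_user;

-- Tenant-scoped on read: a tenant sees only its own history.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_tenant_read ON audit_log FOR SELECT
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Immutable: even the owner cannot rewrite history without first
-- dropping this trigger, which is itself a visible act.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END $$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Records every mutation with actor, tenant, prior state and new state.
-- Runs with the owner's rights so app_user needs no INSERT grant.
CREATE FUNCTION record_audit() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    actor  text := current_setting('app.actor_id', true);
    tenant uuid := current_setting('app.tenant_id', true)::uuid;
BEGIN
    -- An unattributed mutation is a bug, not something to log as NULL:
    -- refuse the write rather than produce a hole in the trail.
    IF actor IS NULL OR tenant IS NULL THEN
        RAISE EXCEPTION 'audit context missing for % on %', TG_OP, TG_TABLE_NAME;
    END IF;

    INSERT INTO audit_log (tenant_id, actor_id, table_name, operation,
                           prior_state, new_state)
    VALUES (tenant, actor, TG_TABLE_NAME, TG_OP,
            CASE WHEN TG_OP <> 'INSERT' THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP <> 'DELETE' THEN to_jsonb(NEW) END);
    RETURN NULL;   -- AFTER trigger: return value is ignored
END $$;

CREATE TRIGGER customer_audit
    AFTER INSERT OR UPDATE OR DELETE ON customer
    FOR EACH ROW EXECUTE FUNCTION record_audit();

-- Reconstructing "who did what, when" for one record six months later.
SELECT occurred_at, actor_id, operation, prior_state, new_state
FROM audit_log
WHERE table_name = 'customer'
  AND coalesce(new_state, prior_state)->>'id' = '42'   -- constructed sample id
ORDER BY occurred_at;
```

The design choice worth noting is that the actor and tenant come from transaction-scoped settings bound by the application after token verification, so the trigger fails the mutation itself when that context is absent; a row can never be changed without a matching audit entry. Storing prior and new state as jsonb keeps the trigger generic, so the same function can be attached to every table that holds tenant data.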
03 — Request flow

EVERY REQUEST
PASSES THROUGH.

An inbound request crosses five trust boundaries before it touches business logic. Each gate validates independently. Failure at any layer is contained.

Inbound
01 EDGE
Cloudflare WAF
Bot mitigation
TLS 1.3 termination
Geographic shaping
First refusal layer
02 TRANSPORT
HSTS preload
CSP frame-ancestors
CORS allowlist
Referrer-Policy
Browser-enforced boundaries
03 APPLICATION
JWT verification
RBAC per endpoint
Input validation
Rate limit per identity
No endpoint trusts the caller
04 DATA
Row-level isolation
Field-level encryption
Encrypted backups
Secrets vault
Tenant boundary enforced in the database
05 AUDIT
Append-only log
Actor-traced mutations
Tenant-scoped
Immutable storage
Every change reconstructable six months later
Business logic

Controls at each tier are the defaults — present in every project we ship. Per-engagement additions (multi-factor authentication, field-level column encryption, third-party penetration testing) are scoped to the threat model.

04 — Principles

FIVE CONVICTIONS.

01

Security is engineering, not compliance

A checklist passed before launch is not security. Security is the set of architectural decisions that make the wrong outcome impossible — not unlikely, impossible. The work is structural, not procedural.

02

The audit trail is the system

If we cannot answer who did what, when, with what authority, six months after the fact — the system is incomplete. The audit log is built first, not last. Every mutation traces back through it.

03

Least privilege is the default

No service runs as root. No database user has more permission than its role requires. No endpoint trusts the caller's intent. Defaults restrict; exceptions are documented; access is reviewed.

04

Cryptography is a tool, not a feature

We use standard, audited primitives. We do not invent our own. We rotate keys on a schedule, not when it becomes inconvenient. Where end-to-end encryption is warranted, the server holds nothing it does not need to.

05

Assume breach, design for recovery

The question is not whether a system will be compromised, but whether we can detect, contain, and recover. Backups tested by being restored. Incidents practiced before they happen. The runbook exists before it's needed.

05 — Engagements

WHEN SECURITY IS
A PRIMARY CONSTRAINT.

Some projects place security in the foreground from day one. Regulated industries. Multi-tenant SaaS. Systems handling identity, payments, or sensitive operational data. These engagements follow a different rhythm.

A conversation

BRING US IN
EARLY.

Security retrofitted is security compromised. The right time to think about it is at the schema. Reach out before the first commit, and we will help you build a system that does not need to be rescued later.