
SaaS platforms are high-value targets: they hold data for multiple customers, run continuously on public internet endpoints, and are often built by small teams moving fast. The combination creates systematic security risks that attackers know how to exploit. This checklist covers the controls that eliminate the most common vulnerability classes.

Authentication & Access Control

  • Multi-factor authentication mandatory for all admin and privileged users
  • OAuth 2.0 / OIDC with short-lived access tokens (15 min max), long-lived refresh tokens stored securely
  • Role-based access control (RBAC) with deny-by-default — users get no permissions unless explicitly granted
  • Separate authentication contexts for users and service-to-service calls; no shared credentials

Data Security

  • Encryption at rest for all customer data — use cloud KMS, not application-managed keys
  • TLS 1.2+ for all data in transit; enforce HSTS with a minimum 6-month max-age
  • Tenant data isolation at the database level — row-level security or separate schemas, not application-layer filters
  • Audit logs for all data access and mutations — immutable, stored outside the primary database

Application Security

  • Parameterised queries everywhere — no string concatenation in SQL
  • Input validation at every API boundary — reject malformed requests before they reach business logic
  • Content Security Policy headers to prevent XSS; sanitise all HTML output
  • Rate limiting on all authentication endpoints; exponential back-off on failed login attempts
  • Dependency scanning in CI — flag known CVEs before they reach production
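As an added illustration of the back-off rule in the list above (example code, not from the checklist's author), here is a per-(username, source IP) login throttle whose lockout doubles with each consecutive failure, is capped, and is cleared on success; the constants, class and method names are my own assumptions and the in-memory store stands in for a shared one.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Hypothetical tuning values; a deployment would pick its own.
BASE_DELAY = 1.0        # seconds of lockout after the first failure
MAX_DELAY = 15 * 60     # cap so the doubling cannot grow without bound
FAILURE_RESET = 3600    # forget the failure history after an hour of quiet


@dataclass
class LoginThrottle:
    """Exponential back-off for an authentication endpoint.

    State lives in a dict here for illustration; a real deployment keeps it in a
    store shared by every app instance (e.g. Redis) so all replicas agree.
    """
    clock: Callable[[], float] = time.monotonic
    # key -> (consecutive failure count, timestamp of the last failure)
    _failures: Dict[Tuple[str, str], Tuple[int, float]] = field(default_factory=dict)

    @staticmethod
    def _key(username: str, ip: str) -> Tuple[str, str]:
        # Keying on the pair limits one source hammering one account without
        # letting that source lock the account out for everyone else.
        return (username.lower(), ip)

    def retry_after(self, username: str, ip: str) -> float:
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        key = self._key(username, ip)
        entry = self._failures.get(key)
        if entry is None:
            return 0.0
        count, last = entry
        now = self.clock()
        if now - last > FAILURE_RESET:
            del self._failures[key]          # stale history, start fresh
            return 0.0
        delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
        return max(0.0, delay - (now - last))

    def record_failure(self, username: str, ip: str) -> None:
        key = self._key(username, ip)
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, self.clock())

    def record_success(self, username: str, ip: str) -> None:
        # A successful login ends the back-off sequence for this pair.
        self._failures.pop(self._key(username, ip), None)
```

Call `retry_after` before checking credentials and reject with HTTP 429 and a `Retry-After` header when it is non-zero; record the outcome afterwards.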

Operational Security

  • Principle of least privilege for all service accounts and IAM roles
  • Secrets management via a vault (HashiCorp Vault, AWS Secrets Manager) — no secrets in environment variables or source code
  • Automated security scanning in your deployment pipeline
  • An incident response plan that has actually been rehearsed