APP SECURITY BY TYPE

Generic security advice misses the threats specific to your app's category. A SaaS multi-tenant boundary failure is different from a marketplace escrow exploit, which is different from a healthcare PHI leak. Pick your type — we cover the failure modes that actually apply.

Why “app type” matters more than “tech stack”

Two apps built on the same stack — say, Next.js + Supabase + Vercel — can have wildly different threat models depending on what they do. A SaaS that handles team collaboration cares about tenant isolation; an e-commerce app cares about checkout-flow integrity; a healthcare app cares about PHI exposure under HIPAA. The stack-level controls overlap, but the category-specific failure modes are what attackers actually go after.

This is especially true for AI-generated apps: the model knows how to scaffold a generic CRUD app, but the category-specific guardrails (escrow timing, PHI minimum-necessary access, financial reconciliation, content moderation) are rarely present in the first commit. They have to be added explicitly, with awareness of what kind of app you’re building.

Pick your category

If your app is mostly… | Start here | Critical concerns
--- | --- | ---
Selling things | E-commerce security | Checkout integrity, payment fraud, account takeover, inventory abuse
Multi-tenant SaaS | SaaS security | Tenant isolation, RBAC, customer data segregation, billing tampering
Buyer/seller platform | Marketplace security | Escrow flows, fake listings, review manipulation, account verification
Health-related | Healthcare app security | PHI exposure, HIPAA, audit logs, consent flows, breach notification
Money / payments | Fintech security | Transaction integrity, KYC/AML, regulatory reporting, fraud detection
User-generated content / social | Social media security | Content moderation, abuse vectors, DM privacy, account recovery
Editorial / publishing | CMS security | Admin access control, draft leakage, file upload risks, plugin auditing
API for other apps to consume | API / backend security | Auth, rate limits, schema enumeration, BOLA, API key lifecycle
Personal blog | Blog security | Comment spam, admin compromise, asset hijacking, abandoned-plugin risk
Wrapping an LLM | AI wrapper security | Prompt injection, key exfiltration, cost abuse, output safety
Listings / directory site | Directory site security | Scraping, listing fraud, paid-tier bypass, claim flows
Community / forum | Community platform security | Moderation tooling, doxxing, account takeover, ban evasion

Cross-cutting concerns (apply to most categories)

Regardless of category, every app needs these baselines — start with the free security self-audit and the vibe code scanner, then layer category-specific controls.

  • Authentication and session integrity. No matter the category, a broken auth model means everything else is moot. Pair with the authentication implementation guide.
  • Authorization beyond “logged in.” Authn says who you are; authz says what you can do. Most app-type-specific exploits are authorization failures — IDOR/BOLA on order IDs (e-commerce), tenant hopping (SaaS), patient record peeking (healthcare). See authorization patterns.
  • Rate limiting and abuse protection. Different categories see different abuse: scraping (directory), credential stuffing (everything), enumeration (API). The mechanism is the same; the thresholds differ. See API abuse protection.
  • Audit trails appropriate to the category. Healthcare and fintech mandate them; SaaS and marketplaces benefit; blogs and personal sites can skip. The right level depends on what regulators and incident-response teams will need.

How to use this hub

  1. Read the page that matches your primary app type. If your app is two things (e.g. SaaS that processes payments), read both — combine the controls.
  2. Map each finding in your app’s category guide to a backend control. Most reference backend-security sub-pages.
  3. Run the free scans appropriate to your stack to verify what you implemented.
  4. For regulated categories (healthcare, fintech), pair with the compliance checklist — the engineering controls map directly to the audit requirements.

Common cross-category mistakes

  • Building “users” as a single concept across an obviously multi-role app. A marketplace has buyers, sellers, and admins; a SaaS has owners, members, and external collaborators. Treating them as one flat users table with a role column is the seed of every IDOR finding the category attracts.
  • Trusting the client to enforce category-specific business rules. “The frontend hides the buy-now button if the listing is your own” is not a control. The backend has to refuse the action.
  • Importing a category’s tech stack without its security posture. Copying a SaaS template into a healthcare context inherits the SaaS authn/authz patterns — which probably aren’t HIPAA-compliant. Stack-without-controls is half the work.
  • Logging too much, monitoring too little. Categories with regulatory scrutiny (healthcare, fintech) need audit logs, not just debug logs. The first is a deliberate, structured, retained record; the second is whatever the framework dumped.
  • Treating account recovery as an afterthought. “Forgot password” + “lost MFA device” is the highest-value attack surface in every category that has accounts. Most exploits route through there. Design it before you ship signup.
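Two of the mistakes above, trusting the client to enforce a business rule and keeping debug logs instead of an audit record, in working code. This is an added example for this hub page, not code from the page or from VibeEval; the marketplace roles, listing fields, denial reasons and the in-memory `AUDIT_LOG` are constructed. The server re-evaluates "you cannot buy your own listing" on every purchase whatever the UI showed, and writes one structured event per decision, denied or allowed.

```python
import json
import time
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Role(Enum):
    BUYER = "buyer"
    SELLER = "seller"
    ADMIN = "admin"


@dataclass(frozen=True)
class Actor:
    actor_id: str
    roles: FrozenSet[Role]  # one person may hold several roles (e.g. buyer and seller)


@dataclass
class Listing:
    listing_id: int
    seller_id: str
    price_cents: int
    status: str = "active"  # active | sold


class PolicyViolation(Exception):
    pass


# Constructed stand-in for an append-only, retained audit store.
AUDIT_LOG: List[str] = []


def audit(actor: Actor, action: str, target: int, outcome: str,
          reason: Optional[str] = None) -> dict:
    """One structured record per decision: who, what, on which object, and why."""
    event = {
        "ts": time.time(),
        "actor": actor.actor_id,
        "roles": sorted(r.value for r in actor.roles),
        "action": action,
        "target": target,
        "outcome": outcome,
        "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))
    return event


def purchase_denial_reason(actor: Actor, listing: Listing) -> Optional[str]:
    """Business rules evaluated on the server regardless of what the client hid.
    Returns the denial reason, or None when the purchase is allowed."""
    if Role.BUYER not in actor.roles:
        return "actor_not_a_buyer"
    if actor.actor_id == listing.seller_id:
        return "self_purchase"
    if listing.status != "active":
        return "listing_not_active"
    return None


def purchase(actor: Actor, listing: Listing) -> dict:
    """Refuse or complete the purchase, auditing both outcomes."""
    reason = purchase_denial_reason(actor, listing)
    if reason is not None:
        audit(actor, "purchase", listing.listing_id, "denied", reason)
        raise PolicyViolation(reason)
    listing.status = "sold"
    order = {
        "listing_id": listing.listing_id,
        "buyer": actor.actor_id,
        "seller": listing.seller_id,
        "amount_cents": listing.price_cents,
    }
    audit(actor, "purchase", listing.listing_id, "allowed")
    return order


if __name__ == "__main__":
    dave = Actor("dave", frozenset({Role.BUYER, Role.SELLER}))
    own_listing = Listing(1, "dave", 2500)
    try:
        purchase(dave, own_listing)
    except PolicyViolation as exc:
        print("denied:", exc)  # denied: self_purchase
    print(AUDIT_LOG[-1])
```

The denied-event record is the part worth keeping: a refused self-purchase or an admin attempting a buyer action is exactly what an incident responder later wants to see, and it is absent from framework debug logs.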

SCAN YOUR APP TYPE

Generic security is generic. VibeEval's scanner adjusts based on your app's architecture. 14-day trial. No card.
