Node.js Security Engineer — Harden Multi-Tenant SaaS for Production Launch

Posted 2 weeks ago

Worldwide

Summary

We're a multi-tenant real estate SaaS platform (Node.js / Express, Supabase/PostgreSQL, Stripe) preparing to launch to 500+ paying users. We've already run our own security audit and know what needs fixing — we need an experienced engineer to harden the app and get it production-ready. This is a finite, well-scoped engagement, not an open-ended build. You'll be working from a documented list of findings.

WHAT NEEDS TO BE DONE:
- Lock down authentication/authorization: ensure every API route enforces auth (currently many do not) and that object-level access is checked on every request (BOLA prevention)
- Multi-tenant data isolation: verify and harden PostgreSQL Row-Level Security scoped by org_id, with a middleware backstop so a single bug can't leak cross-tenant data
- Fix a static-file serving misconfiguration that currently exposes server-side files
- Remove hardcoded secret fallbacks; enforce proper environment-variable handling
- Implement per-user rate limiting (including on expensive AI endpoints to prevent cost-exhaustion abuse)
- Lock down CORS, add security headers (CSP, HSTS), reduce request body limits
- Build an automated cross-tenant test suite that proves one tenant cannot access another's data
- Review and confirm Stripe webhook handling and billing security
- Help finalize deployment to production

REQUIRED EXPERIENCE:
- Demonstrable production security work on Node.js/Express APIs
- Hands-on multi-tenant SaaS architecture with PostgreSQL Row-Level Security
- Familiarity with the OWASP API Security Top 10
- Supabase Auth (JWT/JWKS verification)
- Experience taking an app from "works" to "production-hardened and safe for real customer data"

HOW TO APPLY:
In your first message, briefly tell us: what's the difference between authentication and authorization, and why is broken object-level authorization (BOLA) one of the most common API vulnerabilities? (We want to know you actually do this work — please don't send a generic proposal.)
This is a milestone-based engagement. We'll start with a scoping call to walk through our audit findings together.

  • Not Sure
    Hourly
  • 1-3 months
    Duration
  • Intermediate
    Experience Level
  • $15.00 - $35.00
    Hourly
  • Remote Job
  • Ongoing project
    Project Type

Contract-to-hire opportunity

This lets talent know that this job could become full time.
Skills and Expertise
Mandatory skills
PostgreSQL
Node.js
Multi-Factor Authentication
Activity on this job
  • Proposals: 50+
  • Last viewed by client: 2 weeks ago
  • Interviewing: 24
  • Invites sent: 4
  • Unanswered invites: 0
About the client
Member since Apr 1, 2026
  • United States
    6:35 PM
