5
9 Comments

Building a security audit tool for indie hackers - need your feedback

Hi guys,

I’ve been working on a side project lately: an automated security audit service for small SaaS projects (https://tlsguard.tech/).

I'm a solo dev, and I’ve seen how easy it is to focus on shipping features and completely ignore security until something breaks or an IDOR pops up. I wanted to build something that acts as a "second pair of eyes" to catch the obvious (and some not-so-obvious) stuff before it becomes a problem.

I’m currently refining my audit process and I’d love to hear from other devs:

What's the one thing in security that actually keeps you awake at night?

Have you ever had a security wake-up call that changed how you code?

If you’re open to a quick check of your app's security, let me know! Also, really appreciate any feedback on the landing page or the idea itself.

on July 1, 2026
  1. 1

    This taps into a very real gap in indie SaaS workflows—security is usually treated as a post-launch concern rather than a continuous signal. The “second pair of eyes” framing works because it lowers the perceived expertise barrier while still addressing a high-stakes fear. The key challenge for tools like this is usually not detection, but prioritization—helping founders distinguish between theoretical vulnerabilities and actual exploit paths in their specific stack.

  2. 1

    One thing I’d add for small SaaS security audits: don’t stop at “backups exist.” Ask for the latest restore artifact.

    For me that means: backup id/object, restore target, timestamp, restore command/log, and a couple of smoke checks showing the restored app/db was usable. A pg_dump cron or dashboard screenshot is useful, but it doesn’t prove the recovery path works.

    It’s a good indie-hacker control because the first restore test usually catches boring-but-real problems: stale credentials, missing extensions, wrong Postgres client version, secrets not captured, or a dump that stopped including what you thought it did.

  3. 1

    multi-tenant data isolation, every time. one missing "WHERE tenant_id = ?" and you're serving customer A's data to customer B — and it sails through every test because your fixtures are single-tenant, so nothing catches it until you have real concurrent tenants, which is exactly when it's most expensive. if TLSGuard can flag queries missing tenant scoping, that'd be a killer feature for this crowd.

    1. 1

      Good point. Multi-tenant leaks are expensive to catch late. Black-box limits us here - we can test cross-tenant IDOR manually (user A tries to access user B's data via ID manipulation), but we can't flag missing WHERE clauses without seeing queries.

      What we can catch:

      • IDOR across tenants (if we have 2+ test accounts)
      • Tenant ID enumeration in URLs/APIs
      • Shared resource leaks (uploads, files)

      What we miss:

      • Query-level tenant scoping issues (need code access)

      Would you pay extra for deeper multi-tenant testing, or should it
      be part of the base audit? Curious what price makes sense.

  4. 1

    Hi Mike, I ran the TLSGuard page through PagePulse because your "security audit for small SaaS" angle is strong, but trust has to land very fast here.

    A few things stood out:

    • The entire page below the hero (~y=15%) is rendering as invisible dark content — no text, images, or sections are visible, making the page a single-screen hero with no supporting content, proof, or conversion path
    • Zero trust signals below the fold — no credentials, no testimonials visible. A security audit service selling to startups requires heavy credential validation before any conversion can occur.

    My main read: for this category, the page should quickly answer "what do you check, what do I get back, and why should I trust this with my app?" before going deep into features.

    Hope useful — ping me once you've made changes and I'll re-run it

  5. 1

    Mike, the thing that keeps me up at night with automation systems is API key exposure combined with runaway agent loops. A single leaked key on a misconfigured agent can burn through real costs before you notice. The black-box approach you described makes sense for keeping audits affordable, but do you also look at common SaaS risk areas like exposed .env files, open S3 buckets, or misconfigured CORS policies? Those are the ones that slip through most often for indie devs shipping fast.

    1. 1

      You're right, those are the risks that usually slip through the cracks when you're moving fast. I’ve structured my audit process to address exactly those areas. The service combines automated scanning for infrastructure misconfigurations-like exposed config files, S3 buckets, and CORS issues-with a manual review of logic and potential API key exposures. It’s designed to catch those 'low-hanging' vulnerabilities that often go unnoticed during standard development. You can find more details on how this audit covers these points on my website.

  6. 1

    The dependency supply chain is what keeps me up at night - especially when you're shipping fast and pulling in a new package without really knowing its maintainer's track record. I've had the uncomfortable experience of discovering a dependency had gone unmaintained only after it showed up in a security report.

    Your "second pair of eyes" approach to catch IDOR and auth issues is really valuable though. Those are exactly the things that slip through because we normalize our own code patterns.

    Do you focus your audits on specific vulnerability categories, or do you do a broader check across architecture, dependencies, and code patterns?

    1. 1

      Yes, we focus only on specific vulnerabilities with black-box access. I think that if we conducted a full project architecture review, it would significantly increase the price of our services

Trending on Indie Hackers
I sold $6,773 in 2 weeks, with almost no existing community. User Avatar 52 comments Ferguson is LIVE on ProductHunt today... so I audited their homepage first! User Avatar 37 comments Why Remote Teams Stop Talking (And Don't Even Notice It) User Avatar 33 comments The hardest part isn't building anymore User Avatar 31 comments Built a local-first Amazon profit-by-SKU + QuickBooks/Xero journal tool. Looking for founding users. User Avatar 27 comments Before you build another feature, use this workflow User Avatar 20 comments