How do you define a scope of your MVP?

My MVP for a user functionality is to list a profile on a web app. This includes profile image, the web url and their social media usernames.

I'm building it from scratch on top of firebase. I'm concerned over securities such as protecting public functions from malicious attacks, putting in some logging mechanism to see if the functions take too long to execute, do some testing from an early stage, writing code in a way that it can be easily moved to another platform if needed to.

I sometimes wonder what is the line of over engineering and having a functional reliable MVP. Do you take security matter and other concerns in consideration when building an MVP at the beginning?

How do you draw a line?

  1. 2

    I draw a line the moment I start caring about security and I currently have 0-10 users only.

  2. 1

    IMO it depends on your launch plan, and how you intend to validate whether you've got product-market fit (and whether you've already done this beforehand).

    If for example, you're launching to a select, intimate beta audience, you can get by without perfect security initially. Low traffic, few users, low risk.

    If you're doing a public launch without heavy promotion, I'd go with basic security. For example in Rails, CSRF and SQL injection protection are built in; everything uses SSL these days; requiring authentication is an easy win. Since you're launching without heavy promotion, there's far less traffic so you'll be able to do some validation with minimal risk of malicious attacks.

    If you're doing heavy marketing, AND anticipate it'll actually work and the app will grow quickly, then I'd consider to what degree you should really lock down security. Otherwise 80/20 stuff is probably what I'd aim for (i.e., no glaring security holes), then queue up bigger improvements once you know people actually want the product.

    One exception would be launching on a stack like Wordpress which has lots of known vulnerabilities out of the box. In a case like that I'd do a little to cover the obvious holes (which in WP's case, there are lots of common solutions for - anti-spam plugins, renaming the database table prefixes, etc).

    1. 2

      Thanks! This has actually given me a different perspective to look at this. I don't do heavy marketing and just aim for a small group of people at the beginning. I think I got the answer.

  3. 1

    I use Firebase but only after I've done some validation with earlier prototypes. Validation that could come in the form of low fidelity prototypes, surveys, immersing yourself in the community, etc. If that's already been done and you have 10+ potential users, you can set up an app backed by Firebase. But even here I ask myself if I can cut corners because development takes time.

    Security won't be an issue with Firebase if you make sure that you have proper access control on your Firestore rules, if I understand correctly?

    1. 1

      Thanks for your reply. I agree that development does take time, and that's why I asked myself where to draw the line.

      For validation, I have a landing page up and there're people signed up for it. I chose to build an app on top of Firebase thinking it would be quick, but I just happened to catch myself in development stack.

      Firestore is secured calling from the app directly with security rules, however if I were to use it through cloud functions then it's needed to be protected. Again, that's an optimisation ahead of time I think.

      1. 2

        I see, yeah makes sense! If you're delegating to Cloud Functions, there needs to be some form of guard for accessing documents (security)... which brings us back to your original question. Got it. 😁

        ...drawing a line in the sand. I guess it depends. If it's for your pure curiosity and enjoyment, it could make sense to give it a bit of leeway? 🙂 But if you've been through the motion before and you're looking for things the move the needle, my personal rule would be: is it a value-add? If it doesn't add value for the user, I tend to drop it

  4. 1

    Probably the line with over engineering is when you take more time to make security things instead of functionality. For avoid this I use always the same backend skeleton that is enough secure.

    A thing that I want to avoid is to put to many things in fact I use a vanilla or minimal framework setup, if the product is an MVP probably you don't need a big cloud service platform but could be good a simple node backend with a mongo db database for example.

    1. 1

      Yeah, good point. That's why I choose Firebase to do the quick prototype. I might concern too much over the securities over implementing functionalities. Thanks for your reply.

Trending on Indie Hackers
Hit 🎉 40K users 🎉 ahead of the launch 15 comments The one where writing books is not really a good idea 13 comments I build an awesome white-label product but I don't know who could need it. 8 comments 99 Designs and 2 Dribbble Designers Later I Have a Logo! 7 comments I got 3 offers to buy my product for $100k, $125k and $150k, rejected them and here's why it was the correct call 6 comments Straight No to Bootstrap after Tailwind! Is it only me? 5 comments