Node.js Security Engineer — Harden Multi-Tenant SaaS for Production Launch
Budget: $15.0 - $35.0
HOURLY / NOT_SURE
⭐ 0.00 (0)
United States
postgresql, node.js, web-application-security
We're a multi-tenant real estate SaaS platform (Node.js / Express, Supabase/PostgreSQL, Stripe) preparing to launch to 500+ paying users. We've already run our own security audit and know what needs fixing — we need an experienced engineer to harden the app and get it production-ready.
This is a finite, well-scoped engagement, not an open-ended build. You'll be working from a documented list of findings.
WHAT NEEDS TO BE DONE:
- Lock down authentication/authorization: ensure every API route enforces auth (currently many do not) and that object-level access is checked on every request (BOLA prevention)
- Multi-tenant data isolation: verify and harden PostgreSQL Row-Level Security scoped by org_id, with a middleware backstop so a single bug can't leak cross-tenant data
- Fix a static-file serving misconfiguration that currently exposes server-side files
- Remove hardcoded secret fallbacks (a default secret used when the environment variable is unset); fail fast at startup when a required environment variable is missing
- Implement per-user rate limiting (including on expensive AI endpoints to prevent cost-exhaustion abuse)
- Lock down CORS, add security headers (CSP, HSTS), reduce request body limits
- Build an automated cross-tenant test suite that proves one tenant cannot access another's data
- Review and confirm Stripe webhook handling (signature verification on incoming events) and billing security
- Help finalize deployment to production
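The first two items (auth on every route, object-level checks, RLS scoped by org_id with a middleware backstop) and the cross-tenant test suite fit together as one defense-in-depth pattern. The following is an added example written for this listing, not code from the posting or its application: an in-memory table stands in for the RLS-scoped query, a second application-side check refuses to return any row from another tenant, and a miniature cross-tenant suite drives both. The store, column names, `req.auth.org_id` claim, `app.current_org_id` setting and helper names are all assumptions; the listing data is constructed.

```javascript
// Added example: two-layer tenant isolation plus an object-level (BOLA) check.
// Not from the posting's codebase; names, claims and data are assumptions.

// Constructed sample data: two tenants' rows in one table.
const LISTINGS = [
  { id: 'l-1', org_id: 'org-a', address: '1 Main St' },
  { id: 'l-2', org_id: 'org-a', address: '2 Main St' },
  { id: 'l-3', org_id: 'org-b', address: '9 Oak Ave' },
];

class TenantIsolationError extends Error {
  constructor(orgId, row) {
    super(`row ${row.id} (org ${row.org_id}) leaked into request for org ${orgId}`);
    this.name = 'TenantIsolationError';
  }
}

// Layer 1: stands in for PostgreSQL RLS. The real policy would be roughly
//   CREATE POLICY tenant_isolation ON listings
//     USING (org_id = current_setting('app.current_org_id', true));
// with `SET LOCAL app.current_org_id = $1` run inside the request's
// transaction (setting name assumed). Here it is a filter on the table.
function scopedQuery(orgId, predicate = () => true) {
  return LISTINGS.filter((r) => r.org_id === orgId && predicate(r));
}

// A deliberately broken query that forgets the tenant scope: the "single
// bug" (or a table RLS was never enabled on) the backstop must catch.
function unscopedQuery(predicate = () => true) {
  return LISTINGS.filter(predicate);
}

// Layer 2: the middleware backstop. Every row leaving the data layer is
// re-checked against the request's tenant and fails loudly on a mismatch.
function assertTenantRows(rows, orgId) {
  for (const row of rows) {
    if (row.org_id !== orgId) throw new TenantIsolationError(orgId, row);
  }
  return rows;
}

// req.auth is assumed to be populated by an upstream JWT-verification
// middleware (the org claim name is an assumption). Missing auth => 401.
function requireAuth(req) {
  if (!req.auth || !req.auth.org_id) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return null;
}

// Object-level authorization: fetch by id, then verify the tenant owns it.
// 404 for both "missing" and "not yours" avoids confirming existence.
function getListingHandler(req, id, query = scopedQuery) {
  const denied = requireAuth(req);
  if (denied) return denied;
  const orgId = req.auth.org_id;
  const rows = assertTenantRows(query(orgId, (r) => r.id === id), orgId);
  if (rows.length === 0) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: rows[0] };
}

// List handler, parameterised on the query so the suite below can swap in
// the buggy one and prove the backstop fails closed (500, no partial data).
function listListingsHandler(req, query = scopedQuery) {
  const denied = requireAuth(req);
  if (denied) return denied;
  const orgId = req.auth.org_id;
  try {
    return { status: 200, body: assertTenantRows(query(orgId), orgId) };
  } catch (e) {
    if (e instanceof TenantIsolationError) {
      return { status: 500, body: { error: 'tenant isolation violation' } };
    }
    throw e;
  }
}

// Cross-tenant suite in miniature: a real one would run these cases against
// every route with a token for each tenant and an anonymous client.
function runCrossTenantChecks() {
  const a = { auth: { org_id: 'org-a' } };
  const b = { auth: { org_id: 'org-b' } };
  const anon = {};
  return {
    anonRejected: getListingHandler(anon, 'l-1').status === 401,
    ownRowVisible: getListingHandler(a, 'l-1').status === 200,
    foreignRowHidden: getListingHandler(a, 'l-3').status === 404,
    ownerSeesOwnRow: getListingHandler(b, 'l-3').status === 200,
    listIsScoped: listListingsHandler(a).body.every((r) => r.org_id === 'org-a'),
    backstopCatchesBug: listListingsHandler(a, () => unscopedQuery()).status === 500,
  };
}
```

The point of the backstop is that it is independent of the query layer: when `unscopedQuery` is swapped in, RLS has effectively failed, yet no foreign row reaches the response. In production the `TenantIsolationError` branch should also alert, since it means the database-side policy did not hold.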
REQUIRED EXPERIENCE:
- Demonstrable production security work on Node.js/Express APIs
- Hands-on multi-tenant SaaS architecture with PostgreSQL Row-Level Security
- Familiarity with the OWASP API Security Top 10
- Supabase Auth (JWT/JWKS verification)
- Experience taking an app from "works" to "production-hardened and safe for real customer data"
HOW TO APPLY:
In your first message, briefly tell us: what's the difference between authentication and authorization, and why is broken object-level authorization (BOLA) one of the most common API vulnerabilities? (We want to know you actually do this work — please don't send a generic proposal.)
This is a milestone-based engagement. We'll start with a scoping call to walk through our audit findings together.