[This post has a video]
If you’ve been keeping up with indie hacking goings on, you’d be aware of the Shipfast and Marc Louvion drama. I’m not here to analyse or take sides. And Marc has already responded gallantly.
But I want to say a few words about our responsibility as entrepreneurs and service providers. (BTW this is coming from over 20 years of professional software engineering experience, 5 years of building startups and a PhD in computer network security, so I’m not talking our of my arse).
Security is important
If you’re running a restaurant, would you want to make your customers sick from your food? If you’re selling cars, would you sell cars without locks?
It's the same with software. If you're building something that handles customer data, there’s a responsibility to ensure it’s safe. The good news is, you don’t need to be a security expert to do that.
"But you need to ship fast, fail fast, get traction…" Yes, solid advice. But security often gets left behind in the rush, especially when you’re a solo founder. Security seems like a huge, overwhelming topic.
It’s not Difficult
Securing your app doesn’t have to be hard. In fact, with modern frameworks, security is baked in.
Thousands of developers hours have gone into building, and securing, popular open source frameworks like Laravel, Django and Express. And these have been battle tested in the field against numerous attack attempts. Security holes are constantly being discovered and patched.
With modern frameworks, you don’t even have to think about security because they are often a core component of the framework.
With Laravel, for example, you get these security features out of the box:
- Form security: Laravel adds tokens to forms to Cross Site Request Forgeries.
- Password hashing: Even if a hacker gets into your database, they can’t see the passwords.
- Third-party logins: Want users to log in with Google or Facebook? Just enable it.
- SQL Injection protection: Laravel uses parameterized queries by default, protecting your database from SQL injection attacks.
- API Token authentication: If you’re exposing an API, authentication using tokens is already taken care of.
Most of these are things you don’t even have to spend a second setting up, but they save you a ton of headaches down the road.
Starter Kits and Security
A lot of indie hackers start with pre-built starter kits. And these can be great—they help you launch faster and focus on what matters. But one thing many of us don’t think about is whether these starter kits are secure. And honestly, it’s not your fault. Most of us aren’t security specialists, and neither are many of the people building these kits.
The truth is, security hasn’t always been front and center in our community. Many high-profile indie hackers have said they don’t even worry about it until they’ve gained traction. That makes sense—time is short, and the pressure to ship is real.
"But Pieter Levels said..."
You’ve probably heard stories like Pieter Levels’s—building entire businesses with just a single index.php file.
It’s inspiring, and it shows how much you can achieve with minimal resources. But here’s the catch: even those single-file setups need to be secure. Don't be fooled—Pieter secures his scripts.
And you're not Pieter Levels.
For my projects, I use Laravel, Tailwind, MySQL, and Nginx. It allows me to ship fast and have security built in. And it’s free.
But this is just my preference. And there are plenty of other great options out there.
For example, if you're more into JavaScript, you could use, Node.js, Express, and SQLite. Or if you're more comfortable with Python, you could use Django, FastAPI, PostgreSQL, and Gunicorn.
These tools are also widely used, secure, and have strong community support. The key is to pick the stack that works best for you and your skillset, while ensuring that security is a priority.
Takeaways for Indie Hackers
Buy starter kits if you want. But don’t overlook open source frameworks. It’s secure, it allows you to ship just as fast, and it’s free.
As indie hackers, we have a lot on our plates. We’re trying to build, launch, and grow—all with limited time and resources. Security can feel like a huge burden, but it doesn’t have to be.
No need to be an expert, no need to reinvent the wheel. Just use the tools that are already out there, and focus on shipping without drama.
Let’s keep pushing forward, moving fast, and yes, staying secure.
Have questions?
Want to know more about securing your app? Or have a question? You can reach me on X or LinkedIn.
Top comments (0)