Web App Security Enhancement - 03/02/2026 00:57 EST

Customer: AI | Published: 03.02.2026

Project: Beta-Stage Web Application Security Setup
Role Needed: Web Application Security Engineer

Project Overview

I'm preparing a coaching-based web platform for public beta and need an experienced professional to implement industry-standard security best practices suitable for handling sensitive user data. The application is built using a modern low-code/no-code frontend with Supabase as the primary backend and database. Custom SQL integrations via secure APIs are possible if needed.

Objective

Prepare the platform for public beta by implementing professional, scalable security foundations that:
- Protect user and client data
- Build trust with end users
- Lay groundwork for future enterprise compliance (SOC 2 / ISO later — not required now)

Scope of Work (Deliverables)

1. Transport & Data Security
- Ensure HTTPS / SSL is correctly enforced site-wide
- Verify encryption in transit and at rest
- Review Supabase security configuration and recommend improvements
- Ensure no sensitive data is stored in plain text

2. Authentication & Access Control
- Review and harden authentication setup
- Enforce strong password policies
- Implement session expiration / timeout handling
- Configure role-based access control:
  - Coaches can access only their own clients
  - Clients can access only their own data
  - Admin access follows least-privilege principles
- Optional (bonus): Enable MFA for coaches

3. User Data Ownership & Controls
- Implement or verify:
  - Account deletion (soft delete acceptable for beta)
  - Basic data export (manual process acceptable)
- Ensure strict separation between:
  - Coach data
  - Client data
  - Platform/admin data

4. Privacy & Compliance Foundations
- Create or review a Privacy Policy covering:
  - Data collected
  - Purpose of data usage
  - Storage location (cloud infrastructure / Supabase)
  - User rights (access, deletion)
  - Beta-stage disclaimer
- Ensure GDPR-aligned data handling practices (no formal certification required)

5. Security Hygiene & Operations
- Ensure no hard-coded secrets or exposed API keys
- Configure regular database backups (weekly minimum)
- Enable basic logging for:
  - Login attempts
  - Critical actions (account deletion, role/permission changes)

Out of Scope (Important)

This project does not require:
- SOC 2 or ISO 27001 certification
- HIPAA compliance or legal documentation
- Expensive penetration testing
- Over-engineered custom authentication systems

Optional Advanced Task

Advise on or implement secure custom SQL integrations via APIs (for Supabase replacement or hybrid architectures, if needed).

Ideal Freelancer Profile
- Strong experience with web application security
- Experience with Supabase, SQL databases, or modern backend stacks
- Comfortable working with low-code / no-code platforms
- Able to explain security decisions in clear, non-technical language
- Experience with beta-stage or early-stage products

Expected Outcome
- A secure, public-beta-ready platform
- A short written summary explaining:
  - What was implemented
  - Any remaining risks
  - What should be improved post-beta

Timeline

7–14 days preferred (open to discussion)
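On Supabase the "coaches see only their own clients, clients see only their own data" requirement is normally enforced in the database itself with Row Level Security, so that a low-code frontend talking directly to the API cannot widen its own access. The following is an added illustration, not code from this posting; the `profiles` and `clients` tables and their columns are assumed, while `auth.uid()` is Supabase's built-in helper that returns the id of the signed-in user.

```sql
-- Assumed schema (not from the posting): a profiles table keyed by the
-- Supabase auth user id, and a clients table that links each client to a coach.
create table public.profiles (
  id   uuid primary key references auth.users (id) on delete cascade,
  role text not null check (role in ('coach', 'client', 'admin'))
);

create table public.clients (
  id       uuid primary key default gen_random_uuid(),
  user_id  uuid not null references auth.users (id) on delete cascade,
  coach_id uuid not null references auth.users (id),
  notes    text
);

-- RLS is off by default. Without these two statements no policy below
-- applies and every authenticated user can read the whole table.
alter table public.profiles enable row level security;
alter table public.clients  enable row level security;

-- Clients: only the row that belongs to the signed-in user.
create policy "clients read own record" on public.clients
  for select to authenticated
  using (user_id = auth.uid());

-- Coaches: only clients assigned to the signed-in coach.
create policy "coaches read own clients" on public.clients
  for select to authenticated
  using (coach_id = auth.uid());

-- Coaches may edit notes on their own clients. The WITH CHECK clause stops an
-- update from reassigning the row to another coach (or to no coach at all).
create policy "coaches update own clients" on public.clients
  for update to authenticated
  using (coach_id = auth.uid())
  with check (coach_id = auth.uid());

-- Each user reads only their own profile. No INSERT/UPDATE policy is created,
-- so role changes can only happen server-side with the service-role key,
-- which must never be shipped to the frontend because it bypasses RLS.
create policy "read own profile" on public.profiles
  for select to authenticated
  using (id = auth.uid());
```

A quick check after deploying: sign in as a client in the Supabase SQL editor's role-impersonation view (or via the client library) and run `select * from clients`; anything other than that user's own row means a policy is missing or RLS is not enabled on the table.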