Security in the CRM world has a pricing problem. The features that actually protect your data — SSO, audit logs, role-based access, encryption — are typically locked behind enterprise tiers that cost $150-300 per user per month. For a small sales team, that's a choice between real security and paying rent.
At SalesSheet, we decided that was wrong. Security isn't a premium feature. It's a baseline requirement. Every layer of protection we've built is available to every user at every pricing tier, starting at $50 per month.
Here's what that actually includes and how we implemented each layer.
Layer 1: PKCE Authentication
PKCE (Proof Key for Code Exchange, pronounced "pixy") is the modern standard for OAuth 2.0 authentication in single-page applications. It solves a fundamental problem with the traditional authorization code flow: the authorization code comes back through a browser redirect, where it can be intercepted.
Here's how it works. When you log in to SalesSheet, the browser generates a random cryptographic string called a "code verifier." It creates a hashed version, the "code challenge," and sends that along with the authorization request. When the auth server returns the authorization code, the browser exchanges it for a token by also sending the original code verifier, which proves it is the same client that started the flow. If the hash of the verifier matches the challenge the server stored, the token is issued. If it doesn't, the request is rejected.
This means that even if someone intercepts the authorization code (through a man-in-the-middle attack or a malicious browser extension), they can't exchange it for a token without the code verifier — which is sent only directly to the token endpoint and never appears in the redirect. It costs nothing extra to implement but dramatically improves security.
Layer 2: XSS Protection With DOMPurify
Cross-site scripting (XSS) attacks remain one of the most common web vulnerabilities. In a CRM context, they're especially dangerous because your data contains names, emails, and company information that users type in — any of which could contain malicious scripts.
Imagine a contact whose company name is set to a script injection. Without sanitization, when another user views that contact, the script executes in their browser. It could steal their session token, redirect them to a phishing page, or exfiltrate CRM data.
We use DOMPurify to sanitize every piece of user input before it's rendered in the DOM. DOMPurify is a well-tested, extensively audited library that strips malicious HTML while preserving safe formatting. Every contact name, every email body, every note, every custom field — all sanitized before render.
This isn't just about blocking obvious script tags. DOMPurify handles edge cases that basic sanitizers miss: event handlers in attributes, SVG-based injection, template injection, and dozens of other vectors. The same attention to detail we bring to our UI polish extends to our security posture.
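A point worth separating from the DOMPurify discussion: sanitizing is for fields that legitimately carry HTML (a rich-text note, an email body). A company name or an email address never needs to be interpreted as HTML, and the stronger control for those fields is to escape them, or assign them with `textContent`, so a script in the value is displayed rather than executed. The following is an added example, not SalesSheet's code; the contact shape and the hostile sample record are constructed.

```javascript
// Added example (not SalesSheet's code). Plain-text contact fields are
// escaped for both element and attribute context before they are placed in
// markup; DOMPurify remains the tool for fields that must keep safe HTML.

// Escape the five characters that matter inside elements and inside
// double- or single-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Build a contact card with every plain-text field escaped. In a browser you
// would create elements and set textContent instead; the string form keeps
// the example runnable under Node.
function renderContactCard(contact) {
  return [
    `<div class="contact" data-id="${escapeHtml(contact.id)}">`,
    `  <h2>${escapeHtml(contact.name)}</h2>`,
    `  <p class="company">${escapeHtml(contact.company)}</p>`,
    `  <a href="mailto:${escapeHtml(contact.email)}">${escapeHtml(contact.email)}</a>`,
    `</div>`,
  ].join("\n");
}

// Constructed sample: the scenario from the post, a company name that is a
// script injection, plus an email that tries to break out of its attribute.
const hostileContact = {
  id: "c-1",
  name: "Ada Example",
  company: "<script>alert(1)</script>",
  email: 'ada@example.com" onmouseover="alert(1)',
};

// True when user-supplied data in the rendered card cannot open a tag or
// close an attribute: no raw "<" and no raw quote survive escaping.
function userDataIsInert(contact) {
  return ["id", "name", "company", "email"].every(
    (field) => !/[<>"']/.test(escapeHtml(contact[field])),
  );
}
```

For the fields that do need markup, the same principle applies in reverse: hand DOMPurify an explicit allowlist (its `ALLOWED_TAGS` and `ALLOWED_ATTR` options) rather than accepting its default of everything it considers safe, so a note field cannot carry tags the CRM never renders.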
Layer 3: CORS Allowlisting
Cross-Origin Resource Sharing (CORS) controls which web origins a browser will let read responses from your API. Without a strict CORS configuration, a script on any website could make requests to your CRM's backend from a logged-in user's browser and potentially access or modify data. Because CORS is enforced by the browser, it complements, rather than replaces, authentication and authorization on every request.
SalesSheet maintains a strict allowlist of approved origins. Only our production domain and authorized development environments can make API requests. Everything else is rejected at the network edge, before it ever reaches the application layer.
This is a simple protection, but it's one that many small CRM tools get wrong. A misconfigured CORS policy (or worse, a wildcard policy that allows all origins) is an open door for cross-site request forgery attacks. Our allowlist is explicit, reviewed regularly, and enforced at both the CDN and API levels.
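An explicit-origin allowlist, as an added example rather than SalesSheet's configuration: the origins listed are assumptions, and the function is framework-agnostic so the decision logic can be read and tested on its own. The mistake it is written to avoid is matching origins by substring or suffix, which a look-alike domain passes.

```javascript
// Added example (not SalesSheet's code): CORS allowlist decision for an API.
// The allowlist entries below are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://app.salessheet.example", // assumed production origin
  "http://localhost:5173",          // assumed local development origin
]);

// Return the CORS response headers for a request, or null when the origin is
// not on the allowlist. With null, no CORS headers are sent at all and the
// browser refuses to hand the response to the cross-origin page.
function corsHeadersFor(origin, method, allowlist = ALLOWED_ORIGINS) {
  // Exact match only. A suffix check such as origin.endsWith("salessheet.example")
  // is the classic bug: "https://evil-salessheet.example" would pass it.
  // Never reflect the Origin header unconditionally, and treat the literal
  // "null" origin (sandboxed iframes, file:// pages) as not allowed.
  if (typeof origin !== "string" || origin === "null" || !allowlist.has(origin)) {
    return null;
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,        // never "*" when credentials are used
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                              // shared caches must key on Origin
  };
  if (method === "OPTIONS") {
    // Preflight: state exactly which methods and headers the API accepts.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Minimal Node http request handler wiring (usage; no server is started here).
function handleRequest(req, res) {
  const cors = corsHeadersFor(req.headers.origin, req.method);
  if (cors) for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    res.writeHead(cors ? 204 : 403);
    return res.end();
  }
  // CORS only governs what a browser page may read; authentication and
  // per-request authorization still run for every request from here on.
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

Two checks worth keeping in the test suite for a policy like this: a look-alike origin that contains the real hostname as a prefix or suffix must get no headers, and `Access-Control-Allow-Origin` must never come back as `*` on an endpoint that accepts cookies or an Authorization header.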
Layer 4: Server-Side AI Processing
This is where most AI-powered CRMs cut corners. When your CRM uses AI features — chat, enrichment, email drafting — those AI model calls require API keys. The question is: where do those calls happen?
If AI calls happen client-side (in the browser), the API keys must be present in the frontend code. Anyone who opens browser developer tools can see them. This is a security nightmare. A leaked AI API key can be used to make thousands of dollars in unauthorized API calls.
SalesSheet processes every AI interaction server-side. When you send a message to the AI chat, your request goes to our server, which calls the AI model and returns the response. The API keys never touch the browser. There's no prompt leakage, no key exposure, no way for a client-side attacker to abuse your AI quota.
Layer 5: Row-Level Security
Row-Level Security (RLS) is the database-level guarantee that users can only access data belonging to their organization. It's implemented as a PostgreSQL policy that automatically filters every query based on the authenticated user's organization ID.
This means that even if there's a bug in the application code that fails to filter by organization, the database itself enforces the boundary. RLS is the last line of defense against data leakage between tenants. It's the kind of protection that enterprise CRMs charge thousands for, and we consider it non-negotiable.
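What that policy looks like, and how a request tells the database which organization is calling, as an added example rather than SalesSheet's schema: the table, column and setting names are assumptions, and the recording client at the end stands in for a real PostgreSQL connection so the example runs offline. The important details are that the policy applies even to the table owner, that the organization id comes from the authenticated session, and that the setting is transaction-local so it cannot leak to the next request on a pooled connection.

```javascript
// Added example (not SalesSheet's code): PostgreSQL row-level security for
// tenant isolation, plus the request-scoped wrapper that sets the tenant.

// DDL applied once. FORCE makes the policy apply to the table owner as well,
// and the policy reads the organization id from a transaction-local setting.
// current_setting(..., true) returns NULL instead of erroring when unset, so a
// connection with no tenant set sees no rows at all.
const RLS_DDL = `
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;
CREATE POLICY contacts_by_org ON contacts
  USING (org_id = current_setting('app.current_org', true)::uuid)
  WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Run `work` inside a transaction in which app.current_org is set from the
// authenticated session's organization. set_config(..., true) is
// transaction-local, so COMMIT or ROLLBACK clears it before the pooled
// connection serves anyone else.
async function withOrgScope(client, orgId, work) {
  if (!UUID_RE.test(String(orgId))) throw new Error("invalid organization id");
  await client.query("BEGIN");
  try {
    // Bound parameter, not string interpolation, even for a validated value.
    await client.query("SELECT set_config('app.current_org', $1, true)", [orgId]);
    const result = await work(client);
    await client.query("COMMIT");
    return result;
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}

// Application code queries without an org_id filter. With the policy in
// place, a handler that forgets the WHERE clause still sees only its tenant.
async function listContacts(client, orgId) {
  return withOrgScope(client, orgId, async (c) => {
    const result = await c.query("SELECT id, name, company FROM contacts ORDER BY name");
    return result.rows;
  });
}

// Fake client for running the example without a database. It records the
// statements it receives, in order, and returns the constructed rows.
function createRecordingClient(rows = []) {
  const log = [];
  return {
    log,
    async query(text, params) {
      log.push({ text: text.trim(), params });
      return { rows };
    },
  };
}
```

With a real client (the `pg` package's `Client` or a pool checkout) the same `withOrgScope` works unchanged; a useful integration test is to set one organization, insert a row for a different `org_id`, and confirm the `WITH CHECK` clause rejects it.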
Why Security Shouldn't Be a Paid Upgrade
The CRM industry's pricing model treats security as a luxury. Need SSO? Pay for Enterprise. Need audit logs? Pay for Enterprise. Need compliance features? You guessed it — Enterprise tier.
This creates a perverse incentive where the smallest businesses — the ones least likely to have a security team reviewing their tools — end up with the weakest protections. They're the most vulnerable and the least protected.
Every security feature we've described in this post is available at our $50/month price point. We believe that the size of your budget shouldn't determine the size of your attack surface. Whether you're a solo founder or a 50-person team, your contact data deserves the same level of protection.
"Security is not a feature. It's a foundation. You don't charge extra for the locks on the door."
That's the principle behind how we build SalesSheet. Every layer — PKCE, XSS protection, CORS allowlisting, server-side AI, RLS — is built in from day one, tested continuously, and available to everyone. No enterprise tier required.
Enterprise Security. Startup Pricing.
Every security layer included at every pricing tier. No upgrades, no upsells, no compromises.
Try SalesSheet Free — No Credit Card