A web application is different from a website. Most developers build one or the other.
Web applications have user authentication, persistent data, real-time state, and business logic that runs on a server. A developer who builds marketing websites and a developer who builds web applications use entirely different skill sets. We build web applications. Fixed scope, fixed price.
You need a developer who builds real web applications — not someone who will try to stretch a website builder into a product with users, data, and complex logic.
The distinction between a website and a web application matters for developer selection. A website is primarily content delivery — pages that render HTML for visitors. A web application is a software product that runs in a browser — it has users who authenticate, data that persists between sessions, state that updates in real time, and business logic that runs on a server and is protected from manipulation.
Website developers and web application developers have different skill sets and different toolchains. A website developer who is excellent at performance-optimised HTML/CSS/JS delivery, CMS integration, and landing page conversion optimisation may have limited experience with authentication systems, database design, API security, and the failure modes of stateful server-side logic. Hiring the wrong type of developer for a web application is a common and expensive mistake — the person produces something that looks like a web application but lacks the security, scalability, and correctness properties of a real one.
The technical indicators of a web application built by someone without web application experience are: authentication tokens kept in local storage (readable by any script running on the page, so exposed to XSS) rather than in httpOnly cookies; API endpoints that don't validate the requesting user's permissions (any authenticated user can access any user's data by guessing the ID); database queries that follow N+1 patterns and collapse under load; and error states that expose raw database errors to the user (leaking schema information to potential attackers).
A production web application with authentication, a robust data layer, business logic implemented correctly server-side, and the deployment infrastructure to handle real traffic.
Server-side authentication
Clerk for user management with session tokens validated server-side on every API request. No client-side authentication state as the single source of truth — the server validates the session on every request. CSRF protection, XSS protection, and secure cookie configuration.
Authorisation and access control
Every API endpoint validates not just that the user is authenticated, but that they are authorised to access the specific resource being requested. Row-level security in Postgres for data layer enforcement. Role-based access control for multi-user applications with different permission levels.
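The per-resource check described here, together with two of the indicators listed earlier (data reachable by guessing an ID, raw database errors in responses), shown as a weak handler beside a hardened one. This is an added example, not code from this page's author: the `invoices` data, the handler names and the session shape are constructed, and a `Map` stands in for a Postgres table.

```javascript
// Constructed sample data; a Map stands in for an "invoices" table.
const invoices = new Map([
  [101, { id: 101, ownerId: "user_a", total: 4200 }],
  [102, { id: 102, ownerId: "user_b", total: 990 }],
]);

// Stand-in for a database call; throws the way a driver would on bad input.
function findInvoice(id) {
  if (!Number.isInteger(id)) {
    throw new Error('invalid input syntax for type integer: "' + id + '" (table invoices)');
  }
  return invoices.get(id) ?? null;
}

// Weak: checks only that a session exists, then trusts the ID from the request.
function getInvoiceUnsafe(session, id) {
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  try {
    return { status: 200, body: findInvoice(id) };
  } catch (err) {
    return { status: 500, body: { error: err.message } }; // leaks schema detail
  }
}

// Hardened: authenticated AND authorised for this specific row.
function getInvoice(session, id, log = []) {
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  let row;
  try {
    row = findInvoice(id);
  } catch (err) {
    log.push(err.message); // detail stays in the server-side log
    return { status: 500, body: { error: "internal error" } };
  }
  const allowed = row && (row.ownerId === session.userId || session.role === "admin");
  // Same 404 for "missing" and "not yours", so IDs cannot be enumerated.
  if (!allowed) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: row };
}
```

With row-level security enabled in Postgres, the database would refuse the same cross-user read even if a handler forgot the check.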
Data layer
PostgreSQL with appropriate schema design, indexes for query performance, foreign key constraints for referential integrity, and database migrations managed in version control. Type-safe database access via Drizzle ORM.
Server-side business logic
Business logic implemented server-side in API routes — not in client-side JavaScript that can be inspected and manipulated. Validation on every input. Rate limiting on sensitive endpoints. Idempotency for operations that must not be duplicated (payment processing, email sending, order creation).
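One way to combine server-side validation with idempotency for order creation, as an added example rather than this page's own code. The `createOrder` handler, the `PRICES` table and the key format are hypothetical, and an in-memory `Map` stands in for a table with a unique index on user and key.

```javascript
// Constructed price list; the server owns prices, the client only names a SKU.
const PRICES = new Map([["sku-basic", 1500]]);
const seen = new Map(); // "userId:key" -> { fingerprint, response }
const orders = [];

// Stable fingerprint of the request body (keys sorted, so field order is irrelevant).
function fingerprint(body) {
  return JSON.stringify(Object.keys(body).sort().map((k) => [k, body[k]]));
}

function createOrder(session, idempotencyKey, body) {
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  if (typeof idempotencyKey !== "string" || idempotencyKey.length < 16) {
    return { status: 400, body: { error: "idempotency key required" } };
  }
  // Validate every input server-side; any client-supplied total is ignored.
  const qty = body.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > 100 || !PRICES.has(body.sku)) {
    return { status: 422, body: { error: "invalid order" } };
  }
  const slot = session.userId + ":" + idempotencyKey; // keys are scoped per user
  const fp = fingerprint(body);
  const prior = seen.get(slot);
  if (prior) {
    // Retry of the same request: replay the stored result, create nothing new.
    if (prior.fingerprint === fp) return prior.response;
    // Same key with a different payload: refuse rather than guess.
    return { status: 409, body: { error: "key reused with different request" } };
  }
  // In a real database this check-and-insert must be atomic (unique constraint).
  const order = {
    id: orders.length + 1,
    userId: session.userId,
    sku: body.sku,
    quantity: qty,
    totalCents: PRICES.get(body.sku) * qty,
  };
  orders.push(order);
  const response = { status: 201, body: order };
  seen.set(slot, { fingerprint: fp, response });
  return response;
}
```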
Real-time capabilities where needed
WebSocket connections for live collaborative features, real-time notifications, or live data dashboards. Server-Sent Events for one-way real-time updates (activity feeds, live counts). The correct tool for the required update pattern.
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
Brief & discovery.
We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
Build & ship.
Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.
Warranty & retainer.
30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
A web application has a defined feature set, a defined data model, and defined security requirements. Fixed scope, fixed price — with the security and correctness properties specified as part of the scope.
Related engagements.
The Next.js developer you're searching for on LinkedIn is probably not available. This one is.
You have the SaaS idea. We build the production MVP while you close your first customers.
No-code tools are the right starting point. Custom development is the right endpoint.
Questions, answered.
No-code tools like Bubble abstract away the server-side implementation, which makes them accessible to non-technical builders. The cost is a data model and business logic layer that can't be audited, can't be migrated, and can't be extended beyond what the platform's abstraction allows. A custom web application gives you a codebase you own, a database schema you control, and the ability to extend or migrate to any platform at any point.
Yes — integration with existing databases (read-only or read-write), existing REST or GraphQL APIs, webhooks from third-party systems, and data import from CSV or external systems are common project components. The integration scope is defined upfront.
Security is a baseline requirement, not an optional feature. Every application includes: HTTPS enforcement, input validation and sanitisation, SQL injection prevention via parameterised queries, XSS prevention via React's default DOM escaping, CSRF protection, rate limiting on authentication and sensitive endpoints, and error handling that never exposes internal implementation details in production.
A production web application with auth, 4–8 features, integrations, and deployment typically runs $25k–$65k. Complex business logic, advanced real-time features, and regulatory compliance requirements add to the scope. Fixed-price.
8 to 14 weeks from specification to production deployment.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.