Custom Web Application Development

Production web applications engineered off the happy path. Auth, data integrity, permissions, and failure states are built from the first slice — because real traffic finds every gap the demo skipped.

Norseson builds custom web applications that do not rely on the happy path. Most web apps work in the demo. The difference shows up later: the double-click that charges twice, the URL that exposes another user’s data, the deploy that eats a table.

One lab, one protocol. Scope is mapped before code is written, the build ships in small auditable slices, and every irreversible action gets a failure test before launch.

What We Build

Production dashboards

Operational views over live data: metrics, queues, alerts. Built to stay correct when the data is late, partial, or wrong.

Client-facing platforms

Platforms your customers log into. Session handling, permissions, and tenant boundaries are tested before anyone outside the lab touches them.

SaaS products

Multi-tenant products from first commit to paying users. Billing, roles, and data isolation are architecture decisions, not a later milestone.

Booking & payment flows

Flows where money moves and double-charges are unacceptable. Idempotent by design and reconciled against the payment provider, never trusting the client.

Admin panels

The high-privilege surface where one wrong click matters. Every destructive action is logged, confirmed, and reversible where physics allows.

Offline-capable PWAs

Mobile-first apps that capture input on flaky networks. Writes queue locally and sync with conflict handling, so field data survives the dead zone.

How Web Apps Fail

These are the defects that surface after launch, in production, with real users. Each one has a defense that is designed in from the start — none can be bolted on after the incident.

DUPLICATE_SUBMISSION

A user double-clicks submit, or a flaky network retries the request. Two orders, two charges, two records.

Counter: Every mutating endpoint accepts an idempotency key. The disabled button is a courtesy; the server-side dedupe is the defense.

STALE_CLIENT_STATE

The browser renders data that changed minutes ago. The user edits it, and the write lands on top of someone else’s.

Counter: Writes carry a version. The server rejects updates against stale state instead of silently overwriting, and the client revalidates on focus.

BROKEN_PAYMENT_FLOW

The charge succeeds but the order never saves. The customer paid and holds nothing.

Counter: Provider webhooks are the source of truth, not the redirect. A reconciliation job compares charges to records and flags any orphan within minutes.

PERMISSION_LEAK

A regular user constructs a URL and reaches an admin mutation. The framework allowed it because only the menu was hidden.

Counter: Authorization is enforced at the data layer — row-level security plus route guards — and every role-endpoint pair has a test that tries to break in.

DATA_LOSS_ON_DEPLOY

A deploy runs a migration that drops or rewrites live rows. The backup exists; the restore has never been run.

Counter: Migrations follow expand-and-contract, destructive steps ship separately from code, and restores are rehearsed before launch — not during the incident.

UNHANDLED_FAILURE_STATE

A fetch fails and the page renders blank. The user retries blind, or leaves.

Counter: Loading, empty, and error states are designed in the prototype phase. Every remote call has a defined failure rendering and a retry path.

These are not edge cases. They are the default behavior of web applications that were only tested on the happy path.

Build Protocol

01

Discovery & Risk Mapping

Define the product, users, data, permissions, and irreversible actions. Output is scope and a failure map.

1-2 wk
02

Prototype & Architecture

Core UX, database shape, API boundaries, deployment plan. Tradeoffs are decided here, on paper, where they are cheap.

1-3 wk
03

Build & Verify

Small auditable slices. Permissions, persistence, edge cases, and failure states are tested as they ship, not at the end.

3-10 wk
04

Launch & Harden

Production deploy, monitoring, recovery runbooks, security boundaries tightened against real traffic.

1-2 wk
05

Iterate

Real usage drives the roadmap: fixes, hardening, new capability. Most clients keep a monthly retainer here.

Ongoing
Read the full protocol →

Stack

frontend

Next.js, React, TypeScript

App Router, server components, typed end to end.

backend

Node

Server actions and API routes. Explicit contracts at every boundary.

data

PostgreSQL / Supabase

Row-level security, migrations under version control, tested restores.

infra

Vercel / managed infra

Monitoring and alerting from launch day, not after the first incident.

Constraint:

The stack is deliberately boring. Proven tools fail in documented ways; novel infrastructure fails during your incident. New technology enters a build when it removes risk, not when it is interesting.

Questions

How much does a custom web application cost?
Most Norseson builds land between $10k and $50k+, depending on scope, integrations, and the failure modes the system has to survive. Complex platforms go beyond that. Scope is priced after Discovery, not guessed on a call. Read the cost breakdown
How long does a custom web application take to build?
The build phase runs 3-10 weeks. The full lifecycle — Discovery through Launch & Harden — typically lands between 6 and 16 weeks, depending on scope and integration count.
Do you work with existing codebases?
Yes. Discovery includes a technical review of what exists: architecture, data model, permission boundaries, and the failure modes already in production. The plan builds on what is sound and replaces what is not.
Who owns the code?
You do. Full repository handover, infrastructure under your own accounts, documentation for whoever maintains it next. No lock-in by design.
What stack do you use?
Next.js, React, and TypeScript on the frontend; Node on the backend; PostgreSQL or Supabase for data; deployed on Vercel or managed infrastructure. Boring, proven, and documented — chosen so the system outlives the engagement.
Do you offer retainers after launch?
Yes. The Iterate phase is ongoing by design, and most clients keep a monthly retainer for hardening, new features, and monitoring. The system keeps an owner after launch.

Scope, risks, and cost are defined in Discovery — before any code is written. The first step is a conversation about your system.