Your application is vulnerable, and you don't even realize it.
Hackers have special vision. They don't see websites the way others do.
If you don't understand that, your defenses are useless.
Let me show you 🧵
@JerDykNotion Finish the whole chain before calling it quits (do the marketing, do the copywriting, do the CRO, do the sales calls...).
I wouldn't care if it was successful or not. I would care more about learning the skills I mentioned above.
To be honest, I tried codex for a little bit, and I was surprised by how few vulnerabilities it produced.
The main issue with AI code is that it doesn't get context. Especially if you give it an existing project and then tell it to add features. If you don't tell it who should be able to do what, it introduces logical vulnerabilities.
Didn't get around to testing other AI solutions though. I'm curious to hear your experience.
We don't hire "performance specialists" to avoid infinite loops.
Security is the same.
It's not a job title. It's a baseline skill every developer should own.
"We'll do a security audit before launch". No, you won't.
You'll launch. Get busy. Delay the audit. Ship the next feature.
Security is not a pre-launch checklist. It's a habit.
Junior devs don't make security mistakes. Untrained devs do.
The junior dev who pushed AWS credentials to a public repo wasn't careless.
Nobody showed him why it mattered. No .gitignore. No pre-commit hook. No onboarding.
Blame the system, not the person.
One XSS vulnerability. Every user session gone.
localStorage is convenient for JWTs.
It's also readable by any JavaScript on your page.
If an attacker can inject JS code, he'll be able to steal all the users' sessions.
httpOnly cookies can't be touched by JS. Use them instead.
The one-liner that turns your login form into real auth.
If a user can attempt your login form 10 000 times without hitting a wall, you don't have auth. You have a suggestion.
Rate limiting. Add it.
Your framework is not your security team.
React escapes your output. Laravel sanitizes your queries. That's it.
Broken access control, business logic flaws, insecure APIs. Your framework has no idea those exist.
Thinking you're covered is worse than knowing you're not.
Your logs are trying to tell you something.
Most breaches show up in the error logs before anyone notices.
Failed logins at 3am. Unexpected 500s on the payment endpoint. The same IP hitting every admin route.
The devs who read logs catch it first.
Are you one of them?
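A small defender-side check for the three signals named above (failed-login bursts, 5xx on the payment endpoint, one IP sweeping admin routes), as an added Python example that is not part of the thread. The access-log layout, the thresholds, the payment path prefixes and the sample lines are all assumptions or constructed data.

```python
import re
from collections import Counter, defaultdict

# Assumed log layout: common/combined access-log lines (ip ... [ts] "METHOD path ..." status ...).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
FAILED_LOGIN_THRESHOLD = 5      # failed /login attempts from one IP before flagging (assumed)
ADMIN_ROUTE_THRESHOLD = 3       # distinct /admin/* routes one IP has to probe (assumed)
PAYMENT_PREFIXES = ("/pay", "/checkout")  # assumed payment endpoints

def parse(log_text):
    """Yield one record per well-formed line; lines the regex cannot read are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "status": int(m.group("status"))}

def analyze(log_text):
    failed_logins, admin_paths, payment_errors = Counter(), defaultdict(set), []
    for r in parse(log_text):
        if r["path"].startswith("/login") and r["status"] in (401, 403):
            failed_logins[r["ip"]] += 1            # repeated auth failures from one address
        if r["path"].startswith("/admin"):
            admin_paths[r["ip"]].add(r["path"])    # breadth of admin routes touched per address
        if r["path"].startswith(PAYMENT_PREFIXES) and 500 <= r["status"] < 600:
            payment_errors.append((r["ts"], r["ip"], r["path"], r["status"]))
    return {
        "failed_login_bursts": {ip: n for ip, n in failed_logins.items() if n >= FAILED_LOGIN_THRESHOLD},
        "admin_scanners": {ip: sorted(p) for ip, p in admin_paths.items() if len(p) >= ADMIN_ROUTE_THRESHOLD},
        "payment_errors": payment_errors,
    }

# Constructed sample (not real traffic): a 3am login burst, an admin sweep, a checkout 500, one benign hit.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [12/May/2024:03:02:{10 + i:02d} +0000] "POST /login HTTP/1.1" 401 0' for i in range(5)]
    + [
        '198.51.100.7 - - [12/May/2024:03:05:00 +0000] "GET /admin/users HTTP/1.1" 404 0',
        '198.51.100.7 - - [12/May/2024:03:05:01 +0000] "GET /admin/config HTTP/1.1" 404 0',
        '198.51.100.7 - - [12/May/2024:03:05:02 +0000] "GET /admin/backup HTTP/1.1" 404 0',
        '192.0.2.44 - - [12/May/2024:09:10:00 +0000] "POST /checkout HTTP/1.1" 500 0',
        '192.0.2.44 - - [12/May/2024:09:10:05 +0000] "GET /products HTTP/1.1" 200 0',
    ]
)

if __name__ == "__main__":
    for signal, hits in analyze(SAMPLE_LOG).items():
        print(signal, hits)
```

Point `analyze` at a real log file's contents and tune the thresholds to your traffic; unparseable lines are skipped rather than raising.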
Learning web security ruins you. In a good way.
Me before learning web security: "nobody's targeting my app"
Me after: rate limiting on the contact form
"We have SSL so we're safe." No, you're not.
HTTPS means the envelope is sealed. Not that what's inside is safe.
SQL injection, XSS, broken auth... None of it cares about your SSL cert.
Your login page is being scanned right now.
"My site is too small to be hacked."
Bots don't care about your size. They scan millions of URLs looking for unprotected login pages. Yours included.
No rate limiting? You're already being probed.