🛡️ Cross-Site Scripting (XSS): The Bug That Hides in Plain Sight
XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.
Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.
XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.
SQL injection is still the most common way Django apps get breached in 2026 — almost always through .raw(), .extra(), or a stray f-string, never through the ORM itself.
AI coding assistants are excellent at making code that runs. They're not evaluating whether it's safe to expose to the internet — that part is still on you.
JWTs are self-contained by design, which is exactly what makes a handful of small implementation mistakes turn into full authentication bypasses.
The OWASP Top 10 gets cited constantly in security tooling, but most of it reads like a compliance checklist. Here's what each category actually means for the code you write day to day.
Setting Access-Control-Allow-Origin to * is the fastest way to silence a CORS error during development — and one of the easiest security decisions to forget to undo.
It's the single most common finding in almost every codebase we scan. Not because developers don't know better, but because the environment-variable version is one extra step slower during a demo.
pickle.load() doesn't just read data back into memory — for untrusted input, it can execute arbitrary Python as a side effect of loading it.
Almost every Django developer has typed {% csrf_token %} without stopping to ask what it's actually defending against, or what @csrf_exempt quietly removes.