Blog

Notes on shipping secure code

Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.

🛡️ Cross-Site Scripting (XSS): The Bug That Hides in Plain Sight

XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.

🛡️ A Practical Guide to Preventing SQL Injection in Django

SQL injection is still the most common way Django apps get breached in 2026 — almost always through .raw(), .extra(), or a stray f-string, never through the ORM itself.

🛡️ Why AI-Generated Code Needs a Security Pass Before It Ships

AI coding assistants are excellent at making code that runs. They're not evaluating whether it's safe to expose to the internet — that part is still on you.

🛡️ JWT Authentication: The Mistakes That Undo the Whole Point

JWTs are self-contained by design, which is exactly what makes a handful of small implementation mistakes turn into full authentication bypasses.

🛡️ OWASP Top 10, Explained for Working Developers

The OWASP Top 10 gets cited constantly in security tooling, but most of it reads like a compliance checklist. Here's what each category actually means for the code you write day to day.

🛡️ CORS Misconfiguration: What Access-Control-Allow-Origin: * Actually Costs You

Setting Access-Control-Allow-Origin to * is the fastest way to silence a CORS error during development — and one of the easiest security decisions to forget to undo.

🛡️ Why Hardcoded API Keys Keep Ending Up in Production

It's the single most common finding in almost every codebase we scan. Not because developers don't know better, but because the environment-variable version is one extra step slower during a demo.

🛡️ Insecure Deserialization in Python: Why pickle.load() Can Run Arbitrary Code

pickle.load() doesn't just read data back into memory — for untrusted input, it can execute arbitrary Python as a side effect of loading it.

🛡️ CSRF Protection in Django: What It Actually Does

Almost every Django developer has typed {% csrf_token %} without stopping to ask what it's actually defending against, or what @csrf_exempt quietly removes.

Page 1 of 2 Next →