Blog

Notes on shipping secure code

Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.

🛡️ Cross-Site Scripting (XSS): The Bug That Hides in Plain Sight

XSS survives because it looks harmless in the editor — it only becomes obvious once someone else's browser runs your attacker's script instead of your app.

🛡️ CORS Misconfiguration: What Access-Control-Allow-Origin: * Actually Costs You

Setting Access-Control-Allow-Origin to * is the fastest way to silence a CORS error during development — and one of the easiest security decisions to forget to undo.

🛡️ Why Hardcoded API Keys Keep Ending Up in Production

It's the single most common finding in almost every codebase we scan. Not because developers don't know better, but because the environment-variable version is one extra step slower during a demo.

🛡️ Secure Password Storage: Beyond Just Hashing

"We hash passwords" isn't actually a complete answer. Which algorithm, how it's salted, and how comparisons happen all matter just as much as the fact that hashing happens at all.