Blog

Notes on shipping secure code

Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.

🛡️ A Practical Guide to Preventing SQL Injection in Django

SQL injection is still the most common way Django apps get breached in 2026 — almost always through .raw(), .extra(), or a stray f-string, never through the ORM itself.

🛡️ CSRF Protection in Django: What It Actually Does

Almost every Django developer has typed {% csrf_token %} without stopping to ask what it's actually defending against, or what @csrf_exempt quietly removes.