Practical website security, explained
The issues our scanners find every day — exposed secrets, missing headers, open databases, spoofable email — in plain language, with fixes you can ship. No fear-mongering; attackers automate, so every gap matters.
Start here · guides · 6 min read
The Website Security Checklist for AI-Built Apps (2026)
Shipped an app with Cursor, Lovable, Bolt or v0? Run this 12-point security checklist before your users — or an attacker — find what you missed.
Read the checklistexposure · Jul 10, 2026
Exposed .env and .git Files: The #1 Way Websites Leak Secrets
An exposed .env or .git folder hands attackers your database credentials and API keys. Learn how it happens, how to check, and how to fix it.
5 min readsecrets · Jul 10, 2026
API Keys in Your JavaScript Bundle: How to Find and Fix Them
Anything in your frontend JavaScript is public. Learn which API keys are safe to ship, which never are, and how to find leaks in your built bundle.
6 min readbackend · Jul 10, 2026
Supabase Security: RLS, Anon Keys, and the service_role Mistake
Your Supabase anon key is meant to be public — RLS is the real gate. Learn the two mistakes that expose your entire database and how to fix them.
6 min readheaders · Jul 10, 2026
HTTP Security Headers Explained: CSP, HSTS, and the Rest
Plain-English guide to HTTP security headers: CSP, HSTS, X-Frame-Options and more — recommended values, checks, and copy-paste fixes for your platform.
7 min readtls · Jul 10, 2026
SSL/TLS Mistakes That Still Break Websites in 2026
Expired certs, legacy TLS 1.0, weak ciphers, missing HTTPS redirects — the SSL/TLS mistakes that still take sites down in 2026, and how to fix each one.
7 min readcookies · Jul 10, 2026
Cookie Security: Secure, HttpOnly, and SameSite Explained
What Secure, HttpOnly, and SameSite actually do, why session cookies need them, and how to set cookie flags correctly in any framework.
7 min readdns · Jul 10, 2026
SPF, DKIM, DMARC: Stop Attackers From Sending Email as Your Domain
Without SPF, DKIM, and DMARC, anyone can send email as your domain. A plain-words guide to email authentication, with example records and a rollout plan.
7 min readdns · Jul 10, 2026
Subdomain Takeover: The Forgotten DNS Record That Hands Over Your Domain
A CNAME pointing at a deleted cloud service lets someone else publish content on your subdomain. How takeovers happen, how to check, how to fix.
6 min readcors · Jul 10, 2026
CORS Misconfigurations: When Access-Control-Allow-Origin Goes Wrong
Most CORS 'fixes' quietly open your API to every website. What the headers mean, the dangerous patterns, and safe configs for Next.js and Express.
6 min read