Skip to content
Blog

Practical website security, explained

The issues our scanners find every day — exposed secrets, missing headers, open databases, spoofable email — in plain language, with fixes you can ship. No fear-mongering; attackers automate, so every gap matters.

Start here · guides · 6 min read

The Website Security Checklist for AI-Built Apps (2026)

Shipped an app with Cursor, Lovable, Bolt or v0? Run this 12-point security checklist before your users — or an attacker — find what you missed.

Read the checklist

exposure · Jul 10, 2026

Exposed .env and .git Files: The #1 Way Websites Leak Secrets

An exposed .env or .git folder hands attackers your database credentials and API keys. Learn how it happens, how to check, and how to fix it.

5 min read

secrets · Jul 10, 2026

API Keys in Your JavaScript Bundle: How to Find and Fix Them

Anything in your frontend JavaScript is public. Learn which API keys are safe to ship, which never are, and how to find leaks in your built bundle.

6 min read

backend · Jul 10, 2026

Supabase Security: RLS, Anon Keys, and the service_role Mistake

Your Supabase anon key is meant to be public — RLS is the real gate. Learn the two mistakes that expose your entire database and how to fix them.

6 min read

headers · Jul 10, 2026

HTTP Security Headers Explained: CSP, HSTS, and the Rest

Plain-English guide to HTTP security headers: CSP, HSTS, X-Frame-Options and more — recommended values, checks, and copy-paste fixes for your platform.

7 min read

tls · Jul 10, 2026

SSL/TLS Mistakes That Still Break Websites in 2026

Expired certs, legacy TLS 1.0, weak ciphers, missing HTTPS redirects — the SSL/TLS mistakes that still take sites down in 2026, and how to fix each one.

7 min read

cookies · Jul 10, 2026

Cookie Security: Secure, HttpOnly, and SameSite Explained

What Secure, HttpOnly, and SameSite actually do, why session cookies need them, and how to set cookie flags correctly in any framework.

7 min read

dns · Jul 10, 2026

SPF, DKIM, DMARC: Stop Attackers From Sending Email as Your Domain

Without SPF, DKIM, and DMARC, anyone can send email as your domain. A plain-words guide to email authentication, with example records and a rollout plan.

7 min read

dns · Jul 10, 2026

Subdomain Takeover: The Forgotten DNS Record That Hands Over Your Domain

A CNAME pointing at a deleted cloud service lets someone else publish content on your subdomain. How takeovers happen, how to check, how to fix.

6 min read

cors · Jul 10, 2026

CORS Misconfigurations: When Access-Control-Allow-Origin Goes Wrong

Most CORS 'fixes' quietly open your API to every website. What the headers mean, the dangerous patterns, and safe configs for Next.js and Express.

6 min read