Fix guides
Security fixes, in plain English
30 step-by-step guides for the security issues we find most often in AI-built apps. Each one includes a copy-paste prompt for your AI coding tool.
- Critical: Exposed .env file
  An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
- Critical: Exposed .git directory
  An exposed .git directory lets attackers download your entire source history, including deleted secrets. Here is how to check and fix it.
- Critical: Supabase RLS disabled
  A Supabase table without RLS is readable (and often writable) by anyone with your anon key. Here is exactly how to turn on RLS and write your first policy.
- Critical: Exposed Supabase service key
  The service role key bypasses all security in Supabase. If it is in your client code, an attacker has full database access. Here is how to find and fix it.
- Critical: Firebase rules too permissive
  Firestore rules that allow unauthenticated reads or writes leave your database open to anyone. Here is how to write rules that actually protect your data.
- Critical: Hardcoded API key in JS
  Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
- Critical: Exposed Stripe secret key
  A leaked Stripe secret key means an attacker can charge your customers, refund payments, or drain your account. Rotate immediately.
- Critical: Exposed OpenAI API key
  OpenAI keys in client code get drained fast — attackers use them to run expensive models on your bill. Here is how to lock it down.
- Critical: Exposed Anthropic key
  Claude API keys (sk-ant-...) leaked in client code get drained like any other LLM key. Here is the fix.
- Critical: Exposed AWS credentials
  AKIA-prefixed AWS keys in a client bundle are a top-severity incident. Here is how to rotate, audit blast radius, and prevent recurrence.
- High: Missing CSP header
  A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
- High: Firebase config issues
  The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.
- High: CORS credentials misconfiguration
  Setting both Allow-Origin: * and Allow-Credentials: true is a dangerous misconfiguration. Here is why browsers block it and how to fix it correctly.
- High: Expired SSL certificate
  An expired certificate breaks your site — browsers show a big red warning. Here is how to renew and set up auto-renewal.
- Medium: Missing HSTS header
  HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
- Medium: Missing X-Frame-Options
  Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.
- Medium: Exposed source maps
  Source maps in production let anyone read your original, un-minified source code. Useful in dev, dangerous in prod. Here is how to disable them.
- Medium: Exposed Next.js build files
  Build artifacts like the .next directory, BUILD_ID, or server-side bundles should not be publicly reachable. Here is how to lock them down.
- Medium: CORS allows all origins
  An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
- Medium: Cookie missing Secure flag
  Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
- Medium: Cookie missing HttpOnly
  HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.
- Medium: Cookie missing SameSite
  SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
- Medium: Missing SPF record
  Without SPF, anyone can send email that looks like it came from your domain. Here is the one DNS record you need to stop that.
- Medium: Missing DMARC record
  DMARC tells receiving mail servers what to do with email that fails SPF or DKIM — quarantine, reject, or nothing. Here is how to set it up.
- Medium: Missing DKIM record
  DKIM signs your outgoing email so receivers can verify it was not tampered with. Here is how to enable it through your email provider.
- Medium: Weak SSL cipher
  TLS 1.0, TLS 1.1, or weak ciphers like RC4 or 3DES are vulnerable. Here is how to force modern TLS on Vercel, Cloudflare, and self-hosted servers.
- Medium: Mixed content warnings
  Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.
- Low: Missing X-Content-Type-Options
  X-Content-Type-Options: nosniff stops browsers from guessing file types and executing uploads as scripts. Every site should send it — here is how.
- Low: Missing Referrer-Policy
  Referrer-Policy controls how much URL information leaks when users click links out of your site. The default leaks too much. Here is what to set instead.
- Low: Missing Permissions-Policy
  Permissions-Policy controls which browser features (camera, microphone, geolocation) your site and its iframes can use. Default-allow is unsafe — lock it down.