The blog

Teardowns and fixes from real audits.

New post every Tuesday and Friday. We name the failure mode, then show the broken code AI ships and link the fix. Subscribe via RSS.

  1. Our Lovable app leaked every user's data on day one

     How a Lovable-built SaaS shipped with Supabase RLS disabled, why we didn't see it immediately, and what the three-policy fix looks like.

  2. Anyone Can Forge Your Stripe Webhooks. Here's the 8-Line Fix.

     AI code generators consistently ship Stripe webhook handlers without signature verification. Here's why, what the bug looks like, and the exact code to fix it.