The blog

Teardowns, patterns, and fixes from real audits.

New post every Tuesday and Friday. We name failure modes, show the broken code AI tools actually generate, and link to the eight-line fixes. Subscribe via RSS.

  1. Our reference Lovable app leaked every user's data. The culprit was an off-by-default Supabase setting.

     A war story from one of our reference apps: how a Lovable-built SaaS shipped with Supabase Row-Level Security disabled, why we didn't see it immediately, and what the three-policy fix actually looks like.

  2. Anyone Can Forge Your Stripe Webhooks. Here's the 8-Line Fix.

     AI code generators consistently ship Stripe webhook handlers without signature verification. Here's why, what the bug looks like, and the exact code to fix it.