What can a stranger see on your site?
Real explanations of what you expose without meaning to, what an attacker does with it, and the one-line fix for each. No jargon for its own sake, no scare tactics, just what's actually reachable from outside.
The secrets hiding in your JavaScript
API keys, tokens, and credentials that shipped to the browser by accident.
12 articles
The files you forgot you deployed
The .env, the backup, the .git folder anyone can download with a URL.
15 articles
What an attacker sees before they touch your site
Everything an outsider learns about you without sending a single malicious request.
11 articles
The admin panel you left unlocked
phpMyAdmin, Grafana, debug toolbars, and error pages open to the world.
13 articles
HTTPS, TLS, and the headers that protect your visitors
Redirects, certificates, CSP, cookies, and CORS done right.
12 articles
Email spoofing and DNS you never configured
SPF, DMARC, CAA, and the dangling subdomain someone can claim.
8 articles
Outdated and unverified code on your pages
Old libraries with public exploits, and third-party scripts with no integrity check.
8 articles
Shipping fast without shipping holes
A founder's playbook for catching this before your first user does.
6 articles