Guides
Practical walk-throughs for the vulnerabilities we catch most often in AI-built Next.js + Supabase apps. Each guide covers what the bug is, a working exploit, the fix, and how Securie catches it automatically.
Supabase RLS (Row Level Security) misconfiguration — detect, exploit, and fix
Row Level Security bypass is the most common data leak in vibe-coded apps. Here is exactly how it happens, how attackers find it, and how to fix it in Next.js + Supabase with one policy update.
Broken Object-Level Authorization (BOLA) in Next.js apps
BOLA is the top item on the OWASP API Security Top 10 for a reason — every AI coding assistant introduces it by default. Learn what it looks like in Next.js, how to exploit it, and how to fix it.
Insecure Direct Object Reference (IDOR) — what it is and how to prevent it
IDOR is the classic name for an authorization bug where a user can change an ID in a URL and access data they should not see. It is BOLA's older cousin and still ships in half of all new apps.
Leaked API keys in Next.js — the most common vibe-coded mistake
Every week founders tweet about their OpenAI bill going from $10 to $10,000 overnight. Usually the cause is an API key committed to a public repo. Here is why it happens in Next.js specifically and how to stop it in five minutes.
Prompt injection in AI apps — how attackers hijack your agents
Your AI chatbot or tool-using agent can be tricked into leaking data, calling the wrong tools, or taking destructive actions — often through a single crafted email or document. Here is how prompt injection works and how to defend.
Vibe coding security risks — the 2026 field guide
Vibe coding (AI-generated apps shipped with minimal human review) has a security problem. Here is a grounded look at what actually breaks, with dated public incidents, and the controls that work.
Rate limiting in Next.js — the correct way in 2026
Unlimited API endpoints are how $150K OpenAI bills happen. Here is how to add proper rate limiting to a Next.js app using Vercel Edge Middleware, Upstash, or your existing Redis.
Webhook signature verification — Stripe, GitHub, Clerk, everyone
If your webhook endpoint skips signature verification, an attacker can trigger any downstream action you code — refunds, subscription changes, user upgrades. Here is how to verify signatures correctly for the five most common webhook providers.
CORS misconfiguration — how `Access-Control-Allow-Origin: *` breaks your app
CORS is one of the most misunderstood security headers. Here is exactly when `*` is safe, when it is catastrophic, and how to configure CORS correctly for a Next.js + Supabase stack.
Secure cookies in Next.js — HttpOnly, Secure, SameSite explained
Misconfigured cookies are how session tokens leak. Here is exactly which flags to set for session, CSRF, and preference cookies in a Next.js app.
Secure file uploads in Next.js — content type, size, storage, serving
File uploads are the most commonly mishandled feature in AI-built apps. Here is the five-step pattern for uploading user files safely.
SSRF prevention in Node.js — validate the resolved IP, not the URL string
SSRF (Server-Side Request Forgery) is how attackers reach your cloud metadata service and internal APIs through your public endpoints. Here is the correct defense.
SQL injection prevention in Node.js — parameterize everything
SQL injection is a solved problem — and AI coding assistants keep re-introducing it. Here are the exact patterns to watch for in Prisma, Supabase, Drizzle, and raw pg.
CSRF protection in Next.js — when you need it, when you don't
Next.js App Router apps often skip CSRF protection because their authors assume SameSite cookies are enough. They are not always enough. Here is the specific rule.
XSS in React — dangerouslySetInnerHTML and the specific bugs we see
React escapes interpolations by default, which eliminates 95% of XSS. The remaining 5% kills apps. Here are the exact patterns that slip through.
JWT verification — the five ways apps get it wrong
JWTs are only as secure as your verification. Missing issuer check, missing expiration check, `alg: 'none'`, and algorithm confusion all still ship in AI-generated code.
Secrets management — where to actually store your API keys
Not in .env files. Not in localStorage. Here is the 2026 guide to storing and accessing secrets in a small-team Node.js / Python app.
Security headers for Next.js — CSP, HSTS, and the full list
A complete reference for the security headers your Next.js app should ship with. Configured via next.config.mjs in minutes.
OAuth + OIDC security — the PKCE and state checks you cannot skip
Most OAuth bugs come from skipping PKCE, ignoring state, or accepting tokens issued for a different client. Here is the correct implementation in a Next.js + NextAuth app.
Password hashing — Argon2id is the answer; here is how
If you still store passwords, you must hash them with a memory-hard function. Here is how to configure Argon2id correctly in a Node.js or Python backend.
API key rotation — how to rotate without downtime
Rotating an API key without taking your app down requires a specific dual-read single-write sequence. Here is the exact pattern.
Session security — revocation, idle timeout, rotation
A logged-in user is a trust decision you made at login. Sessions need explicit policies for idle timeout, absolute timeout, revocation, and rotation.
GDPR for indie SaaS — the minimum viable compliance playbook
You're a one-person SaaS with a handful of EU customers. Do you need to be GDPR compliant? Yes. Here's the minimum viable version — what to collect, what to publish, what to skip until you're bigger.
EU AI Act for AI-built apps — what to ship before August 2026
The EU AI Act's second enforcement wave lands August 2026. If your product uses a large language model — directly or via a wrapper — here is what you need to publish, document, and do before the deadline.
CCPA / CPRA for SaaS — what you actually have to do
California's privacy law applies to any SaaS that has a paying Californian customer. Here's the minimum viable compliance checklist, written for founders who've never done it before.
HIPAA for startups — when you need it, when you don't, how to start
If your SaaS touches any health information — wearables, mental-health apps, telehealth — you may be subject to HIPAA. Here is how to tell if you are in scope, what it takes to comply, and when to just say no.