Guides
Practical walk-throughs for the vulnerabilities we catch most often in modern production apps, especially AI-assisted Next.js + Supabase codebases. Each guide covers what the bug is, a working exploit, the fix, and how Securie catches it automatically.
Supabase RLS misconfiguration — detect, exploit, and fix
Row Level Security (RLS) bypass is the most common data leak in vibe-coded apps. Here is exactly how it happens, how attackers find it, and how to fix it in Next.js + Supabase with one policy update.
Broken Object-Level Authorization (BOLA) in Next.js apps
BOLA is the top item on the OWASP API Security Top 10 for a reason — every AI coding assistant introduces it by default. Learn what it looks like in Next.js, how to exploit it, and how to fix it.
Insecure Direct Object Reference (IDOR) — what it is and how to prevent it
IDOR is the classic name for an authorization bug where a user can change an ID in a URL and access data they should not see. It is BOLA's older cousin and still ships in half of all new apps.
Leaked API keys in Next.js — the most common vibe-coded mistake
Every week founders tweet about their OpenAI bill going from $10 to $10,000 overnight. Usually the cause is an API key committed to a public repo. Here is why it happens in Next.js specifically and how to stop it in five minutes.
Prompt injection in AI apps — how attackers hijack your agents
Your AI chatbot or tool-using agent can be tricked into leaking data, calling the wrong tools, or taking destructive actions — often through a single crafted email or document. Here is how prompt injection works and how to defend.
Vibe coding security risks — the 2026 field guide
Vibe coding (AI-generated apps shipped with minimal human review) has a security problem. Here is a grounded look at what actually breaks, with dated public incidents, and the controls that work.
Rate limiting in Next.js — the correct way in 2026
Unlimited API endpoints are how $150K OpenAI bills happen. Here is how to add proper rate limiting to a Next.js app using Vercel Edge Middleware, Upstash, or your existing Redis.
Webhook signature verification — Stripe, GitHub, Clerk, everyone
If your webhook endpoint skips signature verification, an attacker can trigger any downstream action you code — refunds, subscription changes, user upgrades. Here is how to verify signatures correctly for the five most common webhook providers.
CORS misconfiguration — how `Access-Control-Allow-Origin: *` breaks your app
CORS is one of the most misunderstood security headers. Here is exactly when `*` is safe, when it is catastrophic, and how to configure CORS correctly for a Next.js + Supabase stack.
Secure cookies in Next.js — HttpOnly, Secure, SameSite explained
Misconfigured cookies are how session tokens leak. Here is exactly which flags to set for session, CSRF, and preference cookies in a Next.js app.
Secure file uploads in Next.js — content type, size, storage, serving
File uploads are the most commonly mishandled feature in AI-built apps. Here is the five-step pattern for uploading user files safely.
SSRF prevention in Node.js — validate the resolved IP, not the URL string
SSRF (Server-Side Request Forgery) is how attackers reach your cloud metadata service and internal APIs through your public endpoints. Here is the correct defense.
SQL injection prevention in Node.js — parametrize everything
SQL injection is a solved problem — and AI coding assistants keep re-introducing it. Here are the exact patterns to watch for in Prisma, Supabase, Drizzle, and raw pg.
CSRF protection in Next.js — when you need it, when you don't
Next.js App Router apps often skip CSRF protection because they think SameSite cookies are enough. They are not always enough. Here is the specific rule.
XSS in React — dangerouslySetInnerHTML and the specific bugs we see
React escapes interpolations by default, which eliminates 95% of XSS. The remaining 5% kills apps. Here are the exact patterns that slip through.
JWT verification — the five ways apps get it wrong
JWTs are only as secure as your verification. Missing issuer check, missing expiration check, `alg: 'none'`, and algorithm confusion all still ship in AI-generated code.
Secrets management — where to actually store your API keys
Not in .env files. Not in localStorage. Here is the 2026 guide to storing and accessing secrets in a small-team Node.js / Python app.
Security headers for Next.js — CSP, HSTS, and the full list
A complete reference for the security headers your Next.js app should ship with. Configured via next.config.mjs in minutes.
OAuth + OIDC security — the PKCE and state checks you cannot skip
Most OAuth bugs come from skipping PKCE, ignoring state, or accepting tokens issued for a different client. Here is the correct implementation in a Next.js + NextAuth app.
Password hashing — Argon2id is the answer, here is how
If you still store passwords, you must hash them with a memory-hard function. Here is how to configure Argon2id correctly in a Node.js or Python backend.
API key rotation — how to rotate without downtime
Rotating an API key without taking your app down requires a specific dual-read single-write sequence. Here is the exact pattern.
Session security — revocation, idle timeout, rotation
A logged-in user is a trust decision you made at login. Sessions need explicit policies for idle timeout, absolute timeout, revocation, and rotation.
CCPA / CPRA for SaaS — what you actually have to do
California's privacy law applies to any SaaS that has a paying Californian customer. Here's the minimum viable compliance checklist, written for founders who've never done it before.
Next.js Server Actions security — the bugs everyone ships and the fixes
Server Actions are Next.js's RPC mechanism — async functions marked "use server" that run on the server but are called from client components. The convenience hides the risk: every Server Action is an unauthenticated public API endpoint by default. Here is the vulnerable pattern, the fix, and the audit checklist.
The Supabase service-role key — when to use it, when not to, and how it leaks
The service-role key bypasses every RLS policy you wrote. It exists for a reason; it leaks for many reasons. Here is the rule for when to use it, the patterns that leak it, and the recovery playbook when it does.
Vercel environment variables security — the rules and the leaks
Vercel environment variables have three flavors (development, preview, production) and two scopes (server-only and NEXT_PUBLIC_). Mixing them up leaks production secrets. Here is the rule and the canonical bugs.
MCP server security — scope, tool surface, and the prompt-injection routing problem
Model Context Protocol (MCP) servers expose tools to LLM agents — file reads, git commands, HTTP fetches, database queries. The risk surface is the tool catalogue: an LLM agent that can be made to call dangerous tools on a prompt-injection attacker's instruction is the canonical MCP failure. Here are the patterns that work and the ones that don't.
How to security-review AI-generated code (the 5 patterns to look for)
Cursor / Lovable / Bolt / Copilot wrote your code. It compiles, it works, you shipped it. Before you do the same thing tomorrow, here are the 5 security patterns AI-generated code gets wrong, with the visual signature for each so you can spot them in code review.
How to secure your MCP server — fingerprint pinning, scope locks, rug-pull defense
Model Context Protocol went 0 → 200,000+ servers in 9 months. The April 2026 Anthropic RCE flaw and the Invariant Labs tool-poisoning class disclosures forced every MCP-using team to harden their server hygiene. This guide walks the four attack classes (unknown-server smuggle, fingerprint drift, tool smuggle, scope escalation) and the operator-authored TOML catalog that closes them.
Defending MCP agents from indirect prompt injection (2026 playbook)
Indirect prompt injection — adversarial instructions embedded in data the agent reads — is the single most common attack class against MCP-using agents. Microsoft's Apr 2026 advisory and Unit42's MCP attack-vector taxonomy converged on the same defense: pre-prompt output sanitization, scope-bounded egress, and Llama Guard 4 classification. This guide ships the layered defense.
Detecting MCP server rug-pulls — when the tool catalog mutates after install
The rug-pull pattern: an MCP server ships a safe v1 catalog at install time, then mutates to a v2 catalog (with attacker-controlled tools) once it's running inside your trust boundary. Invariant Labs disclosed this class in 2025; the Apr 2026 Anthropic RCE incident exploited a related design flaw. This guide ships the fingerprint-pinning and signature-verification defense.
How Securie validates every MCP tool dispatch
Securie enforces operator-authored MCP catalogs at agent runtime. Three layers — a signed trusted-server catalog, a manifest validator, and a per-dispatch scope check — close the four attack classes (unknown-server smuggle, fingerprint drift, tool smuggle, scope escalation) before any MCP tool runs. This guide walks the architecture and the trust model.
Leaked API keys in Next.js — NEXT_PUBLIC_ prefix + client-bundle audit
NEXT_PUBLIC_-prefixed env vars ship in the client bundle. A server secret that is accidentally given the prefix becomes a bundled credential shipped to every visitor. Here's the detection and the fix.
Security headers in Next.js — HSTS, CSP, frame-ancestors, complete config
Vercel doesn't set security headers by default. HSTS, CSP, X-Frame-Options, and Permissions-Policy all need explicit config. Here's the canonical next.config.mjs.
CSRF protection on Next.js Server Actions
Server Actions accept cross-origin POSTs by default. Add an origin check or token validation.
Server Action auth guard — every Server Action needs session check
Server Actions execute server-side but have no auth by default. Add a session-required guard at the top of every protected action.
Environment variable hygiene — Vercel / Netlify / Fly / Railway
Per-platform env-var setup with NEXT_PUBLIC_ guidance, secret manager recommendations, and rotation cadence.
Supabase Storage bucket RLS — buckets need policies too
Tutorials leave storage buckets readable by default. Add RLS policies and signed URLs for downloads.
Preventing runaway OpenAI / Anthropic bills — spend caps + rate limits + monitoring
A documented Claude Opus victim case ran for 4.5 days at $50K. Spend caps, rate limits, and monitoring are existential.
Rate-limiting paid-API routes — Upstash, Cloudflare, edge-native
Every route that calls OpenAI, Stripe, Anthropic, or any other paid vendor needs per-IP and per-user rate limits. Edge-native rate limiting is the best fit for vibe-coded apps.
Securing Stripe webhooks — signature verification + idempotency
Stripe webhook handlers must verify the signature before processing an event; without verification, attackers can spoof events. Also covered: idempotency for retry safety.
JWT verification with explicit algorithm pin — defense against alg-confusion
Verify JWTs with an explicit algorithm, issuer, and audience. Default verify functions that accept multiple algorithms are the alg-confusion attack surface.
Using Supabase anon key safely — RLS-protected access only
The anon key is public by design; without RLS it's a skeleton key. The Lovable BOLA incident of Apr 2026 showed that 10.3% of apps got this wrong.
Preventing prompt injection in LLM features — Llama Guard 4 + sanitization
User input fed to an LLM is a prompt-injection surface. Defense: pre-sanitize user input, classify outputs with Llama Guard 4, and scope-bound egress.
Hallucinated package names in AI-generated code — detect, prevent, and recover
AI coding assistants invent plausible-sounding package names that don't exist — and attackers pre-register those hallucinated names on npm and PyPI with malware. This guide shows the attack, the verification workflow, and the production controls that defend against it.
The lethal trifecta for AI agents — why three capabilities together turn agents into weapons
Simon Willison's framing (June 2025): an AI agent becomes weaponizable when it has private data + untrusted content + external communication, all at once. Any two are usually safe; all three is the catastrophic combination. Here's how to spot the trifecta in your stack and break the chain.
OWASP LLM Top 10 — the 10 most critical risks for LLM-powered applications (2025)
OWASP's LLM Top 10 is the canonical taxonomy for AI-feature security. Different from the regular OWASP Top 10, it covers the bug classes that only exist when you ship LLMs in production — prompt injection, insecure output handling, training-data poisoning, model DoS, supply-chain risks, and more. Here's each category with a real-world example and the Securie specialist that catches it.
AI red teaming for production agents — continuous CI gate + quarterly manual engagement
Adversarial testing for LLMs and agents in production. Two layers: continuous automated red-team in CI (catches regressions on every release) + quarterly manual engagement (finds novel classes). This guide shows the harness, the corpus, and the threshold gates.
Dependency scanning for AI-built apps — what to scan, what to block, what to ignore
Vibe-coded apps inherit thousands of transitive dependencies and the AI assistant invents fresh ones every prompt. This guide walks through the dependency-scanning stack for an AI-built app: what to run, what to block in CI, and how to handle slopsquatting + typosquatting + dependency confusion.