What happens if…
Plain-English walk-throughs of the security moments every indie founder faces. No jargon. Just what actually happens and what to do about it.
My API key leaked on GitHub — what do I do?
Your OpenAI, Stripe, or Supabase key is on GitHub. You just realized. Here's exactly what to do in the next ten minutes — and what the attacker is already doing.
My Supabase database might be public — how do I check?
You built your app with Lovable / Bolt / Cursor and now you're worried your Supabase tables are open to the world. Here's how to check it yourself today — and how to get an automated plain-English Securie review.
Someone tweeted that my app is leaking data — what do I do?
A random security researcher just tweeted that your app has a vulnerability. Your DMs are blowing up. Here's the 60-minute response playbook.
My app just hit Hacker News / Product Hunt — am I about to get breached?
Your app just went viral. Thousands of strangers are testing it right now. Some of them are attackers. Here's what to do in the first 24 hours.
My OpenAI bill hit $12,000 overnight — how?
You woke up to a shockingly large OpenAI bill. Here's how it happened, how to reverse it if possible, and how to make sure it never happens again.
I don't know if my app is safe — where do I start?
You built an app. You don't know if it's secure. You don't know what 'secure' even means. Here's the 20-minute assessment.
All my code was written by AI — how do I trust it?
Your entire codebase came from Lovable / Bolt / Cursor / v0 / Claude. You didn't read most of it. Is that safe? What do you do?
My AI agent just deleted my production database — what do I do?
Replit Agent / Cursor agent / Cline / Claude Code in autonomous mode just ran a destructive query against production. Here's the 30-minute restore plan + the structural fix so it never happens again.
My Lovable app might be exposing customer data — how do I check?
10.3% of Lovable apps had this exposure for 48 days in April 2026. Here's how to check yours today + the structural Supabase RLS fix.
My Cursor / Claude Code leaked my Anthropic key — what now?
Per Lakera (April 2026): 33 of 428 npm packages with `.claude/settings.local.json` had live credentials. The Bitwarden CLI hijack actively hunted these paths. Here's the 10-minute remediation.
I'm launching on Show HN tomorrow — am I going to get attacked?
Yes. Front-page slot lasts 4 hours. Bots find your bugs in 6 minutes. Here's the launch-readiness checklist + the post-launch monitoring you need.
My Stripe test key is in production — payments are failing for real customers
Real customers can't pay because your live deploy uses an `sk_test_` key. Here's the 5-minute fix + the env-var hygiene that prevents recurrence.
My Vercel account just got hijacked — what do I do?
The April 2026 Vercel × Context.ai breach showed how OAuth-app overreach becomes account compromise. Here's the response playbook.
I installed a malicious MCP server — is my agent compromised?
The April 2026 Anthropic MCP RCE affected 200,000+ servers. Tool poisoning + rug-pulls are routine. Here's how to detect + remove a compromised MCP server.