Shipping Secure AI-Built Apps
The security an AI coding tool skips, and the checklist that catches it before launch.
Six chapters on securing apps built with AI coding tools: why they ship insecure, the five holes they reliably leave (data access, secrets, authorization, exposed surface), and the pre-launch checklist that catches them. Each chapter pairs a plain-language explanation with optional dive-deepers into the code.
Written for builders shipping apps generated with tools like Cursor, Lovable, v0, or Claude Code, including founders who aren't security specialists. The framing is practical: what to check, what 'done' means, and when to bring in help. Test only apps you own or are authorised to test.
Chapters
- Chapter 01 · 9 min
Why AI-built apps ship insecure
“A contractor who builds exactly what you describe, fast, and never mentions the building code, because you didn't ask.”
Read → - Chapter 02 · 11 min
Row-Level Security: the hole under every table
“A filing cabinet in a public lobby with a 'staff only' sign, and no lock.”
Read → - Chapter 03 · 10 min
Secrets and API keys
“Taping your house key to the front door because you were in a hurry.”
Read → - Chapter 04 · 11 min
Authentication and authorization
“Checking that someone has a ticket, but never checking it's a ticket for this seat.”
Read → - Chapter 05 · 10 min
Exposed endpoints, APIs, and webhooks
“Renovating the storefront but leaving the old back door unlocked, and off the floor plan.”
Read → - Chapter 06 · 11 min
Hardening before launch
“The pre-flight checklist exists because memory fails and the cost of forgetting is the whole plane.”
Read →