𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

I recently audited all my side projects. I checked my FastAPI backends, Telegram bots, and web apps. I thought I was careful.

I was wrong.

I found real bugs that I actually shipped to production. These are not theoretical problems. They are mistakes I made while trying to move fast.

Here are the main issues I found and how to fix them:

1. Conditional Authentication I wrote code that only checked API keys if a secret existed. If I forgot to set the secret in my environment, the check skipped entirely. This left my API open to everyone.

• Fix: Never make authentication conditional. If the secret is missing, the app should throw an error and stop.

2. Leaking Keys in Git History I found old API keys in my Git history. I had moved them to .env files later, but Git keeps every old version of your code forever.

• Fix: Treat any key ever committed to Git as compromised. Revoke it immediately. Use tools like git-filter-repo to clean your history.

3. Leftover Debug Endpoints I left endpoints in production that showed my database configuration and system settings. These are helpful during development but dangerous in the wild.

• Fix: Add debug endpoint removal to your deployment checklist.

4. Verbose Error Messages I was returning raw system errors to the user. These errors reveal your file paths, database types, and library versions. An attacker can use this data to target your system.

• Fix: Log the full error internally for yourself. Return a generic "Internal Server Error" message to the client.

5. XSS via innerHTML I used innerHTML to render user data in my frontend. This allows attackers to inject scripts into your site.

• Fix: Always sanitize data or use textContent instead of innerHTML.

6. Lack of Rate Limiting I had endpoints that called expensive AI models without limits. One user could run up a massive bill in minutes.

• Fix: Authentication stops unauthorized users. Rate limiting stops authorized users from abusing your system. You need both.

7. Permissive CORS Settings I used allow_origins=["*"] in my middleware. This allows any website to make requests to your API.

• Fix: Only allow your specific domains in production.

۸. نشت فایل من کدی نوشتم که فایل‌های موقتی ایجاد می‌کرد، اما اگر فرآیند کرش می‌کرد، در حذف آن‌ها شکست می‌خورد. این فایل‌ها برای همیشه روی سرور شما باقی می‌مانند.

• راه حل: از یک بلوک try-finally استفاده کنید تا مطمئن شوید حتی در صورت بروز خطا، فایل‌ها حذف می‌شوند.

مسائل امنیتی به‌ندرت عمدی هستند. آن‌ها نتیجه‌ی گفتنِ «بعداً این را درست می‌کنم» هستند. اما آن «بعداً» هیچ‌وقت نمی‌رسد.

امنیت را از روز اول در گردش کار خود نهادینه کنید. کد خود را قبل از commit و قبل از deploy بررسی کنید.

منبع: https://dev.to/justjinoit/i-audited-my-own-side-projects-for-security-issues-heres-what-i-found-1ahb