𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

Machine-translated. Read the original.

📅4 hours ago⏱2 min read

𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

I recently audited all my side projects. I checked my FastAPI backends, Telegram bots, and web apps. I thought I was careful.

I was wrong.

I found real bugs that I actually shipped to production. These are not theoretical problems. They are mistakes I made while trying to move fast.

Here are the main issues I found and how to fix them:

Conditional Authentication I wrote code that only checked API keys if a secret existed. If I forgot to set the secret in my environment, the check skipped entirely. This left my API open to everyone.

Fix: Never make authentication conditional. If the secret is missing, the app should throw an error and stop.

Leaking Keys in Git History I found old API keys in my Git history. I had moved them to .env files later, but Git keeps every old version of your code forever.

Fix: Treat any key ever committed to Git as compromised. Revoke it immediately. Use tools like git-filter-repo to clean your history.

Leftover Debug Endpoints I left endpoints in production that showed my database configuration and system settings. These are helpful during development but dangerous in the wild.

Fix: Add debug endpoint removal to your deployment checklist.

Verbose Error Messages I was returning raw system errors to the user. These errors reveal your file paths, database types, and library versions. An attacker can use this data to target your system.

Fix: Log the full error internally for yourself. Return a generic "Internal Server Error" message to the client.

XSS via innerHTML I used innerHTML to render user data in my frontend. This allows attackers to inject scripts into your site.

Fix: Always sanitize data or use textContent instead of innerHTML.

Lack of Rate Limiting I had endpoints that called expensive AI models without limits. One user could run up a massive bill in minutes.

Fix: Authentication stops unauthorized users. Rate limiting stops authorized users from abusing your system. You need both.

Permissive CORS Settings I used allow_origins=["*"] in my middleware. This allows any website to make requests to your API.

Fix: Only allow your specific domains in production.

File Leakage Ho scritto del codice che creava file temporanei ma non riusciva a eliminarli in caso di crash del processo. Questi file rimangono sul server per sempre.

Soluzione: Usa un blocco try-finally per garantire che i file vengano eliminati anche in caso di errore.

I problemi di sicurezza sono raramente intenzionali. Sono il risultato del dire "Lo sistemerò più tardi". Il "più tardi" non arriva mai.

Integra la sicurezza nel tuo flusso di lavoro fin dal primo giorno. Controlla il tuo codice prima di fare il commit e prima del deploy.

Fonte: https://dev.to/justjinoit/i-audited-my-own-side-projects-for-security-issues-heres-what-i-found-1ahb