𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

I recently audited all my side projects. I checked my FastAPI backends, Telegram bots, and web apps. I thought I was careful.

I was wrong.

I found real bugs that I actually shipped to production. These are not theoretical problems. They are mistakes I made while trying to move fast.

Here are the main issues I found and how to fix them:

1. Conditional Authentication I wrote code that only checked API keys if a secret existed. If I forgot to set the secret in my environment, the check skipped entirely. This left my API open to everyone.

• Fix: Never make authentication conditional. If the secret is missing, the app should throw an error and stop.

2. Leaking Keys in Git History I found old API keys in my Git history. I had moved them to .env files later, but Git keeps every old version of your code forever.

• Fix: Treat any key ever committed to Git as compromised. Revoke it immediately. Use tools like git-filter-repo to clean your history.

3. Leftover Debug Endpoints I left endpoints in production that showed my database configuration and system settings. These are helpful during development but dangerous in the wild.

• Fix: Add debug endpoint removal to your deployment checklist.

4. Verbose Error Messages I was returning raw system errors to the user. These errors reveal your file paths, database types, and library versions. An attacker can use this data to target your system.

• Fix: Log the full error internally for yourself. Return a generic "Internal Server Error" message to the client.

5. XSS via innerHTML I used innerHTML to render user data in my frontend. This allows attackers to inject scripts into your site.

• Fix: Always sanitize data or use textContent instead of innerHTML.

6. Lack of Rate Limiting I had endpoints that called expensive AI models without limits. One user could run up a massive bill in minutes.

• Fix: Authentication stops unauthorized users. Rate limiting stops authorized users from abusing your system. You need both.

7. Permissive CORS Settings I used allow_origins=["*"] in my middleware. This allows any website to make requests to your API.

• Fix: Only allow your specific domains in production.

8. ಫೈಲ್ ಸೋರಿಕೆ ನಾನು ತಾತ್ಕಾಲಿಕ ಫೈಲ್‌ಗಳನ್ನು ರಚಿಸುವ ಕೋಡ್ ಬರೆದಿದ್ದೆ, ಆದರೆ ಪ್ರಕ್ರಿಯೆಯು (process) ಕ್ರ್ಯಾಶ್ ಆದಾಗ ಅವುಗಳನ್ನು ಅಳಿಸಲು ವಿಫಲವಾದೆ. ಈ ಫೈಲ್‌ಗಳು ನಿಮ್ಮ ಸರ್ವರ್‌ನಲ್ಲಿ ಶಾಶ್ವತವಾಗಿ ಉಳಿಯುತ್ತವೆ.

• ಪರಿಹಾರ: ದೋಷವು ಸಂಭವಿಸಿದರೂ ಸಹ ಫೈಲ್‌ಗಳು ಅಳಿಸಲ್ಪಡುವಂತೆ ಖಚಿತಪಡಿಸಿಕೊಳ್ಳಲು try-finally ಬ್ಲಾಕ್ ಬಳಸಿ.

ಭದ್ರತಾ ಸಮಸ್ಯೆಗಳು ಅಪರೂಪಕ್ಕೆ ಮಾತ್ರ ಉದ್ದೇಶಪೂರ್ವಕವಾಗಿರುತ್ತವೆ. ಅವು "ನಾನು ಇದನ್ನು ನಂತರ ಸರಿಪಡಿಸುತ್ತೇನೆ" ಎಂದು ಹೇಳುವುದರ ಪರಿಣಾಮವಾಗಿರುತ್ತವೆ. ಆ "ನಂತರ" ಎಂಬುದು ಎಂದಿಗೂ ಬರುವುದಿಲ್ಲ.

ಮೊದಲ ದಿನದಿಂದಲೇ ನಿಮ್ಮ ಕೆಲಸದ ಹರಿವಿನಲ್ಲಿ (workflow) ಭದ್ರತೆಯನ್ನು ಅಳವಡಿಸಿಕೊಳ್ಳಿ. ಕೋಡ್ ಅನ್ನು commit ಮಾಡುವ ಮೊದಲು ಮತ್ತು deploy ಮಾಡುವ ಮೊದಲು ಅದನ್ನು ಪರಿಶೀಲಿಸಿ.

ಮೂಲ: https://dev.to/justjinoit/i-audited-my-own-side-projects-for-security-issues-heres-what-i-found-1ahb