𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱

I recently audited all my side projects. I checked my FastAPI backends, Telegram bots, and web apps. I thought I was careful.

I was wrong.

I found real bugs that I actually shipped to production. These are not theoretical problems. They are mistakes I made while trying to move fast.

Here are the main issues I found and how to fix them:

1. Conditional Authentication I wrote code that only checked API keys if a secret existed. If I forgot to set the secret in my environment, the check skipped entirely. This left my API open to everyone.

• Fix: Never make authentication conditional. If the secret is missing, the app should throw an error and stop.

2. Leaking Keys in Git History I found old API keys in my Git history. I had moved them to .env files later, but Git keeps every old version of your code forever.

• Fix: Treat any key ever committed to Git as compromised. Revoke it immediately. Use tools like git-filter-repo to clean your history.

3. Leftover Debug Endpoints I left endpoints in production that showed my database configuration and system settings. These are helpful during development but dangerous in the wild.

• Fix: Add debug endpoint removal to your deployment checklist.

4. Verbose Error Messages I was returning raw system errors to the user. These errors reveal your file paths, database types, and library versions. An attacker can use this data to target your system.

• Fix: Log the full error internally for yourself. Return a generic "Internal Server Error" message to the client.

5. XSS via innerHTML I used innerHTML to render user data in my frontend. This allows attackers to inject scripts into your site.

• Fix: Always sanitize data or use textContent instead of innerHTML.

6. Lack of Rate Limiting I had endpoints that called expensive AI models without limits. One user could run up a massive bill in minutes.

• Fix: Authentication stops unauthorized users. Rate limiting stops authorized users from abusing your system. You need both.

7. Permissive CORS Settings I used allow_origins=["*"] in my middleware. This allows any website to make requests to your API.

• Fix: Only allow your specific domains in production.

8. ఫైల్ లీకేజీ నేను తాత్కాలిక ఫైళ్లను సృష్టించే కోడ్‌ను రాశాను, కానీ ప్రాసెస్ క్రాష్ అయితే వాటిని తొలగించడంలో విఫలమయ్యాను. ఈ ఫైళ్లు మీ సర్వర్‌లో శాశ్వతంగా ఉండిపోతాయి.

• పరిష్కారం: ఏదైనా ఎర్రర్ వచ్చినప్పటికీ ఫైళ్లు తొలగించబడేలా చూడటానికి try-finally బ్లాక్‌ను ఉపయోగించండి.

భద్రతా సమస్యలు చాలా అరుదుగా ఉద్దేశపూర్వకంగా జరుగుతాయి. "దీనిని తర్వాత సరిచేస్తాను" అని వాయిదా వేయడం వల్ల ఇవి ఏర్పడతాయి. కానీ ఆ 'తర్వాత' అనేది ఎప్పటికీ రాదు.

మొదటి రోజు నుండే మీ వర్క్‌ఫ్లోలో భద్రతను చేర్చుకోండి. మీరు కోడ్‌ను కమిట్ చేసే ముందు మరియు డిప్లాయ్ చేసే ముందు తనిఖీ చేయండి.

మూలం: https://dev.to/justjinoit/i-audited-my-own-side-projects-for-security-issues-heres-what-i-found-1ahb