𝗜 𝗔𝘂𝗱𝗶𝘁𝗲𝗱 𝗠𝘆 𝗦𝗶𝗱𝗲 𝗣𝗿𝗼𝗷𝗲𝗰𝘁𝘀 𝗳𝗼𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗛𝗲𝗿𝗲 𝗜𝘀 𝗪𝗵𝗮𝘁 𝗜 𝗙𝗼𝘂𝗻𝗱
I recently audited all my side projects. I checked my FastAPI backends, Telegram bots, and web apps. I thought I was careful.
I was wrong.
I found real bugs that I actually shipped to production. These are not theoretical problems. They are mistakes I made while trying to move fast.
Here are the main issues I found and how to fix them:
- Conditional Authentication I wrote code that only checked API keys if a secret existed. If I forgot to set the secret in my environment, the check skipped entirely. This left my API open to everyone.
- Fix: Never make authentication conditional. If the secret is missing, the app should throw an error and stop.
- Leaking Keys in Git History I found old API keys in my Git history. I had moved them to .env files later, but Git keeps every old version of your code forever.
- Fix: Treat any key ever committed to Git as compromised. Revoke it immediately. Use tools like git-filter-repo to clean your history.
- Leftover Debug Endpoints I left endpoints in production that showed my database configuration and system settings. These are helpful during development but dangerous in the wild.
- Fix: Add debug endpoint removal to your deployment checklist.
- Verbose Error Messages I was returning raw system errors to the user. These errors reveal your file paths, database types, and library versions. An attacker can use this data to target your system.
- Fix: Log the full error internally for yourself. Return a generic "Internal Server Error" message to the client.
- XSS via innerHTML I used innerHTML to render user data in my frontend. This allows attackers to inject scripts into your site.
- Fix: Always sanitize data or use textContent instead of innerHTML.
- Lack of Rate Limiting I had endpoints that called expensive AI models without limits. One user could run up a massive bill in minutes.
- Fix: Authentication stops unauthorized users. Rate limiting stops authorized users from abusing your system. You need both.
- Permissive CORS Settings I used allow_origins=["*"] in my middleware. This allows any website to make requests to your API.
- Fix: Only allow your specific domains in production.
- Dosya Sızıntısı Geçici dosyalar oluşturan ancak işlem çöktüğünde bunları silmeyi başaramayan bir kod yazdım. Bu dosyalar sunucunuzda sonsuza dek kalır.
- Çözüm: Bir hata oluşsa bile dosyaların silinmesini sağlamak için bir try-finally bloğu kullanın.
Güvenlik sorunları nadiren kasıtlıdır. Bunlar, "Bunu sonra düzeltirim" demenin bir sonucudur. O "sonra" asla gelmez.
İlk günden itibaren güvenliği iş akışınıza dahil edin. Kodunuzu commit etmeden ve deploy etmeden önce kontrol edin.
Kaynak: https://dev.to/justjinoit/i-audited-my-own-side-projects-for-security-issues-heres-what-i-found-1ahb