Imed Bounab

2.2K posts

@imaibou

Penetration tester & web developer. Founder @Devsecurely. I will teach you how to secure your applications.

Paris. Joined June 2013
1.1K Following, 1.3K Followers
Pinned Tweet
Imed Bounab@imaibou·
Your application is vulnerable, and you don't even realize it. Hackers have special vision. They don't see websites the way others do. If you don't understand that, your defenses are useless. Let me show you 👇🧵
Imed Bounab@imaibou·
@JerDykNotion Finish the whole chain before calling it quits (do the marketing, do the copywriting, do the CRO, do the sales calls...). I wouldn't care if it was successful or not. I would care more about learning the skills I mentioned above.
Jer Dyk@JerDykNotion·
@imaibou What would you have done different?
Jer Dyk@JerDykNotion·
If you're a builder under 30, hear me out. I'm 38. I started building two years ago. If I'd started at 16? Different game. Here's what I'd do:
- find a topic of interest
- just start creating
- make sure you are visible
- use the feedback
- iterate in public
How early did you start building?
Imed Bounab@imaibou·
To be honest, I tried codex for a little bit, and I was surprised by how few vulnerabilities it produced. The main issue with AI code is that it doesn't get context. Especially if you give it an existing project and then tell it to add features. If you don't tell it who should be able to do what, it introduces logical vulnerabilities. Didn't get around to testing other AI solutions though. I'm curious to hear your experience.
Csaba Kissi@csaba_kissi·
Prove me wrong: Vibe coding = security risks
Imed Bounab@imaibou·
@Aayush13138763 I believe that having these auxiliary skills to coding is what will make you irreplaceable by AI
Imed Bounab@imaibou·
We don't hire "performance specialists" to avoid infinite loops. Security is the same. It's not a job title. It's a baseline skill every developer should own.
Imed Bounab@imaibou·
"We'll do a security audit before launch". No, you won't. You'll launch. Get busy. Delay the audit. Ship the next feature. Security is not a pre-launch checklist. It's a habit.
Imed Bounab@imaibou·
There's probably a hardcoded secret in your codebase right now. grep for 'password', 'secret', 'api_key', 'token'. Do it right now. I'll wait.
Imed Bounab@imaibou·
Junior devs don't make security mistakes. Untrained devs do. The junior dev who pushed AWS credentials to a public repo wasn't careless. Nobody showed him why it mattered. No .gitignore. No pre-commit hook. No onboarding. Blame the system, not the person.
Imed Bounab@imaibou·
One XSS vulnerability. Every user session gone. localStorage is convenient for JWTs. It's also readable by any JavaScript on your page. If an attacker can inject JS code, he'll be able to steal all the users' sessions. httpOnly cookies can't be touched by JS. Use them instead.
Imed Bounab@imaibou·
@JerDykNotion How did you do that concretely? Was it text to speech from your keyboard to a note application?
Jer Dyk@JerDykNotion·
This week I dumped raw ideas from my iPhone straight into my capture system with voice to text. From a messy thought to a usable idea in 4 seconds. That tiny workflow change might be one of my best this month.
Imed Bounab@imaibou·
The one-liner that turns your login form into real auth. If a user can attempt your login form 10 000 times without hitting a wall, you don't have auth. You have a suggestion. Rate limiting. Add it.
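
Rate limiting on a login form, as an added example that is not code from the post: a sliding-window limiter with lockout in plain Node.js, keyed on both the client address and the account. The thresholds, the in-memory store and the demo user table are assumptions; the same logic applies to the unprotected login pages the later post says bots are probing.

```javascript
// Added example, not code from the thread: a sliding-window login rate limiter
// with lockout, in plain Node.js. Thresholds, the in-memory store and the demo
// user table are assumptions; in production share the counters (Redis or
// similar) so every app instance sees the same attempt history.

class LoginRateLimiter {
  constructor({ maxAttempts, windowMs, lockoutMs }) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.attempts = new Map();    // key -> timestamps of recent failures
    this.lockedUntil = new Map(); // key -> epoch ms when the lockout ends
  }

  // Call before touching the password. Returns { allowed, retryAfterMs }.
  check(key, now = Date.now()) {
    const until = this.lockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return { allowed: false, retryAfterMs: until - now };
      this.lockedUntil.delete(key);
      this.attempts.delete(key);
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record the outcome: failures accumulate inside the window, success resets.
  record(key, success, now = Date.now()) {
    if (success) { this.attempts.delete(key); return; }
    const recent = (this.attempts.get(key) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.attempts.set(key, recent);
    if (recent.length >= this.maxAttempts) this.lockedUntil.set(key, now + this.lockoutMs);
  }
}

// Two keys, two budgets: one IP spraying many accounts trips the IP limiter;
// a botnet focusing on one account trips the account limiter.
const MINUTES = 60 * 1000;
const ipLimiter = new LoginRateLimiter({ maxAttempts: 20, windowMs: 15 * MINUTES, lockoutMs: 15 * MINUTES });
const accountLimiter = new LoginRateLimiter({ maxAttempts: 5, windowMs: 15 * MINUTES, lockoutMs: 15 * MINUTES });

// Constructed demo user table. A real store holds password hashes (argon2id,
// bcrypt, scrypt), never the password itself.
const USERS = new Map([["alice", "correct horse battery staple"]]);

// Returns an HTTP-style result so the handler can map it to a response.
function login(ip, username, password, now = Date.now()) {
  const ipKey = `ip:${ip}`;
  const acctKey = `acct:${username.toLowerCase()}`;
  for (const [limiter, key] of [[ipLimiter, ipKey], [accountLimiter, acctKey]]) {
    const c = limiter.check(key, now);
    if (!c.allowed) return { status: 429, retryAfterSeconds: Math.ceil(c.retryAfterMs / 1000) };
  }
  const ok = USERS.get(username.toLowerCase()) === password;
  ipLimiter.record(ipKey, ok, now);
  accountLimiter.record(acctKey, ok, now);
  // Same 401 for unknown user and wrong password: no username enumeration.
  return ok ? { status: 200 } : { status: 401 };
}

module.exports = { LoginRateLimiter, login, ipLimiter, accountLimiter };
```

Five wrong passwords for `alice` inside the window lock the account, and the sixth attempt gets a 429 with a Retry-After even when the password is right. Lock on the account key as well as the IP: attackers rotate addresses cheaply, and a per-IP limit alone does nothing against a distributed spray. Lockouts also make account-level denial of service possible, which is why the lockout here is short and resets on success rather than being permanent.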
Imed Bounab@imaibou·
Your framework is not your security team. React escapes your output. Laravel sanitizes your queries. That's it. Broken access control, business logic flaws, insecure APIs. Your framework has no idea those exist. Thinking you're covered is worse than knowing you're not.
Imed Bounab reposted
Alex Xu@alexxubyte·
How hackers usually steal passwords
Imed Bounab@imaibou·
Your logs are trying to tell you something. Most breaches show up in the error logs before anyone notices. Failed logins at 3am. Unexpected 500s on the payment endpoint. The same IP hitting every admin route. The devs who read logs catch it first. Are you one of them?
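
The three signals the post lists, turned into detection logic as an added example that is not code from the post: failed logins at night, 5xx responses on the payment endpoint, and one address walking the admin routes, run over constructed access-log lines in Apache/nginx "combined" format. The sample lines (documentation IP ranges), endpoint names and thresholds are assumptions for the demo.

```javascript
// Added example, not code from the thread: three detections run over
// constructed access-log lines in Apache/nginx "combined" format. The sample
// lines, IPs, endpoint names and thresholds are assumptions for the demo.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Parse one line into the fields the detections need; null if it does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, rawPath, status] = m;
  const hm = /:(\d{2}):\d{2}:\d{2}/.exec(ts); // "10/Mar/2024:03:12:44 +0000" -> 3
  return { ip, method, path: rawPath.split("?")[0], status: Number(status), hour: hm ? Number(hm[1]) : -1 };
}

const THRESHOLDS = {
  failedLogins: 5,  // 401s on /login from one IP
  paymentErrors: 3, // 5xx responses under /api/payment
  adminRoutes: 4,   // distinct /admin paths probed by one IP
};

function detect(lines) {
  const failedByIp = new Map();
  const adminPathsByIp = new Map();
  let paymentErrors = 0;

  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (e.path === "/login" && e.status === 401) {
      const rec = failedByIp.get(e.ip) || { count: 0, offHours: 0 };
      rec.count += 1;
      if (e.hour >= 0 && e.hour < 6) rec.offHours += 1; // 00:00-05:59, when real users mostly are not logging in
      failedByIp.set(e.ip, rec);
    }
    if (e.path.startsWith("/api/payment") && e.status >= 500) paymentErrors += 1;
    if (e.path.startsWith("/admin")) {
      const seen = adminPathsByIp.get(e.ip) || new Set();
      seen.add(e.path);
      adminPathsByIp.set(e.ip, seen);
    }
  }

  const alerts = [];
  for (const [ip, rec] of failedByIp) {
    if (rec.count >= THRESHOLDS.failedLogins) alerts.push({ type: "bruteforce", ip, ...rec });
  }
  if (paymentErrors >= THRESHOLDS.paymentErrors) alerts.push({ type: "payment_5xx", count: paymentErrors });
  for (const [ip, seen] of adminPathsByIp) {
    if (seen.size >= THRESHOLDS.adminRoutes) alerts.push({ type: "admin_enum", ip, paths: [...seen].sort() });
  }
  return alerts;
}

// Constructed sample log, not real traffic.
const SAMPLE_LOG = [
  '198.51.100.23 - - [10/Mar/2024:03:12:44 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Mar/2024:03:12:45 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Mar/2024:03:12:46 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Mar/2024:03:12:47 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Mar/2024:03:12:48 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Mar/2024:03:12:49 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"',
  '192.0.2.10 - - [10/Mar/2024:09:02:11 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [10/Mar/2024:09:02:20 +0000] "GET /dashboard HTTP/1.1" 200 8821 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [10/Mar/2024:09:15:01 +0000] "POST /api/payment/charge HTTP/1.1" 500 87 "-" "Mozilla/5.0"',
  '192.0.2.45 - - [10/Mar/2024:09:15:09 +0000] "POST /api/payment/charge HTTP/1.1" 500 87 "-" "Mozilla/5.0"',
  '192.0.2.46 - - [10/Mar/2024:09:15:30 +0000] "POST /api/payment/charge?retry=1 HTTP/1.1" 502 87 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2024:04:40:01 +0000] "GET /admin/users HTTP/1.1" 403 0 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Mar/2024:04:40:02 +0000] "GET /admin/settings HTTP/1.1" 403 0 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Mar/2024:04:40:03 +0000] "GET /admin/export HTTP/1.1" 404 0 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Mar/2024:04:40:04 +0000] "GET /admin/logs HTTP/1.1" 404 0 "-" "curl/8.4.0"',
];

module.exports = { parseLine, detect, SAMPLE_LOG, THRESHOLDS };
```

`detect(SAMPLE_LOG)` yields three alerts: six 401s from 198.51.100.23 all between 03:00 and 04:00, three 5xx responses on the payment endpoint, and 203.0.113.7 probing four distinct admin paths (the 403s and 404s are the point: the routes were refused, but the pattern of requests is the signal). Pipe your real access log through the same functions line by line; the thresholds are the knobs to tune against your normal traffic.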
Imed Bounab@imaibou·
Learning web security ruins you. In a good way. Me before learning web security: "nobody's targeting my app" Me after: rate limiting on the contact form
Imed Bounab@imaibou·
"We have SSL so we're safe." No, you're not. HTTPS means the envelope is sealed. Not that what's inside is safe. SQL injection, XSS, broken auth... None of it cares about your SSL cert.
Antoine@antoinegst_·
Claude not again please… 😔
Imed Bounab@imaibou·
@did0f Isn't everyone proud of what they build? Making something out of nothing gives you a sense of pride in itself
Francesco Di Donato@did0f·
Makers, two questions: 1⃣ what are you building? 2⃣ are you proud of it?
Imed Bounab@imaibou·
@vineerpasam When you want to take a screenshot of a conversation, but you need to delete an embarrassing text first
Vineer@vineerpasam·
Give me one situation where “Delete for me” makes sense
Imed Bounab@imaibou·
Your login page is being scanned right now. "My site is too small to be hacked." Bots don't care about your size. They scan millions of URLs looking for unprotected login pages. Yours included. No rate limiting? You're already being probed.