

✨ Here's my first GPT-3 app: it generates new startup ideas and you can get early access here: forms.gle/UBvUKY91QKRgZW…
Jimmy Ships
253 posts

@jimships
10+ year exp. SWE, building @GetMagicKit and exploring ideas in tech and indie hacking






Okay time to debug plane game on Windows with my new $200 Acer







“Vibe coding” fk up of the day. This isn’t just a concern for the dev, but also anyone signing up to vibe coded websites. Also, connecting wallets etc in the world of web3 could also lead to more devastating security compromises for users.

Indie hackers and vibe coders, I’m going to give you a quick rundown on security so you don’t get screwed… But first, what makes me qualified to do this? I’ve held high-level engineering roles throughout my career where I’ve been responsible for websites + systems with >1 million user accounts, and everything that goes into that.

1) Use rate limiting, but not just at a cloud level. I’ve seen @jackfriks and a few others struggle with bot attacks. Get a basic @Cloudflare installation up and running; it’s free. If you’re on @vercel, they have a tool natively built in for that vercel.com/guides/add-rat…. This helps prevent things like spammy account sign-ups. But go one step deeper: integrate rate limits in your code. Use session-based rate limiting where sensitive actions within your codebase are limited to, say, 5 attempts every 10 minutes by tracking these attempts in a session.

2) Similar to solving the above problem, use captcha on sensitive areas, such as account creation and sign-in. This provides a more reliable way of verifying that the request happening is from an actual human.

3) There’s a million ways of storing data, but regardless of what you’re doing, make sure anything sensitive is encrypted. Things like passwords should be one-way encrypted, meaning even you as the database owner cannot see it. Other things that are less sensitive but still important (e.g. someone's physical address) can still be encrypted at rest, with the option for you to decrypt to reveal that data in a frontend.

4) Never reveal your env variables, store them securely, never commit them to version control, and definitely never share them on X. If for whatever reason you manage to reveal them, immediately revoke every single one of them and start again. Imagine a world where someone has your Stripe keys: they can not only steal your customer data, they could programmatically refund everyone.

5) Don’t install random dependencies and other code packages. Anything dodgy will potentially not only have free rein over your entire codebase, but also your local machine (computer). If you’re using @github, install Dependabot :)

6) 2FA absolutely everything, preferably with app-based 2FA (not SMS). Your domain registrar, hosting login, payment providers, social accounts, the absolute lot.

7) Wanna stop someone from being able to access certain features or content? Don’t just prevent that from happening on the frontend, prevent it in your backend code too. Frontend-only blocks are so easy to bypass.

8) Sanitize all user input, trust nothing. SQL injection is kinda a thing of the past, but it’s still possible in today's world and these kinds of attacks give people access to all of your data, including the ability to delete it.

I could go on forever, but I think this is enough for now. Any questions? LMK below... 👇
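As an added example (not code from the thread or its author), here is a small session-keyed sliding-window limiter in JavaScript that enforces the thread's "5 attempts every 10 minutes" rule for a sensitive action such as sign-in, plus a wrapper that turns the verdict into a 429-style response. The in-memory Map and the handler shape are assumptions; across several server instances the attempt store would need to be shared (e.g. Redis) rather than per-process.

```javascript
// Added example: per-session sliding-window rate limiting for sensitive actions.
// Limits each session to MAX_ATTEMPTS within WINDOW_MS, as suggested in the thread.
const MAX_ATTEMPTS = 5;
const WINDOW_MS = 10 * 60 * 1000; // 10 minutes

class SessionRateLimiter {
  constructor(maxAttempts = MAX_ATTEMPTS, windowMs = WINDOW_MS) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    // Assumption: in-memory store; sessionId -> timestamps (ms) of allowed attempts
    this.attempts = new Map();
  }

  // Returns { allowed, remaining, retryAfterMs } for this session at time `now`.
  // Only allowed attempts are recorded, so the store is bounded by maxAttempts
  // per session and blocked requests cannot grow it.
  check(sessionId, now = Date.now()) {
    const cutoff = now - this.windowMs;
    // Drop attempts that have aged out of the window (timestamps stay ascending)
    const recent = (this.attempts.get(sessionId) || []).filter((t) => t > cutoff);
    const allowed = recent.length < this.maxAttempts;
    if (allowed) recent.push(now);
    this.attempts.set(sessionId, recent);
    // When blocked, the oldest attempt in the window is the next one to expire
    const retryAfterMs = allowed ? 0 : recent[0] + this.windowMs - now;
    return { allowed, remaining: this.maxAttempts - recent.length, retryAfterMs };
  }
}

// Wraps a sensitive handler so it only runs while the session is under the limit.
// Handler and response shapes are assumptions for the example.
function withSessionRateLimit(limiter, handler) {
  return (sessionId, input, now = Date.now()) => {
    const verdict = limiter.check(sessionId, now);
    if (!verdict.allowed) {
      return {
        status: 429,
        body: { error: 'too many attempts', retryAfterMs: verdict.retryAfterMs },
      };
    }
    return handler(input);
  };
}
```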

ok someone is attacking now my database @supabase with 1,000 new signups per 5 minutes bro can you please NOT do that ♥️ thanks! if anyone from supabase can help mitigate, i’m working on now also to stop their requests





