The Boring Parts of Shipping Securely
Most security incidents aren't sophisticated. They're a config default nobody revisited.
The security work that prevents incidents is rarely the interesting kind. It's dependency updates, header configuration, and rotating a secret before someone asks whether it's still the one from the demo two years ago.
Defaults are decisions
A surprising number of breaches trace back to a default that was never revisited: a storage bucket left publicly listable, a CORS policy of * that shipped in a hurry and stayed.
export const config = {
cors: {
origin: ["https://backviaa.com"], // not "*"
credentials: true,
},
};A short list that covers most of the risk
- Rotate credentials on a schedule, not just after an incident.
- Pin dependency versions and review the diff on major bumps — supply chain risk is real, not theoretical.
- Least-privilege service accounts, checked in code review, not just at provisioning time.
None of this requires a security team. It requires deciding that the boring 80% gets done on a schedule, so the remaining 20% is what your actual security review has time to focus on.
More posts
How Postgres Indexes Actually Work
A deep dive into B-tree internals, and why a sequential scan sometimes beats an index you were sure would help.
Why We Moved Off REST
GraphQL solved a real problem for our mobile clients, but it introduced a few we didn't see coming.