InfrastructureMay 21, 20261 min read

The Boring Parts of Shipping Securely

Most security incidents aren't sophisticated. They're a config default nobody revisited.


The security work that prevents incidents is rarely the interesting kind. It's dependency updates, header configuration, and rotating a secret before someone asks whether it's still the one from the demo two years ago.

Defaults are decisions

A surprising number of breaches trace back to a default that was never revisited: a storage bucket left publicly listable, a CORS policy of * that shipped in a hurry and stayed.

export const config = {
  cors: {
    origin: ["https://backviaa.com"], // not "*"
    credentials: true,
  },
};

A short list that covers most of the risk

  • Rotate credentials on a schedule, not just after an incident.
  • Pin dependency versions and review the diff on major bumps — supply chain risk is real, not theoretical.
  • Least-privilege service accounts, checked in code review, not just at provisioning time.

None of this requires a security team. It requires deciding that the boring 80% gets done on a schedule, so the remaining 20% is what your actual security review has time to focus on.

More posts