Field notes
War stories and patterns from auditing small web products. No vendor takes, no checklists you've already seen.
Pillar
Your first security audit, if you ship a small web product
What we actually look at in week one, what we ignore, and why most small-product audits waste the first two days on the wrong things.
Cluster — Auth boundaries
The billing endpoint is where IDOR stops being theoretical
A walkthrough of why ?team_id= on the invoice route keeps being the bug that pays for the whole audit.
Cluster — Server-side trust
The webhook URL field nobody validates
Three production webhook patterns we keep finding, and the one validation that would have killed all of them.
Cluster — Object storage
Signed URLs aren't a fence
Why presigned S3 URLs leak files even when your bucket policy looks tight, with three patterns from real small-SaaS audits.
Want this lens pointed at your product?
The first heads-up is free. We tell you the top three things to fix and whether a paid audit is even worth it for you.
Request a free check