$ tail -f /var/log/steelsuit/updates.log

Featured
admin@steelsuit:~$ cat lovable-security.md

Lovable Security: What CVE-2025-48757 Taught Us and How to Check Your App

The defining Lovable security issue was CVE-2025-48757 — a missing Supabase Row Level Security policy that let anyone read or write the database of generated apps. Here's what happened and how to check yours.

AI_SECURITY
June 8, 2026
SYS_LOG >CI_CD

How to Add a GitHub Actions Security Scan to Your CI/CD Pipeline

Add an automated GitHub Actions security scan to your CI/CD pipeline: a copy-pasteable workflow that runs an external security check before deploy and can fail the build on high or critical findings.

June 7, 2026
SYS_LOG >MONITORING

Continuous Security Monitoring: Why One Scan Is Never Enough

Continuous security monitoring catches what a one-time scan can't: SSL certificate expiry monitoring, new subdomains, header drift, and fresh CVEs. Here's how to set up continuous vulnerability scanning.

June 6, 2026
SYS_LOG >GUIDE

Node.js Security Best Practices for a Deployed App and API

A practical guide to Node.js security best practices for production: dependency hygiene, secrets, Helmet headers, TLS, validation, rate limiting, CORS, and how to verify it externally.

June 5, 2026
SYS_LOG >GUIDE

Subdomain Takeover: How It Happens, How to Detect It, and How to Fix It

A subdomain takeover lets an attacker serve their own content on your domain via a dangling DNS record. Here is how to find subdomains, run a subdomain takeover checker, and prevent it.

June 4, 2026
SYS_LOG >GUIDE

CORS Misconfiguration: How to Test and Fix a Permissive CORS Policy

What a CORS misconfiguration is, how to test whether your API reflects arbitrary origins with a CORS checker (and a one-line curl test), and exactly how to fix a permissive cross-origin policy.

June 3, 2026
SYS_LOG >GUIDE

DAST Explained: What Dynamic Application Security Testing Catches (and How It Differs From SAST)

What is DAST? A plain-English guide to dynamic application security testing — what a DAST scan finds, how it differs from SAST, where automated DAST fits, and when you still need a manual web app pentest.

June 1, 2026
SYS_LOG >GUIDE

SPF, DKIM, and DMARC Explained: How to Check and Fix Email Authentication

What SPF, DKIM, and DMARC do, how to check your records, and how to fix the common gaps — including the dangerous p=none policy and the SPF 10-lookup limit.

May 30, 2026
SYS_LOG >AI_SECURITY

Supabase Security: What an External Scan Can (and Cannot) Tell You

An honest guide to Supabase security: why the anon key is safe but the service-role key is not, what Row Level Security actually protects, and what an external scan can verify from the outside.

May 28, 2026
SYS_LOG >REPORTS

How to Read a Vulnerability Scan Report (and Actually Use It)

A vulnerability scan report turns raw scanner output into prioritized, fixable findings. Learn what every good vulnerability scan report contains and how to read one.

May 26, 2026
SYS_LOG >GUIDE

Next.js Security Headers: A Copy-Pasteable Setup and Verification Guide

How to configure Next.js security headers — HSTS, CSP, X-Frame-Options, and more — using next.config.js, plus how to verify them with a security headers checker.

May 23, 2026
SYS_LOG >GUIDE

How to Find Exposed API Keys on Your Website (and What to Do)

If your API key leaked in JavaScript or a .env file is publicly reachable, here is how to check whether secrets are exposed in your frontend code — and exactly how to respond.

May 21, 2026
SYS_LOG >AI_SECURITY

Vibe Coding Security: A Practical Guide to AI-Generated Code Risks

A grounded guide to vibe coding security: the common vulnerabilities in AI-generated code (exposed secrets, missing auth, weak headers, permissive CORS) and how to catch them.

May 19, 2026
SYS_LOG >CHECKLIST

The Pre-Launch Web Application Security Checklist (And How to Verify Each Item)

A practical web application security checklist developers can run through before shipping — TLS, headers, secrets, exposed paths, dependencies, DNS/email auth, and monitoring.

May 17, 2026