← Build Journal

Build Notes · 2026-05-10

Why I Fixed Security Before Anything Else

The week I stopped building features and started fixing the doors I'd left open.

What I found

An independent audit found problems I didn't want to hear about. Path traversal — someone could read server files through the asset route. Cross-site scripting — raw HTML rendered in dashboard fields. No CSRF protection. No rate limiting on login.

None of these had been exploited. But the moment I shared the URL with someone, they could have been.

What I did about it

I spent a full week doing nothing but security fixes. Path traversal blocked with canonical path validation. All dashboard output escaped. CSRF tokens on every form. Rate limiting on login. Security headers on every response. Proper CORS rules instead of a wildcard.

It wasn't glamorous work. Nobody on Twitter would care. But it was the right work.

The principle

Trust is a product feature. You can't ask someone to log in to your dashboard, approve content, and connect their payment details if you haven't locked the doors first.

For anyone building in public

Fix security before you share the URL. Not after. Not when you have time. Before. It's the least exciting week of building and the most important one.

securitytrustproduction

Want more like this?

Start with the free AI business guide, or explore the full library.

Get the free guide → Back to journal →