Search The Public Library

Find The Safest Next Step

Search across copy-paste prompts, curated prompt packs, structured learning paths, and public articles. This is built for non-software developers who need one useful move, not a maze of content.

Search Results

63 results for “security”

Prompts are usually the fastest next move. Learning paths are for when you need the full system. Articles are for judgment and tradeoffs.

Best Next Moves

Best next moves for “security”

Search results can still be a lot. These routes bias toward the safest next prompt, guided on-ramp, or deeper path for the problem you typed.

Prompts

3 results

Prompt Packs

1 result

Learning Paths

4 results

Articles

55 results

Article

Row Level Security: The Database Safety Net You Must Enable

In 2025, researchers scanned 20,000 vibe-coded apps and found 11% were leaking database access — most because Row Level Security was never turned on. Here's what RLS is, why AI coding tools miss it, and how to fix it in under ten minutes.

Track: security · Mar 25, 2026

Article

Dependency Security: Supply Chain Attacks via npm

Your audit tool came back clean. You still got owned. That's the brutal reality of npm supply chain attacks — where the package itself is the weapon, and it strikes before you run a single line of your own code.

Track: security · Apr 2, 2026

Article

Prompt of the Day: Add Row Level Security to Your Supabase Tables

Your AI coding assistant built your Supabase tables fast. It probably skipped Row Level Security entirely. Here's the exact prompt that generates correct, production-ready RLS policies for any table you have — plus the anti-prompt that produces policies that look right but leave your data wide open.

Track: prompts · Mar 28, 2026

Article

The Monthly Security Audit: Your Ongoing Checklist

Security checked at launch decays the moment you ship your next feature. A 50-minute monthly audit -- covering dependencies, access controls, secrets, logging, and infrastructure -- is the habit that keeps vibe-built apps safe long after go-live.

Track: security · Apr 13, 2026

Article

AI Hallucination Detection: When Your AI Invents Packages

Your AI coding assistant just recommended a package that doesn't exist. An attacker already registered it with malware inside. This is slopsquatting — the threat born from AI hallucinations — and it's actively targeting vibe coders right now.

Track: security · Apr 3, 2026

Article

Free Security Scanning Tools You Should Run Today

You've built something with AI assistance. It works. Users love it. But is it safe? In this guide, Tom Hundley walks through eight free security scanning tools — Semgrep, Bandit, ESLint security plugins, npm audit, pip-audit, Trivy, TruffleHog/Gitleaks, and OWASP ZAP — with exact install and run commands for each. Run these today before your next deployment.

Track: security · Apr 5, 2026

Article

Supabase Security Hardening Checklist

Hundreds of Supabase projects have had their entire databases exposed through a single misconfiguration: Row Level Security left disabled. This checklist walks you through every critical security setting -- from RLS policies to service role key hygiene to storage bucket access -- so your app is hardened before it matters.

Track: security · Apr 11, 2026

Article

MCP Security: Risks of Connecting AI to Your Systems

Model Context Protocol (MCP) lets your AI assistant reach into your databases, email, GitHub, and Slack -- but every new connection is a new attack surface. Real incidents in 2025 showed that a single malicious prompt embedded in a support ticket or a webpage can silently redirect an AI agent to exfiltrate your credentials. Here is what vibe coders need to know before they wire up their next integration.

Track: security · Apr 9, 2026