Slow (michaelnotebook.com)

412 points by calvinfo 4h ago 104 comments

Releasing open weights for FLUX.1 Krea (krea.ai)

157 points by vmatsiiako 10h ago 61 comments

The anti-abundance critique on housing is wrong (derekthompson.org)

62 points by rbanffy 2h ago 86 comments

QUIC for the kernel (lwn.net)

186 points by Bogdanp 7h ago 137 comments

How was the Universal Pictures 1936 opening logo created? (movies.stackexchange.com)

445 points by azeemba 12h ago 65 comments

I made a website that makes you cry (cryonceaweek.com)

41 points by johnnymaroney 3d ago 25 comments

Ubiquiti launches UniFi OS Server for self-hosting (lazyadmin.nl)

201 points by speckx 8h ago 161 comments

Gemini Embedding: Powering RAG and context engineering (developers.googleblog.com)

144 points by simonpure 7h ago 54 comments

MacBook Pro Insomnia (manuel.bernhardt.io)

284 points by speckx 9h ago 153 comments

"No tax on tips" is an industry plant (newyorker.com)

31 points by littlexsparkee 2h ago 27 comments

Show HN: Mcp-use – Connect any LLM to any MCP (github.com)

83 points by pzullo 7h ago 33 comments

Secure boot certificate rollover is real but probably won't hurt you (mjg59.dreamwidth.org)

89 points by zdw 6h ago 37 comments

Show HN: Sourcebot – Self-hosted Perplexity for your codebase (github.com)

62 points by bshzzle 1d ago 16 comments

I tried Servo (spacebar.news)

309 points by robtherobber 12h ago 202 comments

Introduction to Computer Music (cmtext.com)

240 points by hecanjog 12h ago 67 comments

Many countries that said no to ChatControl in 2024 are now undecided (digitalcourage.social)

293 points by nickslaughter02 11h ago 196 comments

Understanding the Complete Identity Management Ecosystem (guptadeepak.com)

5 points by guptadeepak 38m ago 2 comments

Denver rent is back to 2022 prices after 20k new units hit the market (denverite.com)

132 points by matthest 3h ago 161 comments

Launch HN: Gecko Security (YC F24) – AI That Finds Vulnerabilities in Code

42 points by jjjutla 7h ago 24 comments

Kaizen (YC X25) is hiring engineers to build browser agents that work (kaizenautomation.com)

1 points by michaelssilver 6h ago 0 comments

Crafting your own Static Site Generator using Phoenix (2023) (fly.io)

6 points by Bogdanp 52m ago 0 comments

We revamped our docs for AI-driven development (docs.freestyle.sh)

68 points by benswerd 5d ago 11 comments

Raspberry Pi 5 Gets a MicroSD Express Hat (cnx-software.com)

19 points by geerlingguy 3d ago 8 comments

Carbon Language: An experimental successor to C++ (docs.carbon-lang.dev)

88 points by samuell 9h ago 69 comments

Kaleidos – A portable nuclear microreactor that replaces diesel generators (radiantnuclear.com)

90 points by sparrish 3h ago 115 comments

Show HN: AgentMail – Email infra for AI agents (chat.agentmail.to)

55 points by Haakam21 9h ago 31 comments

Astronomical Telescope “Hadley” – an easy assembly, high performance Newtonian (printables.com)

38 points by yehoshuapw 5h ago 2 comments

AI is a floor raiser, not a ceiling raiser (elroy.bot)

183 points by jjfoooo4 6h ago 125 comments

Face it: you're a crazy person (experimental-history.com)

380 points by surprisetalk 3d ago 240 comments

Ferrari Status (collabfund.com)

50 points by surprisetalk 3d ago 80 comments

Zig Profiling on Apple Silicon (blog.bugsiki.dev)

90 points by signa11 2d ago 22 comments

What is gVisor? (blog.yelinaung.com)

92 points by yla92 10h ago 49 comments

The Chrome Speculation Rules API allows the browser to preload and prerender (docuseal.com)

91 points by amadeuspagel 7h ago 73 comments

Hawaiian petroglyphs reemerge on Oahu's shores after years of being hidden (archaeologymag.com)

5 points by pseudolus 1h ago 0 comments

Benchmarking MicroPython (blog.miguelgrinberg.com)

8 points by ibobev 2h ago 2 comments

Dark patterns (nsw.gov.au)

85 points by ColinWright 10h ago 37 comments

150 years of Hans Christian Andersen (newstatesman.com)

119 points by wholeness 1d ago 39 comments

Ursa: A leaderless, object storage–based alternative to Kafka (streamnative.io)

82 points by netpaladinx 8h ago 29 comments

The Math Is Haunted (overreacted.io)

360 points by danabramov 1d ago 172 comments

Go Assembly Mutation Testing (words.filippo.io)

32 points by Metalnem 6h ago 2 comments

Following Up on the Python JIT (lwn.net)

82 points by Bogdanp 3d ago 40 comments

So you're a manager now (scottkosman.com)

210 points by mooreds 11h ago 151 comments

OpenAI's ChatGPT Agent casually clicks through "I am not a robot" verification (arstechnica.com)

210 points by joak 3d ago 252 comments

Build a confetti bot with a Raspberry Pi (2023) (docs.viam.com)

11 points by hazalmestci 3d ago 1 comments

U.S. senators introduce new pirate site blocking bill, "Block BEARD" (torrentfreak.com)

227 points by HieronymusBosch 8h ago 212 comments

Sumo – Simulation of Urban Mobility (eclipse.dev)

139 points by Stevvo 3d ago 28 comments

Orion Browser (kagi.com)

96 points by gtirloni 9h ago 82 comments

Programmers aren’t so humble anymore, maybe because nobody codes in Perl (wired.com)

49 points by Timothee 2d ago 52 comments

GEPA: Reflective prompt evolution can outperform reinforcement learning (arxiviq.substack.com)

84 points by che_shr_cat 12h ago 21 comments

Recording vintage CRTs with a modern Sony mirrorless camera (jeffgeerling.com)

6 points by ecliptik 3h ago 0 comments

Ask HN: Handling Security as a Solo Dev?

3 cosmic_cheese 4 7/31/2025, 5:46:31 AM

There’s a project that’s been on mind my mind lately. I think I can ship an MVP reasonably quickly, but concerns about security have been holding me back.

There’s so many different ways to screw up, depending on how the app is developed and deployed (an old style VPS deployment is a very different beast than something e.g. deployed on Vercel using S3 and Supabase), and I’m most experienced in mobile client dev (haven’t touched back end since ~2012) which makes for considerable blind spots. I’m aware of basics like not checking in API keys and secrets, but I’m sure there’s a laundry list of things I’m not considering.

What’s the best way to make sure my bases are covered here? It used to be that using well vetted, battle tested tools like up to date Rails w/Devise would take you a long way, is that still true?

Thanks, and apologies if the question is too vague.

Comments (4)

mmarian · 8h ago

Don't try to cover everything. Think about the critical risks for your startup - maybe it's cost-exhaustion attack, maybe it's leaking sensitive personal info, it depends on what you're doing. Then find reasonable protections to put in place for them.

witnessme · 17h ago

Before deployment: Use tools such as codeql, sonarqube, etc. in your CI/CD pipeline. They scan the repo for known patterns and you can design your own patterns to automatically check before anything goes out.

After deployment: There was a post on HN some days back regarding a tool that you can deploy on your machine to check for common misconfigurations and you can potentially scan the logs to discover issues. Also, I have developed an AI agent to act as a penetration tester (without the knowledge of your codebase or internal system) and discover vulnerabilities. I have been improving it since last year and using it to continously pentest my infra. I'm thinking of opening this up for others. Let me know if you need access to this.

justdoitookk · 17h ago

Hehe, We're still actively working on developing the features right now, so we haven't been able to fully address security concerns yet~

chistev · 17h ago

Write tests.