Security Fundamentals
The fundamentals every builder should know · encryption, passwords, DNS, compliance, accessibility, and how security scanning works under the hood.
- How SimplyScan Protects Your Data: SOC 2 Compliant Processes · SimplyScan runs entirely on SOC 2 Type 2, ISO 27001:2022, and GDPR certified infrastructure (certifications held by our providers, not Kraftwire Software directly). Scan data is encrypted with AES-256 at rest and TLS 1.3 in transit, row-level security isolates each user's results, and Pro-scan source code is processed in memory, never stored.
- Row Level Security (RLS) Policies Explained for Beginners · Row-Level Security (RLS) is a PostgreSQL feature that makes the database itself enforce which rows each user can read or modify, using policies like auth.uid() = user_id. In Supabase apps the frontend talks directly to the database, so RLS is the only thing protecting your data · 38% of AI-built apps get it wrong.
- GitHub Repo Scanning: Why URL Scans Aren't Enough · URL scans only see your deployed frontend. Repository scanning analyzes the source: backend code, config files, dependencies, and every commit in git history, where deleted secrets still live. Bots exploit keys pushed to public GitHub within minutes, so scan the repo for leaked credentials, insecure code patterns, and vulnerable packages before launch.
- How to Read Your SimplyScan Security Report · A SimplyScan report is a prioritized action list · a 0 to 100 security score, findings grouped into categories (3 on free, 14 on Pro), and four severity levels from critical to low. Fix exposed secrets immediately, authentication and injection issues within the week, then headers and configuration, and rescan after deploying to verify each fix.
- Free vs Pro Scan: What's the Difference? · SimplyScan's free scan covers the three highest-impact categories · exposed secrets, frontend security headers, and Supabase misconfigurations · with full findings and fixes, no paywall. Pro expands to 14 categories and 51+ checks, adding auth, authorization, injection, CSRF, dependencies, AI security, and a PDF report. Upgrade once your app handles real user data.
- SimplyScan vs Built-In Platform Security: What Lovable, Cursor, Bolt, Replit & Windsurf Actually Check · Built-in platform security is partial at best: Lovable checks secrets, dependencies, and Supabase RLS but skips 10 categories; Replit adds SAST and dependency scanning; Bolt runs basic pre-deploy audits; Cursor and Windsurf have no code scanner at all. SimplyScan covers 13 categories and 40+ checks on any deployed app, filling the gaps every platform leaves.
- How to Secure a SaaS App: Complete Security Guide · Securing a SaaS app starts with tenant isolation: enforce tenant_id scoping with row-level security so no customer can ever see another's data. Add verified email plus MFA authentication, rate-limited and validated APIs, server-side payment processing with webhook signature checks, encryption in transit and at rest, and audit logging for incident response.
- SimplyScan vs Penetration Testing: When You Need Each · SimplyScan and penetration testing are complementary. Automated scanning delivers results in minutes, runs on every deploy, and catches common issues like exposed keys and missing headers for a fraction of the cost. Pen tests ($5,000 to $50,000, one to four weeks) find business logic flaws scanners miss. Scan continuously · add an annual pen test once you handle sensitive data.
- Can ChatGPT and Claude Find Your App? A Guide to AEO · Answer Engine Optimization (AEO) determines whether ChatGPT, Claude, Perplexity, and Google's AI Overviews can crawl, understand, and cite your app. Most vibe-coded apps fail by blocking AI crawlers in robots.txt or serving JavaScript-only shells. Fix it by allowing GPTBot and ClaudeBot, serving real HTML, and adding llms.txt plus JSON-LD structured data.
- 60 Free Security & Developer Tools Every Vibe Coder Should Bookmark · Sixty free, no-signup tools cover the security gaps AI app generators leave behind: live checks for SSL, security headers, DNS, CORS, and exposed .env files, browser-local utilities like a JWT debugger and secret scanner, plus generators, converters, and SEO and AI visibility checks. Each takes seconds · run the live checks after every deploy.
- How to Check if a Website Is Secure: A 10-Minute Audit · To check if a website is secure, run five free passive checks: confirm HTTP redirects to a valid HTTPS certificate with TLS 1.2+, verify security headers like CSP and HSTS, scan for exposed .env and .git files, check SPF, DKIM, and DMARC records, and look for a public status page. The whole audit takes about ten minutes.
- How to Create Strong Passwords · What Actually Gets Cracked in 2026 · To create strong passwords, use a password manager filled with long random strings, then guard it with one memorized passphrase of five or more random words plus MFA. Length beats complexity · sixteen random characters vastly outclass eight with forced symbols, because clever substitutions like P@ssw0rd1! are the first patterns cracking rigs try.
- DNS Records Explained: A, CNAME, MX, TXT, NS and CAA for App Builders · DNS records tell the internet where your app loads, where your email lands, and who may issue certificates for your domain. A and AAAA map names to addresses, CNAME aliases them, MX routes mail, TXT carries SPF, DKIM and DMARC, NS delegates control, and CAA restricts certificate issuance · audit all six regularly.
- WCAG Color Contrast: The Accessibility Check That's Also the Law · WCAG requires a 4.5:1 contrast ratio for normal text and 3:1 for large text and UI components, measured by relative luminance. Since the European Accessibility Act and US ADA case law, those numbers carry legal weight. Fix failing palettes by darkening lightness only · hue barely affects the ratio · and verify each pair in a contrast checker.
- Meta Tags for SEO: The Tags That Matter in 2026 (and the Ones That Don't) · Seven meta tags still matter in 2026: title (a real ranking signal, about 60 characters), meta description (click-through copy, not a ranking factor), canonical, robots, Open Graph and Twitter Cards, plus the viewport/charset baseline · with JSON-LD structured data layered on top. Meta keywords has been ignored by Google since 2009 · delete it.
- AES-256 and TLS 1.3 Explained · How Your Data Is Actually Protected · AES-256 encrypts data at rest: stored database files and backups become unreadable ciphertext, with no practical attack demonstrated in 20+ years. TLS 1.3 encrypts data in transit with mandatory forward secrecy and no legacy ciphers. Neither protects application logic · missing access controls and leaked API keys need a security scan.
- How the SimplyScan Engine Delivers Consistent Results · The SimplyScan Engine keeps scores consistent by separating detection from explanation · deterministic analyzers detect issues and compute the score with fixed weights, so the same site always gets the same number, while AI is limited to explanations, fix prompts, and semantic findings that never move the score.
Browse other categories: Platform Security Guides · Vulnerabilities & Fixes · Database & API Security · Security Checklists · Comparisons & Reviews · Speed & Performance · AI Coding Security
All security guides