Security Engineering

A security professional audits his own code: blog posts leaking private repo names, query-string secrets in browser history, SSRF vectors, and error messages handing attackers the database schema. 19 findings and the journey to fix every one.

I've managed firewalls for years. When it came time to add WAF protection to my own site, I evaluated Cloudflare's free tier against Vercel's built-in WAF. Here's the comparison, the implementation, the config that broke the build, and the curl tests that proved it all works.

I tasked four AI agents with auditing my production site for OWASP vulnerabilities. They found 16 findings, fixed 6, and wrote 37 tests in under 30 minutes. Traditional pentesting may never be the same, but red teamers shouldn't worry.

A red dns_bypass card on my home dashboard sat at 0.667. Closing it took two ZBF rules, a deliberately incomplete remediation on the Default subnet, and a new traffic_rules surface in the chris2ao/unifi-mcp v0.4.0 release. Here is the full walk.

A fourth-party supply-chain breach prompted Vercel to flag nine of my production credentials for rotation out of an abundance of caution. Twenty minutes after reading the disclosure I was rotating keys, and sixty minutes later I had a full audit and a hardened account. Here is how Claude Code turned a day of incident response into an hour, and why the chain that got here should change how you pick vendors.

A pairing/admin-approval privilege escalation CVE hit OpenClaw. My security agent ran a threat hunt, my builder agent implemented a Security Panel on the Mission Control dashboard, and 15 files later the system can see itself. Here is the full story.

How a routine search for blog content tools led to discovering critical security risks in a popular MCP server, and why I built my own secure alternative.