THREAT INTEL

New attacks every day:
Vercel, Supabase,
Stripe is next.

Maxime Gaudron

Co-Founder · Updated regularly

This is a living document. New incidents are added as they're reported. Last updated April 2025.

I spent years finding the holes in other people's systems. Most of what I found wasn't sophisticated — it was the same five or six mistakes repeated across hundreds of codebases. Different companies, different products, same vulnerabilities.

Vibe-coded apps are producing a new version of that pattern at a scale I've never seen before. This page documents the incidents I'm tracking — real attack vectors hitting real apps, with the vector, the impact, and the fix. I'll keep adding to it as new cases come in.

#001 · critical · Vercel + Next.js
March 2025

STRIPE_SECRET_KEY leaked in public GitHub repo

Vector

Developer ran `git add .` from root directory. The `.env.local` file was not in `.gitignore`. Repository was public. The key was indexed by GitHub code search within minutes.

Impact

Full Stripe account access. Attacker created refunds, listed all customers, and exfiltrated payout history before the key was rotated.

Fix

Add `.env*` (not just `.env`) to `.gitignore` before your first commit. Use Vercel environment variables for production secrets — never a committed file.

.gitignore — what it should include
.env
.env.local
.env.development.local
.env.test.local
.env.production.local
.env*.local

# Also worth adding
*.pem
*.key

#002 · critical · Supabase + Next.js
February 2025

RLS disabled — full user table exposed via anon key

Vector

Supabase project created with Row Level Security disabled on the `users` table. The `SUPABASE_ANON_KEY` was included in the Next.js client bundle (standard practice). Any visitor to the site could run `supabase.from('users').select('*')` from their browser console and retrieve every user record.

Impact

Email addresses, hashed passwords, user metadata, and billing information for all users were publicly readable. The table contained 4,200 rows.

Fix

Enable RLS on every table immediately after creation. Treat the anon key as public — it is. The anon key controls what unauthenticated users can do; RLS policies control what they can see.

Supabase SQL — enable RLS and add a basic policy
-- Enable RLS on the table. With RLS on and no matching policy, every row is denied.
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Users can only read their own row. auth.uid() is NULL for the anon key,
-- so this policy never matches an anonymous request.
CREATE POLICY "Users can view own data"
ON users FOR SELECT
USING (auth.uid() = id);

-- Keep the anon role out even if a permissive "read all" policy is added
-- later by mistake. This must be RESTRICTIVE: policies are permissive by
-- default and permissive policies are OR'd, so a permissive USING (false)
-- grants nothing but also blocks nothing.
CREATE POLICY "No anon access"
ON users AS RESTRICTIVE FOR ALL
TO anon
USING (false);
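
How those policies combine is the part people get wrong, so here is an added example, not code from this article, that models the Postgres rules in plain JavaScript: with RLS enabled a row is visible only if at least one permissive policy for the current role passes (they are OR'd) and every restrictive policy for that role passes as well (they are AND'd). `auth.uid()` is modelled as `ctx.uid`, which Supabase leaves NULL for the anon role, and the anon policy is modelled as restrictive, since a permissive `USING (false)` grants nothing but blocks nothing. The user rows are constructed, not real data.

```javascript
// Added example, not code from the article: a small model of how Postgres
// combines row-level-security policies, to reason about the SQL above.
// Rules modelled: with RLS enabled, a row is visible only if at least one
// PERMISSIVE policy for the current role passes (OR) and every RESTRICTIVE
// policy for that role passes too (AND). auth.uid() is modelled as ctx.uid,
// which Supabase leaves NULL for the anon role.

const POLICIES = [
  {
    name: 'Users can view own data',
    roles: ['authenticated', 'anon'], // no TO clause means PUBLIC
    kind: 'permissive',
    using: (ctx, row) => ctx.uid !== null && ctx.uid === row.id, // NULL = id is never true
  },
  {
    name: 'No anon access',
    roles: ['anon'],
    kind: 'restrictive', // AS RESTRICTIVE; a permissive USING (false) would do nothing
    using: () => false,
  },
];

function rowVisible(policies, ctx, row) {
  const applicable = policies.filter((p) => p.roles.includes(ctx.role));
  const permissive = applicable.filter((p) => p.kind === 'permissive');
  const restrictive = applicable.filter((p) => p.kind === 'restrictive');
  if (!permissive.some((p) => p.using(ctx, row))) return false; // default deny
  return restrictive.every((p) => p.using(ctx, row));
}

// What `supabase.from('users').select('*')` returns under a given key/session.
function selectAll(policies, ctx, rows) {
  return rows.filter((row) => rowVisible(policies, ctx, row));
}

// Constructed table; no real data.
const USERS = [
  { id: 'u-1', email: 'a@example.com' },
  { id: 'u-2', email: 'b@example.com' },
];

const ANON = { role: 'anon', uid: null };        // the anon key from a browser console
const USER_1 = { role: 'authenticated', uid: 'u-1' };

// The mistake that reopens the table: a well-meaning "allow reads" policy
// added later. Only the restrictive anon policy keeps the anon key out.
const MISTAKEN_READ_ALL = {
  name: 'Enable read access for all users',
  roles: ['authenticated', 'anon'],
  kind: 'permissive',
  using: () => true,
};

function summarise() {
  return {
    anonSees: selectAll(POLICIES, ANON, USERS).length,                 // 0
    user1Sees: selectAll(POLICIES, USER_1, USERS).map((r) => r.id),    // ['u-1']
    noPoliciesSees: selectAll([], USER_1, USERS).length,               // 0: RLS on, no policy
    anonAfterMistakeWithGuard: selectAll([...POLICIES, MISTAKEN_READ_ALL], ANON, USERS).length, // 0
    anonAfterMistakeNoGuard: selectAll([POLICIES[0], MISTAKEN_READ_ALL], ANON, USERS).length,   // 2
  };
}
```

The last two numbers are the point: once a permissive read-all policy lands on the table, the permissive own-row policy cannot save you because permissive policies are OR'd, and only the restrictive anon policy still returns zero rows to the anon key.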

#003 · high · Next.js API Routes
January 2025

Webhook endpoint processes unsigned events

Vector

Standard AI-generated Stripe webhook handler — no signature verification. Endpoint at `/api/webhook` was publicly documented in the app's open-source repo. Attacker constructed a `customer.subscription.updated` event payload with `status: 'active'` and a valid-looking subscription ID. POSTed it directly. Server processed it and upgraded the attacker's free account to the paid plan.

Impact

Attacker obtained paid plan access for free. Attack was scripted and run against multiple accounts using different subscription IDs found in public API responses.

Fix

Always verify Stripe webhook signatures with `stripe.webhooks.constructEvent()`. See the Stripe article in this series for the full implementation.

The missing two lines
// Add this before processing any webhook event.
// Read the raw body: the signature covers the exact bytes Stripe sent,
// so do not parse it with req.json() first.
const body = await req.text();
const sig = req.headers.get('stripe-signature');
const event = stripe.webhooks.constructEvent(body, sig!, process.env.STRIPE_WEBHOOK_SECRET!);
// If constructEvent throws, the request is not from Stripe: let it throw
// (or catch it and respond 400) and never touch the event data.

#004 · high · Vercel Edge Config
December 2024

Feature flags controlling paid access stored client-side

Vector

Developer used Vercel Edge Config to store feature flags, including a `pro_features_enabled` flag per user. The Edge Config read token was included in the client bundle to allow real-time flag reads. An attacker read the token from the bundle, called the Edge Config API directly, and read the flag structure. While they couldn't write to it, the flag keys revealed the exact field names to target in a separate injection attack.

Impact

Read-only access to feature flag configuration. Used as reconnaissance for a follow-on attack that exploited an unprotected API route accepting flag overrides.

Fix

Never ship an Edge Config token in a client bundle, read or write. For feature flag reads from the client, proxy through your API: the client calls your route, and your route reads Edge Config with a server-side token.
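
What that proxy route looks like, as an added example that is not code from this article or from Vercel: the handler takes its two dependencies as arguments so it runs offline. In a real app `readFlag` would wrap `@vercel/edge-config`'s `get()` using the server-side token held in an environment variable, and `getSessionUser` would be your auth helper; `ALLOWED_FLAGS`, `getSessionUser`, `readFlag` and the in-memory stores are hypothetical names and constructed data.

```javascript
// Added example, not code from the article or from Vercel: the "proxy
// through your API" pattern for flag reads. Dependencies are injected so the
// route runs offline; in production readFlag would wrap @vercel/edge-config's
// get() with the server-side token from an environment variable.

// Flags a client may ask about. Nothing outside this set is reachable, so
// the flag structure cannot be enumerated through the route.
const ALLOWED_FLAGS = new Set(['pro_features_enabled', 'beta_dashboard']);

// req is modelled on a Web Request: { url, headers: Map }.
// Returns { status, body } rather than a Response so it is easy to assert on.
function handleFlagRequest(req, { getSessionUser, readFlag }) {
  const user = getSessionUser(req);
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };

  const flag = new URL(req.url).searchParams.get('flag');
  if (!ALLOWED_FLAGS.has(flag)) return { status: 400, body: { error: 'unknown flag' } };

  // The key is built from the session user only. A client-supplied userId or
  // override parameter is never consulted: the client reads, it never chooses
  // whose flag or what value. That is the override hole the follow-on attack used.
  const value = readFlag(`${flag}:${user.id}`);
  return { status: 200, body: { flag, enabled: value === true } };
}

// Constructed in-memory stand-ins for Edge Config and the session store.
const FAKE_EDGE_CONFIG = new Map([
  ['pro_features_enabled:u-1', true],
  ['pro_features_enabled:u-2', false],
  ['internal_kill_switch', true], // exists server-side, never exposed
]);
const FAKE_SESSIONS = new Map([
  ['sess-1', { id: 'u-1' }],
  ['sess-2', { id: 'u-2' }],
]);

const deps = {
  getSessionUser: (req) => {
    const cookie = req.headers.get('cookie') || '';
    const m = cookie.match(/session=([^;]+)/);
    return m ? FAKE_SESSIONS.get(m[1]) || null : null;
  },
  readFlag: (key) => FAKE_EDGE_CONFIG.get(key),
};

// Builds a request the way a browser would send it (cookie carries the session).
function makeRequest(query, sessionId) {
  const headers = new Map(sessionId ? [['cookie', `session=${sessionId}`]] : []);
  return { url: `https://app.example.test/api/flags?${query}`, headers };
}
```

The two properties worth testing are that a caller only ever gets their own value, whatever `userId` or `override` they append to the query string, and that a flag name outside the allow-list is a 400 rather than a lookup, so the route cannot be used to walk the Edge Config key space the way the leaked read token was.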

More incidents being documented. Check back regularly.
