Info
These are my notes/highlights from WebDevCody’s video on how blindly trusting AI (cursor) generated code for his side project lead to a subscriber of his sending him his API_KEY in an email and a notice that his project is exploitable.
AI is dumb and bad at security. If you use AI ask it very targeted questions about specific things. Asking it generically “any security issues?” won’t cut it.
Some questions to ask it:
- Is there a lack of input validation?
- Is there any potential for open redirects?
- Is there any potential for SQL injection?
- Is any sensitive information being logged out?
- Should rate limiting be added to prevent abuse?
- Is there potential for XSRF?