Ship Notes · SN #17·SEP 5, 2026

Security as a habit

Security isn't a phase before launch — it's a set of small defaults you keep. Two notes that prevent most of the painful incidents.

1. Secrets never live in code

An API key in the repo is a breach waiting for a public push. Keep secrets in environment variables and a secrets manager, and rotate anything that leaks the moment you find it — assume it's already been seen.

2. Least privilege by default

Give every service and person the minimum access they need to do the job. When something is compromised — and one day something will be — least privilege is what decides whether it's a scare or a disaster.

Start building with us

Previous issue

SN #16 — Performance users actually feel

Security as a habit

1. Secrets never live in code

2. Least privilege by default

Weekly engineering signal, without the noise.

Security as a habit

1. Secrets never live in code

2. Least privilege by default

Weekly engineering signal, without the noise.