Pilihan
Practical Cybersecurity for Vibe-Coded Apps

Workshop Overview

You have now built your MVP, what's next?

Modern app development has never been faster. With AI-assisted coding, Supabase, Expo, Firebase, and low-code tools, many teams can ship a working product in days — sometimes hours.

However, speed often comes at the cost of security awareness.

This community workshop is designed for founders, indie hackers, and developers building vibe-coded projects who want to understand practical cybersecurity risks and realistic prevention strategies — without enterprise complexity or fear-based messaging.

The focus is on shared learning, real scenarios, and defensive patterns that are appropriate for MVPs and early-stage products.

---

Why This Session Matters

Most early-stage applications are not “hacked” in sophisticated ways.
Instead, they are quietly abused through:

• Hotlinking and asset scraping
• Bot traffic draining storage and egress
• Over-exposed APIs and mismanaged secrets
• Public URLs assumed to be “safe enough”

These issues often surface only after usage increases — typically as unexpected downtime or rising cloud costs.

This session aims to help builders recognize these risks early and apply lightweight but effective protections.

---

Topics We Will Cover

1. Hotlinking and Bandwidth Abuse

• How hotlinking works and why it is commonly overlooked
• Real examples of storage and egress abuse
• Practical mitigation using signed URLs, headers, and CDN controls

2. Securing the Frontend–Backend Communication Path

• What it means when your Supabase or backend URL is public
• What attackers can realistically do with that information
• How to introduce a secured request layer without slowing development
• Common architectural patterns for web and mobile apps

3. API Secrets and Key Management

• Why “not exposing it on the frontend” is often insufficient
• How secrets are extracted from apps in practice
• Safer approaches to handling API keys in modern stacks

4. Obfuscation: Purpose and Limitations

• What obfuscation does and does not protect
• When obfuscation is appropriate for frontend and mobile apps
• How to use obfuscation as a supporting measure, not a primary defense

---

Additional Areas of Discussion (Time Permitting)

Depending on participant interest, we may also explore:

• Bot abuse and automated traffic patterns
• Rate limiting as both a security and cost-control mechanism
• Signed URLs and expiring access strategies
• Mobile application security realities
• Establishing a reasonable security baseline for MVPs

---

Who This Workshop Is For

• Founders preparing to launch or scale an MVP
• Developers using Supabase, and AI-assisted tools
• Indie hackers and small teams seeking practical safeguards
• Anyone who wants to avoid preventable security-related costs

No prior cybersecurity background is required.

---

What You Will Take Away

Participants will leave with:

• A clearer understanding of common attack vectors targeting early-stage apps
• Practical steps to reduce risk without over-engineering
• A security mindset focused on risk reduction and sustainability, not perfection

---

This session is intended to be informative, open, and discussion-friendly, encouraging participants to learn from real examples and from one another.