Block the most common automated attacks - shippingszn launch readiness
There are a handful of attacks that bots constantly run against every site on the internet. They have ugly names — XSS, SQL injection, CSRF — but the idea is simple: they trick your app into treating attacker-supplied text as code, markup, or a database query. Modern frameworks have built-in defenses; you just have to use them correctly.
These bots don't care who you are. They scan the entire internet looking for sites that forgot to defend. If yours is one of those, your data ends up dumped on a forum, your users get hijacked, and you find out by reading about yourself online.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- Never paste user input directly into a database query. Use the safe parameterized version your framework provides (your AI builder knows how — ask it).
- Never paste user input directly into HTML you display to other users. Frameworks like React handle this safely by default — don't disable that behavior.
- Add a Content Security Policy header (your AI builder can set this up in one prompt) that tells browsers which sources of scripts and other content your pages are allowed to load.
- Use anti-CSRF tokens on forms that change data, if your auth provider doesn't already handle them.
- Ask your AI builder: "audit my app for XSS, SQL injection, and CSRF vulnerabilities and fix any you find."
Canonical URL: https://shippingszn.com/i/common-attacks/