Quarterly benchmark reports, audit methodology articles, and insights on the state of AI-built software.
Refine scored 38/F on Security Headers. It's a client-side framework with no server. The score is technically correct and completely misleading.
A Content-Security-Policy that allows 'unsafe-inline' in script-src gives up most of the XSS protection it exists for. Most projects that bother with CSP undermine it this way on day one.
Hoppscotch ships testpass in docker-compose.yml. Trigger.dev puts session secrets in .env.example. These files get copy-pasted to production.
Infisical disables CSP. Immich disables helmet entirely by default. n8n skips HSTS. Installing helmet is not the same as being secure.
Only 6 of 30 benchmarked projects configure HSTS properly. The difference between 'my host does HTTPS' and 'browsers refuse to connect without HTTPS' is one header: Strict-Transport-Security.
We audited 30 open-source projects. Every single one failed the Permissions-Policy check. Here's what it does and the one-liner fix.
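The three findings above (a CSP that allows 'unsafe-inline', HSTS that is missing or too short, no Permissions-Policy) can be checked from a response's headers without any scanner. The checker below is an added example written for this page, not the benchmark's scoring code or any project's own tooling; the thresholds (one-year max-age, includeSubDomains required) are this example's assumptions, and the two header sets are constructed, not captured from a real project.

```javascript
// Added example: a small Node.js checker for CSP, HSTS and Permissions-Policy.
// Thresholds below are assumptions of this example, not the benchmark's rules.

// Lower-case all header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse "default-src 'self'; script-src 'self' 'nonce-abc'" into
// { 'default-src': ["'self'"], 'script-src': ["'self'", "'nonce-abc'"] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// 'unsafe-inline' in script-src (or in default-src when script-src is absent)
// re-enables inline scripts, the main thing CSP is deployed to block.
// CSP Level 3 browsers ignore 'unsafe-inline' when a nonce or hash source is
// also listed, so that combination is not flagged.
function checkCsp(csp) {
  if (!csp) return ['csp: header missing'];
  const d = parseCsp(csp);
  const scriptSources = d['script-src'] || d['default-src'];
  if (!scriptSources) return ['csp: neither script-src nor default-src set'];
  const hasInline = scriptSources.includes("'unsafe-inline'");
  const hasNonceOrHash = scriptSources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasInline && !hasNonceOrHash) {
    return ["csp: 'unsafe-inline' allows inline scripts, neutralising XSS protection"];
  }
  return [];
}

// Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]
// Without the header, a browser will still follow a plain-HTTP link to the host.
function checkHsts(hsts, minMaxAge = 31536000) {
  if (!hsts) return ['hsts: header missing (browsers will still accept plain HTTP)'];
  const findings = [];
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
  const maxAge = m ? Number(m[1]) : null;
  if (maxAge === null) findings.push('hsts: max-age directive missing');
  else if (maxAge < minMaxAge) findings.push(`hsts: max-age ${maxAge} is below ${minMaxAge} (one year)`);
  if (!/includesubdomains/i.test(hsts)) findings.push('hsts: includeSubDomains not set');
  return findings;
}

function checkPermissionsPolicy(pp) {
  if (!pp) return ['permissions-policy: header missing'];
  return [];
}

function auditHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  return [
    ...checkCsp(h['content-security-policy']),
    ...checkHsts(h['strict-transport-security']),
    ...checkPermissionsPolicy(h['permissions-policy']),
  ];
}

// Constructed samples (not captured from any benchmarked project).
const SAMPLE_WEAK = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
};
const SAMPLE_STRONG = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Live use (Node 18+, global fetch): node check-headers.js https://your.host/
const target = process.argv[2];
if (target) {
  fetch(target, { redirect: 'manual' })
    .then(r => auditHeaders(Object.fromEntries(r.headers)))
    .then(f => console.log(f.length ? f.join('\n') : 'no findings'))
    .catch(e => console.error(e.message));
}
```

Run it against the origin users actually hit, not `localhost`: for a self-hosted deployment the reverse proxy in front of the app is usually where these headers are added or stripped, which is why the same project can score very differently on two installs.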
One line of Rails config gives you HTTPS, HSTS, and secure cookies. Here's what the equivalent looks like in Next.js — and why defaults matter more than documentation.
21 out of 30 benchmarked projects have no security.txt. Publishing one at /.well-known/security.txt takes 5 minutes, and it might be the difference between a researcher reporting a bug to you and a public zero-day.
Self-hosted projects score 30-50 points lower on security headers. The gap isn't about code quality — it's about who owns the reverse proxy.
Source maps left in a production build hand your frontend's original, unminified source to anyone who opens DevTools. Here's how to check yours in 10 seconds.
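The quick check is: fetch a production bundle, look for a `sourceMappingURL` comment or a `SourceMap` response header, then see whether the referenced `.map` file is reachable and whether it carries `sourcesContent` (the full original text) or only file paths. The script below is an added example, not the article's own tooling; the bundle text and map JSON in it are constructed, and the live `probe` function only runs when a URL is passed on the command line.

```javascript
// Added example: detect a production source map and what it exposes.
// The sample bundle and map below are constructed for this example.

// A bundle points at its map either with a trailing "//# sourceMappingURL=..."
// comment (older tools wrote "//@") or with a SourceMap / X-SourceMap header.
function sourceMapUrlFromBundle(bundleText) {
  const m = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m.exec(bundleText);
  return m ? m[1] : null;
}

function sourceMapUrlFromHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return h['sourcemap'] || h['x-sourcemap'] || null;
}

// Resolve the reference against the bundle URL. A data: URL means the whole
// map is inlined in the bundle itself, the worst case.
function resolveMapUrl(bundleUrl, ref) {
  if (ref.startsWith('data:')) return ref;
  return new URL(ref, bundleUrl).href;
}

// "sources" lists original file paths; "sourcesContent", when present,
// carries the complete original source for each of them.
function describeSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const sources = map.sources || [];
  const content = map.sourcesContent || [];
  return {
    fileCount: sources.length,
    exposesSource: content.some(s => typeof s === 'string' && s.length > 0),
    sampleFiles: sources.slice(0, 3),
  };
}

// Constructed inputs for offline use.
const SAMPLE_BUNDLE = '!function(){console.log("hi")}();\n//# sourceMappingURL=main.3f2a.js.map\n';
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  sources: ['src/auth/login.ts', 'src/api/client.ts'],
  sourcesContent: ['export const apiBase = "/internal";', null],
  mappings: 'AAAA',
});

// Live probe (Node 18+): node sourcemap-check.js https://host/static/js/main.abc.js
// Even with no reference in the bundle, many builds leave <bundle>.map beside it.
async function probe(bundleUrl) {
  const res = await fetch(bundleUrl);
  const text = await res.text();
  const ref = sourceMapUrlFromHeaders(Object.fromEntries(res.headers)) || sourceMapUrlFromBundle(text);
  const candidate = ref ? resolveMapUrl(bundleUrl, ref) : bundleUrl + '.map';
  if (candidate.startsWith('data:')) return { candidate: 'inline data: URL', inline: true };
  const mapRes = await fetch(candidate);
  if (!mapRes.ok) return { candidate, reachable: false };
  return { candidate, reachable: true, ...describeSourceMap(await mapRes.text()) };
}

const target = process.argv[2];
if (target) probe(target).then(r => console.log(r)).catch(e => console.error(e.message));
```

The manual version is the same check: open DevTools, look at the Sources panel, and if you see your original directory tree instead of one minified file, the map is being served. A map without `sourcesContent` still leaks file names and structure, which is enough to guide an attacker even if the code itself stays private.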
Reverse-engineering the highest-scoring Next.js project's security headers configuration. Copy-paste template included.
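In Rails the one line is `config.force_ssl = true` in `config/environments/production.rb`, which redirects to HTTPS, sends Strict-Transport-Security and marks cookies Secure. Next.js has no equivalent switch; the headers come from a `headers()` function in `next.config.js`. The config below is an added example written for this page, not the reverse-engineered configuration of the top-scoring project: the directive values (one-year HSTS, the specific Permissions-Policy features, the CSP source lists) are this example's choices, and the CSP is built from a map so that directives can be adjusted without editing a long string by hand.

```javascript
// Added example: a next.config.js that sets the headers the benchmark scores.
// Header values here are this example's choices, not Next.js defaults.

const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
  'upgrade-insecure-requests': [],
};

// Serialise the directive map into header syntax: "name src src; name src".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

const securityHeaders = [
  { key: 'Content-Security-Policy', value: buildCsp(cspDirectives) },
  // Two years, covering subdomains, eligible for the browser preload list.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  // Deny browser features the app never uses; extend the list per app.
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), payment=()' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'X-Frame-Options', value: 'DENY' },
];

const nextConfig = {
  async headers() {
    // '/(.*)' applies the set to every route, including static assets.
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

if (typeof module !== 'undefined') module.exports = nextConfig;
```

The caveat that separates a template from a working deployment: Next.js injects its own inline bootstrap scripts, so `script-src 'self'` as written will block them. The fix is not to add 'unsafe-inline' (which is exactly the self-defeating CSP the other articles describe) but to generate a per-request nonce in middleware and set the CSP header there, leaving the static headers above for everything that does not vary per request.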
Supabase and Formbricks scored A's. Five projects scored D's. The pattern: developers handle what they think about and miss everything else.
A step-by-step walkthrough: pick an audit, run it in your AI coding tool, read the results, and submit for benchmarking. Takes about 15 minutes.
8 new audits covering GDPR, CCPA, COPPA, cookie consent, email/SMS rules, FTC compliance, and more. 152 checks to keep your app on the right side of the law.
AuditBuffet organizes 86 audits into 18 packs — 11 by project type, 7 by focus area. Here's how to pick the right ones for your app.
AI coding tools ship fast but skip the fundamentals. Here's what they consistently miss — and how structured audits catch it.