Secure by Default
Security is not a feature you add at the end of a sprint. It is the set of defaults you apply from the first line of code. This course teaches the practical, non-exotic security measures that every production web application needs: HTTPS and TLS, environment variable management, Row Level Security in Supabase, rate limiting, JWT hardening, security headers, and what to do when something goes wrong. No pen-testing, no exotic exploits — just the defensive foundations that prevent 90% of attacks.
What you'll learn
Course outline
Free — no account needed
The Secure by Default Mindset
Deny all, allow explicitly — the design principle that prevents most attacks before they start
HTTPS and TLS — What It Protects and How to Enforce It
Why HTTPS is not optional, what it actually protects, and the two headers that enforce it
Secrets and Environment Variables — The Right Way
The .env pattern, what to expose to the browser, and how to prevent accidental leaks
Full course — $49 one-time
Row Level Security — Database Authorisation at the Data Layer
Supabase RLS: how to ensure users can only access their own data, enforced in the database
Rate Limiting — Brute Force Protection and API Abuse Prevention
How to protect login endpoints, AI calls, and any endpoint that can be abused at scale
Auth Hardening — JWTs, Sessions, and MFA
Making authentication robust: token expiry, rotation, and multi-factor authentication
Security Headers — Configuring the Browser as a Security Layer
CSP, HSTS, X-Frame-Options, and the 10-minute configuration that dramatically reduces attack surface
Logging and Incident Response
Security event logging, anomaly detection, and what to do when something goes wrong
Get the full course
8 lessons — from environment variable basics to production incident response.