Field notes from the walls.
Security, SEO & AEO guides for developers who ship with AI — and want to ship safe.
Troja vs. checkvibe: the closest scanner comparison (2026)
checkvibe pioneered security + SEO + AEO scanning with AI fix prompts and a 7-engine matrix. Troja matches it and adds connected deep-stack scans. The honest comparison.
Troja vs. Fixnx: which AI website scanner should you use?
Fixnx runs 100+ AI-powered security, SEO and speed checks with credit-pack pricing. Troja adds AEO, connected deep-stack scans and per-finding AI fixes. Compared.
Troja vs. CyScan.io: recon tool vs. fix-it scanner
CyScan.io is a free attack-surface recon scanner — endpoints, subdomains, fuzzing, screenshots. Troja is a fix-and-ship scanner with AI fixes, AEO and deep-stack scans.
Troja vs. Dr URLs: website health vs. AI-native scanner
Dr URLs runs 200+ SEO, security, performance and accessibility checks with monitoring. Troja adds AEO, AI fix prompts and connected deep-stack scans. The comparison.
Troja vs. OffURL: which website security scanner wins?
OffURL runs 150+ no-signup security checks with CVE lookup and threat intel. Troja adds AEO, connected deep-stack scans and AI fixes. Here's the honest comparison.
Troja vs. SiteShield: developer scanner vs. agency platform
SiteShield is an agency-grade audit with AEO, GEO, accessibility and ESG. Troja is a developer-first scanner with AI fix prompts and connected deep-stack scans. Compared.
Troja vs. checkvibe, OffURL, Fixnx, SiteShield, CyScan, Dr URLs
An honest, feature-by-feature comparison of Troja vs. checkvibe, OffURL, Fixnx, SiteShield, CyScan.io and Dr URLs — security, SEO, AEO, AI fixes and price.
How to Check if ChatGPT Can See Your Website (and Fix It if It Can't)
Most sites are accidentally invisible to AI answer engines. Here's how to test whether ChatGPT can actually fetch your pages — and the three-line fixes when it can't.
SEO vs AEO: What Actually Changes When AI Answers the Query
Ranking #1 doesn't matter if the AI answers before anyone scrolls. Here's the concrete difference between optimizing for results pages and optimizing for the answer itself.
What Is AEO? Answer Engine Optimization, Explained for 2026
AEO is the discipline of getting cited inside AI answers instead of just ranked on a results page. Here's how answer engines actually read your site — and how to be the source they quote.
CSRF Protection: The Complete Guide for Modern Web Apps
CSRF still bites apps that lean entirely on cookies for auth. Here's how the attack works, why SameSite isn't a complete fix, and how to defend with tokens, headers, and double-submit.
Is Your AI Code Secure? A Security Audit Guide for Cursor & Copilot Projects
AI assistants write plausible code fast — including plausible vulnerabilities. Here's a systematic audit for the specific mistakes Cursor, Copilot, and Claude tend to ship.
Firebase Security Rules: 8 Common Mistakes That Expose Your Data
Firebase puts your database one rule away from the public internet. Here are the eight Security Rules mistakes that leak user data — and the correct patterns for each.
How to Check If Your Website Is Secure (5-Minute Guide)
A fast, do-it-yourself pass over the security basics every site should get right — TLS, headers, exposed files, and cookie flags — with the exact commands to check each.
JWT Security: 7 Common Mistakes That Let Attackers In
JWTs are easy to use and easy to misuse. Here are the seven mistakes — from the alg:none bypass to storing tokens in localStorage — that turn your auth into an open door.
SaaS Security Checklist Before Launch: The MVP Guide
Shipping your MVP this week? Run this pragmatic, prioritized security pass first — covering auth, multi-tenancy, secrets, payments, and the few headers that actually matter.
Supabase Security Checklist: 15 Things to Check Before Launch
Supabase exposes your Postgres database to the browser. That's powerful — and dangerous if RLS is off. Here are 15 concrete checks, with real policies, before you go live.
Vercel Deployment Security: The Production Checklist for Next.js
Vercel makes deploying trivial — and makes a few security footguns trivial too. Here's the production checklist: env scoping, headers, preview protection, and the bundle leak everyone hits.
How to Secure Your Vibe-Coded App: A Developer's Guide
You vibe-coded an app and it works. Now make sure it's not leaking. A practical, end-to-end security pass for apps built mostly by an AI agent — without slowing you down.
Free Website Security Scan: What It Checks and Why You Need One
What does a free security scan actually look at, what can't it find, and how do you act on the results? A straight explanation of automated scanning and where it fits.
Next.js Security Best Practices: 10 Things Most Developers Miss
Next.js is secure by default — until you reach for client components, route handlers, and middleware. Here are ten places the framework's footguns hide, with the correct patterns.
Vibe Coding Security Risks: What AI-Generated Code Gets Wrong
AI writes code that runs, looks right, and passes review — while quietly reproducing the most common vulnerabilities. Here's what AI-generated code gets wrong, and why.
OWASP Top 10 for Indie Hackers: A No-Nonsense Guide
The OWASP Top 10 without the enterprise jargon. Each category explained for a solo dev shipping a SaaS — what it is, how it bites you, and the one fix that matters.
Best Website Security Scanners in 2026: Troja vs OWASP ZAP vs Snyk vs Burp Suite
A practical comparison of four very different tools — Troja, OWASP ZAP, Snyk, and Burp Suite — what each is actually for, and how to pick the right one for your stack.
How to Secure Your Next.js + Supabase App: A Complete Security Checklist
The Next.js + Supabase stack is fast to ship and easy to leak. This end-to-end checklist covers RLS, the anon vs service key, auth, headers, and the bundle — with real code.