The Decloak Journal
Stories from around the web security world, plus release notes and changes to Decloak itself.

Every domain accumulates subdomains nobody remembers: old staging environments, abandoned marketing pages, test deployments. Most were never meant to be public, and almost nobody audits them.

Source maps make debugging easier by linking minified code back to the original files. Left enabled in production, they hand an attacker your app's entire uncompiled source, comments and all.

Missing Content-Security-Policy headers show up in the vast majority of the sites we scan. Here's what CSP actually protects against, why it gets skipped, and how to add a working policy without breaking your site.

Row Level Security is off by default in Supabase. That one setting is behind the most common security failure we see in AI-built apps - and it takes about 30 seconds to check whether yours is affected.