I'm not a security person.
I built a small paid SaaS mostly by prompting AI — Cursor and Claude Code doing most of the typing, me steering. It's a tool people pay for, with the payment processor checkout wired in. And right before I opened it up to real users, I got nervous.
Not because anything looked broken. Everything worked. The demo was clean, the checkout went through, the paid features unlocked. That was exactly the problem: it worked, and I couldn't fully read my own codebase to tell whether it was actually safe. "Works" and "safe to put real money and real user data behind" are not the same sentence, and I only half-understood the code standing between them.
So before launch, I sat down and audited it myself — line by line through the parts that could actually hurt me. Here's what I found, including the part that surprised me.
The stuff I was scared of






