Your AI Wrote the Code.
Did It Write It Safely?
AI tools ship working code fast. They don't reliably ship secure, testable, production-ready code. I review AI-generated Django apps for the vulnerabilities and missing pieces that cause incidents.
Request an Audit →
See what's covered ↓
What the Audit Covers
A systematic review across security, production-readiness, and code quality.
Authentication & Authorization
Every view checked for @login_required (or the equivalent mixin or permission class), object-level ownership filters, and privilege escalation paths. IDOR is the most common security flaw in the AI-generated apps I review.
Django Security Settings
DEBUG mode, SECRET_KEY management, ALLOWED_HOSTS, HTTPS settings, CSRF, session security, and security headers. Verified against Django's own deployment checklist (python manage.py check --deploy) and then read by hand, because the command only covers what can be decided from settings alone.
Injection & Input Validation
Raw SQL built with string formatting (raw(), cursor.execute()), path traversal in file handlers, template injection (user input passed to Template() or rendered with |safe), and any use of eval() or unsafe deserialization (pickle, unrestricted YAML loading) on user input.
Production Infrastructure
Database engine (SQLite vs PostgreSQL), Gunicorn vs runserver, static/media file setup, environment variable handling, and secret storage.
Test Coverage Assessment
What's tested, what's not, and what must be tested before go-live. Includes a written list of the critical-path tests missing from the codebase.
Code Quality & Maintainability
N+1 query problems, missing indexes, business logic in templates, hardcoded values that belong in settings, and anything a future developer will curse about.
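As an added example (not code from this page or from any particular project), here is the kind of settings an AI tool typically emits beside a settings fragment that derives the hardened values from the environment, plus a pure-Python stand-in for a few of the conditions python manage.py check --deploy warns about. Django is not imported, so it runs on its own; the environment variable names, the dict layout and the check wording are assumptions for the demonstration, and the real command checks more than this.

```python
"""Added example, not the page's or any project's code: production Django
settings derived from the environment, beside a reimplementation of a few of
the `manage.py check --deploy` conditions. Django itself is not imported."""


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


def build_settings(env):
    """Derive the security-relevant settings from an environment mapping.

    Secrets come only from the environment, and everything that must differ
    between development and production is keyed off DJANGO_DEBUG, which
    defaults to off so that forgetting to set it fails safe. The variable
    names are an assumption of this example.
    """
    secret = env.get("DJANGO_SECRET_KEY", "")
    if not secret:
        raise ImproperlyConfigured("DJANGO_SECRET_KEY is not set")
    debug = env.get("DJANGO_DEBUG", "0") == "1"
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not debug and not hosts:
        raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS is required when DEBUG is off")
    return {
        "DEBUG": debug,
        "SECRET_KEY": secret,
        "ALLOWED_HOSTS": hosts or ["localhost", "127.0.0.1"],
        # Cookie and transport hardening only works behind TLS, so the weak
        # development values are tied to DEBUG instead of being module-level
        # constants that quietly ship to production.
        "SECURE_SSL_REDIRECT": not debug,
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
        "SECURE_HSTS_SECONDS": 0 if debug else 31536000,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": not debug,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
        "SESSION_COOKIE_HTTPONLY": True,
        "X_FRAME_OPTIONS": "DENY",
    }


# A typical AI-generated settings.py, flattened to a dict (constructed).
AI_DEFAULT_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
}


def deploy_check(settings):
    """Return a description of each failed check; an empty list means clean.

    Mirrors the logic of a handful of `check --deploy` warnings so it can be
    read in one place. The SECRET_KEY rule is Django's: at least 50 characters,
    at least 5 distinct ones, and not the generated "django-insecure-" value.
    """
    failures = []
    if settings.get("DEBUG"):
        failures.append("DEBUG is True")
    key = settings.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        failures.append("SECRET_KEY is missing, short, or the generated placeholder")
    if not settings.get("ALLOWED_HOSTS"):
        failures.append("ALLOWED_HOSTS is empty")
    for name in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(name):
            failures.append(f"{name} is not True")
    if not settings.get("SECURE_HSTS_SECONDS"):
        failures.append("SECURE_HSTS_SECONDS is 0")
    return failures


if __name__ == "__main__":
    for line in deploy_check(AI_DEFAULT_SETTINGS):
        print("FAIL:", line)
    prod = build_settings({
        "DJANGO_SECRET_KEY": "prod-" + "abcdefghij" * 6,
        "DJANGO_ALLOWED_HOSTS": "example.com,www.example.com",
    })
    print("production failures:", deploy_check(prod))
```

The point of deriving the values rather than writing them as constants is that the dangerous settings cannot exist in a file without also existing in the environment that controls them; the real deployment check should still be run, since it knows about middleware, cookie names and settings this fragment does not touch.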
What AI Consistently Gets Wrong
These five vulnerabilities appear in nearly every AI-generated Django app I review.
Insecure Direct Object References (IDOR)
Views check @login_required but not whose object is being accessed. Any logged-in user can read or modify another user's data by guessing IDs.
Missing Authentication on New Views
AI adds features in isolation. The delete endpoint, the export endpoint, the admin API — added without authentication because it wasn't in the immediate prompt context.
DEBUG = True in Production
The default for development becomes the default for production. Any visitor who triggers an error gets the technical error page: stack trace with local variables, settings, database name, file paths and request metadata. A wrong URL is enough, since the debug 404 page lists every URL pattern in the project.
@csrf_exempt on API Endpoints
AI adds @csrf_exempt to make fetch() calls work instead of sending the CSRF token in the X-CSRFToken header. This disables cross-site request forgery protection on a session-authenticated, state-changing endpoint, so any site the user visits can call it with the user's cookies. The exemption is only defensible on endpoints that authenticate with something the browser does not attach automatically, such as an Authorization header token.
Path Traversal in File Handling
File download views use user-supplied filenames directly. An attacker passes ../../etc/passwd and reads arbitrary files from the server. The fix is to resolve the requested path and refuse anything that lands outside the intended directory, or to go through Django's storage API, which performs that check for you.
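The IDOR pattern from the list above, as an added example that is not code from this page or from any project: an in-memory stand-in for a Django model and get_object_or_404, so it runs without Django installed. The Invoice rows, the two users and the view functions are constructed for the demonstration; each view's docstring gives the real Django line it stands for, and login is assumed to have been enforced already by @login_required.

```python
"""Added example, not the page's or any project's code: three versions of a
detail view on an in-memory stand-in for a Django model, showing the IDOR
(authenticated but not authorized) and two ways to close it."""
from dataclasses import dataclass


class Http404(Exception):
    """Stand-in for django.http.Http404."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as 403)."""


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass(frozen=True)
class Invoice:
    pk: int
    owner_id: int
    total: int


# Stand-in for Invoice.objects: a list we filter by keyword like a QuerySet.
INVOICES = [
    Invoice(pk=1, owner_id=1, total=120),   # alice's (constructed)
    Invoice(pk=2, owner_id=2, total=9800),  # bob's (constructed)
]


def get_object_or_404(rows, **lookups):
    """Mimic django.shortcuts.get_object_or_404 over a list of dataclasses."""
    matches = [r for r in rows if all(getattr(r, k) == v for k, v in lookups.items())]
    if not matches:
        raise Http404
    return matches[0]


def invoice_detail_vulnerable(user, pk):
    """What AI tends to write: the view is behind @login_required, but the
    lookup only asks whether the row exists, so any user can fetch any pk.

    Django: get_object_or_404(Invoice, pk=pk)
    """
    return get_object_or_404(INVOICES, pk=pk)


def invoice_detail_fixed(user, pk):
    """Scope the lookup to the requesting user, so other users' rows are
    invisible. Answering 404 rather than 403 also avoids confirming that
    the guessed pk exists.

    Django: get_object_or_404(Invoice, pk=pk, owner=request.user)
    """
    return get_object_or_404(INVOICES, pk=pk, owner_id=user.id)


def invoice_detail_explicit(user, pk):
    """Fetch-then-check variant, for rules richer than simple ownership
    (shared objects, staff access) where a 403 is the intended answer.

    Django: obj = get_object_or_404(Invoice, pk=pk)
            if obj.owner != request.user: raise PermissionDenied
    """
    invoice = get_object_or_404(INVOICES, pk=pk)
    if invoice.owner_id != user.id:
        raise PermissionDenied
    return invoice


def can_read(view, user, pk):
    """True if `view` would serve invoice `pk` to `user`; used to compare variants."""
    try:
        view(user, pk)
        return True
    except (Http404, PermissionDenied):
        return False


ALICE = User(id=1, username="alice")  # constructed
BOB = User(id=2, username="bob")      # constructed

if __name__ == "__main__":
    for view in (invoice_detail_vulnerable, invoice_detail_fixed, invoice_detail_explicit):
        print(f"{view.__name__}: alice reads bob's invoice -> {can_read(view, ALICE, 2)}")
```

The review question for every detail, update and delete view is which of the three shapes it has; a scanner can flag the first shape as a bare pk lookup, but only someone who knows who is supposed to own an Invoice can say whether the flag is a finding.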
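The path traversal case, as a second added example that is not code from this page or from any project: a download view's filename handling as an AI tool tends to write it, beside a hardened version. It is plain Python so it runs without Django; the MEDIA_ROOT layout, the file names and the symlink are constructed inside a temporary directory for the demonstration.

```python
"""Added example, not the page's or any project's code: resolving a
user-supplied filename under MEDIA_ROOT and rejecting anything that escapes
it, including absolute paths, '..' segments and symlinks pointing outside."""
import os
import tempfile
from pathlib import Path


def download_vulnerable(media_root, user_path):
    """What the AI wrote: the user's string goes straight into the path, so
    '../../etc/passwd' walks out of media_root."""
    return os.path.join(media_root, user_path)


def resolve_under(base, user_path):
    """Return the real path of base/user_path, or None if it leaves base.

    realpath on both sides collapses '..' and follows symlinks, so a link
    inside base that points outside is rejected too. Absolute user paths
    are rejected up front because os.path.join would discard base for them,
    and NUL bytes because the OS would silently truncate the name.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = Path(os.path.realpath(base))
    candidate = Path(os.path.realpath(os.path.join(str(base_real), user_path)))
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None
    return str(candidate)


def download_fixed(media_root, user_path):
    """Resolve, refuse anything outside media_root, and refuse non-files.

    Both refusals raise the same error so the response is a plain 404 and
    the caller never learns whether the target existed.
    """
    path = resolve_under(media_root, user_path)
    if path is None or not os.path.isfile(path):
        raise FileNotFoundError(user_path)
    return path


def demo():
    """Build a throwaway MEDIA_ROOT with one file and one escaping symlink and
    return what the hardened view does with a set of requests (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "media")
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "report.pdf"), "w") as f:
            f.write("pdf")
        with open(os.path.join(tmp, "outside.txt"), "w") as f:
            f.write("secret")
        try:
            os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(root, "link.txt"))
        except OSError:
            pass  # no symlink support: link.txt then simply does not exist
        requests = [
            "uploads/report.pdf",        # legitimate
            "../outside.txt",            # classic traversal
            "/etc/passwd",               # absolute path
            "uploads/../../outside.txt", # traversal hidden behind a real dir
            "link.txt",                  # symlink escaping MEDIA_ROOT
            "uploads/missing.pdf",       # inside the root but absent
        ]
        results = {}
        for req in requests:
            try:
                download_fixed(root, req)
                results[req] = "served"
            except FileNotFoundError:
                results[req] = "404"
        return results


if __name__ == "__main__":
    print(download_vulnerable("/srv/media", "../../etc/passwd"))
    for req, outcome in demo().items():
        print(f"{outcome:>6}  {req}")
```

In Django the same containment check is what FileSystemStorage.path() applies, so a view that asks the storage backend for the path instead of joining strings gets it for free; serving with FileResponse from that path, and never from a user-controlled absolute path, closes the remaining gap.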
Audit Packages
Fixed price. No hourly surprises. Delivered within 72 hours.
Security Scan
For apps under 1,000 lines of view code. Quick security-only pass.
- Authentication & IDOR audit
- Django check --deploy checklist
- Top 5 vulnerabilities report
- Fix recommendations (written)
- Delivered in 24 hrs
Full Audit
Comprehensive review of security, production-readiness, and code quality.
- Everything in Security Scan
- Production infrastructure review
- Test coverage assessment
- Code quality & N+1 review
- 30-min debrief call
- Delivered in 48 hrs
Audit + Fix
Full audit plus I implement the critical fixes for you.
- Everything in Full Audit
- All critical issues fixed
- Tests written for audited paths
- CI setup (GitHub Actions)
- 60-min handoff call
- Delivered in 72 hrs
How It Works
Submit Your Project
Fill out the project form. Share repo access (private GitHub or zip). I'll confirm scope and start within 24 hours.
Audit & Analysis
I read every view, every model, every settings file. Manual review — not an automated scanner.
Written Report
Prioritized list of issues (Critical / High / Medium / Low) with exact file paths, line numbers, and how to fix each.
Debrief Call
Walk through the report together. You leave knowing what to fix first and why it matters.
Fixes (Audit + Fix tier)
I implement the critical fixes, write tests for the audited paths, and set up CI to catch regressions.
From the Blog
Practical articles on Django, Python, AWS, and software development.
Frequently Asked Questions
Do you need access to my entire codebase?
Yes — a meaningful security audit requires reading the full codebase, not just selected files. You can share via private GitHub repo (I'll be added as a collaborator and removed after delivery) or a zip file. I sign NDAs before starting.
What if I used Cursor, Copilot, or Claude to write the code?
It doesn't matter which AI tool generated the code. The vulnerabilities are consistent across all of them — the five bugs I listed above appear regardless of which model or tool was used.
My app isn't Django — can you still audit it?
The Security Scan and Full Audit packages are designed for Django/Python. For FastAPI, Flask, or non-Python frameworks, contact me and we can discuss a custom scope.
How is this different from running an automated scanner?
Automated scanners (Bandit, Semgrep, OWASP ZAP) catch issues that can be expressed as a code pattern or a request pattern. They cannot reliably find IDOR, the most common AI-generated vulnerability, because telling a legitimate lookup from a missing ownership check requires knowing the business logic: a scanner can flag a bare pk lookup, but only someone who knows who is supposed to own that object can say whether the flag is a finding. Manual review is how those get caught.
What if I don't have any tests at all?
The Full Audit includes a test coverage assessment that tells you which critical paths need tests before go-live. The Audit + Fix tier includes actually writing those tests. Zero tests is not unusual for AI-built apps — it's one of the main things I help fix.
Know What You're Shipping Before You Ship It
Most security incidents in small apps are preventable. A 48-hour review costs far less than the first incident — in engineer time, customer trust, or regulatory exposure.
Request an Audit →