How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso

  • MyrinNew · Senior Member · Feb 2024 · 5168

    #1
    I've been building ratecalc.fyi — a free sponsorship rate calculator for UGC creators — for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code.

    It found 6 issues. I fixed all of them in one session.

    Here's exactly what was wrong and how I fixed it.

    What is gstack /cso?

    gstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase.

    You run it with one command:

    Load gstack. Run /cso

    The 6 vulnerabilities

    1. 🔴 CRITICAL — Admin password in git history
      My admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history.
      Fix: Rotated the password, moved to env variable, scrubbed git history with git filter-repo, force-pushed.

      ```python
      import os

      # Before
      _ADMIN_PASS = b"hardcoded_password_here"

      # After
      _ADMIN_PASS = os.getenv("ADMIN_PASS", "changeme").encode()
      ```

    2. 🔴 HIGH — User emails committed to git
      My SQLite database file (notify.db) containing user emails was committed to the repo.
      Fix: git rm --cached notify.db, scrubbed from all history, added to .gitignore.
    3. 🔴 HIGH — Webhook auth bypass
      The LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set — meaning anyone could POST fake payment events and get free Pro access.
      Fix: App now raises on startup if the secret is missing. Fail closed, not fail open.
    4. 🔴 HIGH — Admin fallback password
      Admin panel fell back to "changeme" if ADMIN_PASS env var wasn't set.
      Fix: Same pattern — startup raises if env var missing.
    5. 🟡 MEDIUM — Rate limit bypass
      The calculator rate limit read IP from X-Forwarded-For header, which any client can spoof.
      Fix: Changed to request.client.host — not spoofable at transport layer.
    6. 🟡 MEDIUM — Missing security headers
      CSP and HSTS headers were absent.
      Fix: Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware.


    What I learned

    Running a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours — but any one of them could have caused real damage with real users.

    The gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now.

    The repo: ratecalc.fyi is live. Free calculator, no signup required.
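The fail-closed pattern from items 3 and 4 (refuse to start when a secret is missing or left at a default), the webhook signature check with its fail-open counterpart for contrast, and the response headers from item 6, as an added example that is not code from the post, the ratecalc.fyi project, or gstack. It uses only the standard library so it runs without FastAPI; the X-Signature header name and the HMAC-SHA256 hex-digest format are assumptions about the payment provider rather than facts taken from the post, and the header values are illustrative.

```python
"""Fail-closed secret loading, webhook signature verification, security headers.

Added example, not code from the ratecalc.fyi project or the gstack skill.
Assumptions: the webhook provider sends an HMAC-SHA256 hex digest of the raw
request body in an X-Signature header; the header values below are illustrative.
"""
import hashlib
import hmac
import os
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised at startup when a required secret is absent or is a known default."""


# Values that must never be accepted as a real secret (constructed list).
_PLACEHOLDER_SECRETS = {"", "changeme", "change-me", "password"}


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the secret `name` from the environment, or raise.

    Fail-closed replacement for os.getenv(name, "changeme"): a missing or
    placeholder value aborts startup instead of running with a guessable value.
    `env` defaults to os.environ; it is a parameter so the check is testable.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or value.strip().lower() in _PLACEHOLDER_SECRETS:
        raise MissingSecretError(f"{name} must be set to a non-default value before start")
    return value


def _sign(secret: str, body: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw body under `secret`."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_webhook_fail_open(secret: Optional[str], body: bytes, signature: Optional[str]) -> bool:
    """The vulnerable pattern: with no secret configured, every payload is accepted."""
    if not secret:
        return True  # BUG: fail open, so anyone can POST fake payment events
    return hmac.compare_digest(_sign(secret, body).encode(), (signature or "").encode())


def verify_webhook(secret: Optional[str], body: bytes, signature: Optional[str]) -> bool:
    """Fail-closed check: a missing secret is a configuration error, not a bypass."""
    if not secret:
        raise MissingSecretError("webhook secret not configured")
    if not signature:
        return False
    expected = _sign(secret, body).encode()
    # Constant-time comparison on bytes; a non-hex or non-ASCII header just fails.
    return hmac.compare_digest(expected, signature.strip().lower().encode())


def security_headers() -> dict:
    """Headers to attach to every response (illustrative values)."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed environment and webhook payload for a stand-alone run.
    env = {"ADMIN_PASS": "s3cret-value", "LEMONSQUEEZY_WEBHOOK_SECRET": "whsec-demo"}
    secret = require_secret("LEMONSQUEEZY_WEBHOOK_SECRET", env)
    body = b'{"meta":{"event_name":"order_created"}}'
    good_sig = _sign(secret, body)
    print("valid signature accepted:", verify_webhook(secret, body, good_sig))
    print("tampered body rejected:", verify_webhook(secret, body + b" ", good_sig))
    print("fail-open accepts anything:", verify_webhook_fail_open(None, body, None))
    try:
        require_secret("ADMIN_PASS", {"ADMIN_PASS": "changeme"})
    except MissingSecretError as exc:
        print("startup refused:", exc)
```

In a FastAPI app the natural places for these are: require_secret() at module import or in a startup handler, verify_webhook() in the webhook route against `await request.body()` and `request.headers.get("X-Signature")` with a 401 on False, and security_headers() merged into `response.headers` inside an `@app.middleware("http")` function. On the rate-limit fix in item 5, one caveat a practitioner should keep in mind: request.client.host is the TCP peer address, so behind a reverse proxy or CDN it is the proxy's address for every request, and the real client IP can then only be recovered from a forwarded header that the proxy itself sets and that is honoured only when the peer is the trusted proxy.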
