Folks at resend seem too smart to just let anyone with Database credential Access their DB over a API. Even small startups take steps to at least put IP restrictions. Resend should probably share a developer blog detailing what exactly happened and how the hacker navigated - after all they are a open source company.

Clerk also has had security issues a couple of days ago!

Thank you for posting this video. It needs to be shared across the modern development industry!

Completely agree it’s the worst decision to allow to access your db over internet, VPC is a must 👍 btw Amazing video we really love this type of content, it helps us a lot😎🙌

does codedamn uses resend for emails?, and just a friendly request when you explain some concepts like these at 6:40 , plz try to elaborate it a little bit more

Now they've dropped database from production, Can you create a video on this thing, explaining devops side of preventing such incidents

Hey Mehul ! I recently came across your channel. I am still discovering your videos I have a suggestion/ request. Can you do a small or detailed system design sorts of video especially on mess ups like these? I believe it can be helpful in understanding how we can develop applications that are more secure and robust.

Create best security practice playlists, i know u have created but its not completed I believe so😢

Can someone recommend good resources/courses for backend and database security?

Interesting

I read "Not Accessed: No unencrypted tokens" as "No unencrypted tokens accessed." You are correct in reading it the other way, but I don't believe that was the intended meaning. Sometimes people use a double negative for reinforcement instead of mutual negation.

What is your VS code theme?

Mehul , which service you use for your database? And how did you setup your database?

No unencrypted tokens means decrypted token / plain token I guess

you are absoloutely right Mehul sir, it's totally lazy and noobed practice to just use whole database over a api key, even a simple CORS origin restriction would have made it difficult for the attacker to gain access, what i think is, it's the result of youtube culture of learning make this make that, clone of this and that, not providing enough of the basics of settingup a proper project and stilling confidently throwing jargons full-fledge apps and thus creating illusions of production ready apps while not being close to 10% close to production ready apps and also its the fault of startups offering everything in a minute over a click not making madatory setups pre-production app setup, i bet, gave them GCP to setup a simple app in production from cloud DNS, VPC, ip -reservation and all they just gonna waste a week over it. Or they are just too smart and lazy to do that.😂😂.

All this js because of chatgpt, they portray as a AI,but it is not.And forcing developers to include AI in every thing and forcing devepera to compromise on security.

hii! mehul sir I know this comment doesn't come under this video but I got this tricky problem with nextjs do you think you can help me? So basically when i run build with env then all my values get hardcoded and if i run build without env then the process.env.url stays the same but it doesn't read values from .env file even after copying it to standalone output dir of build, i get undeifined. I have a backend code which was running at localhost:8000, so now when i create the nextjs frontend image and nodejs backend image and try to run them on k8s the backend url get changed so because of hardcoded values ,the frontend can't connect to backend now. I can run backend first then get the ip address and build the frontend image accordingly but in future if i make any change to my backend because of which i might get new ip address then again i have to rebuild my frontend image.Then all the cicd, and zero downtime strategy of k8s will be wasted.I tried official and other site but didn't actually helped.Even a short video will be helpful.Thank you.

Would love to see new web security tutorial 😀😀

Eye-opening.

Password should be hashed and salted

Use t3 env for preventing env leak

Mehul Bhaiya Your All Videos are super Awesome, Whether It's in English or In Hindi.❤

few days ago resend had some producion failure.

I am using resend to send Marketing mails and for website api also. 😮‍💨

Very important topic. Thanks @codedamn for sharing