Background
Some flaws can't be patched — they're built into the design. A password-reset flow with no rate limiting. A checkout that trusts the price the browser sends.
Questions to ask yourself
- Before we built the site, did anyone do threat modelling?
- Did we test rapid password resets, brute-force logins, repeated card attempts?
- Are limits in place on logins, password resets, account creation?
- Does the system trust data the browser sends?
What you can do today
Three design questions
Ask before the code is written.
1. For new applications, ask: “What did you think about misuse before building the features?”
2. Run a five-minute “what would I try as an attacker?” exercise.
3. Add rate limiting on failed logins, password resets, account creation and contact forms.
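As an added example (not part of the original checklist), a sliding-window limiter covering the abuse paths the last step names; the action names, limit values and keying choices are assumptions to tune per application:

```python
import time
from collections import defaultdict, deque

# Constructed example. Each action gets (max_events, window_seconds);
# the key is chosen per action: failed logins and resets per account,
# sign-ups and contact-form posts per client IP. Values are assumptions.
LIMITS = {
    "login_failure": (5, 300),     # 5 failed logins per 5 minutes per account
    "password_reset": (3, 3600),   # 3 reset requests per hour per account
    "account_create": (10, 3600),  # 10 sign-ups per hour per client IP
    "contact_form": (20, 3600),    # 20 submissions per hour per client IP
}


class RateLimiter:
    """Counts events per (action, key) inside a sliding time window."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so tests can control time
        self.events = defaultdict(deque)

    def _prune(self, q, window, now):
        # Drop timestamps that have slid out of the window.
        while q and now - q[0] >= window:
            q.popleft()

    def allow(self, action, key):
        """Record one attempt; return False once the window is full."""
        max_events, window = self.limits[action]
        now = self.clock()
        q = self.events[(action, key)]
        self._prune(q, window, now)
        if len(q) >= max_events:
            return False  # over the limit: reject and log for detection
        q.append(now)
        return True

    def record_success(self, action, key):
        """Clear a counter after a legitimate success (e.g. a correct login)."""
        self.events.pop((action, key), None)


def demo():
    """Six rapid failed logins, then one more after the window has passed."""
    t = [0.0]
    rl = RateLimiter(clock=lambda: t[0])
    results = [rl.allow("login_failure", "alice") for _ in range(6)]
    t[0] += 301  # the first burst has now left the 300-second window
    results.append(rl.allow("login_failure", "alice"))
    return results
```

A limiter keyed only by account lets a flood of wrong passwords lock out the legitimate user, so pair it with a per-source limit and alerting rather than a hard lockout alone.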