Hamilton Ridley Consulting
Field Notes · Vol. 02
Security & Redundancy
For New Builders · 2026
A short guide

The boring stuff that saves the project.

Building features is the fun part. Protecting them is the unsexy part — and it's the difference between a project that lasts five years and a project that ends in a 2 a.m. apology email. The same four-lane structure applies: secrets, access, backups, recovery. Get a basic answer in each lane and you've covered ~90% of the ways new developers actually get burned.

Read this twice

The #1 way new developers get burned is committing a .env file to a public GitHub repo. Bots scan new commits within minutes — your Stripe key, OpenAI key, or DB password is harvested before you've finished pushing. Add .env to .gitignore on day one, no exceptions.
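One way to make the safe path the default on day one, as an added example that is not code from the original guide: a git pre-commit hook that refuses to commit an env file and flags a few well-known credential shapes in staged changes. The hook path, the `.env.example` exception and the key patterns (Stripe, OpenAI, AWS, PEM) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original guide: a git pre-commit hook that refuses
# to commit an env file and flags a few well-known credential shapes in staged changes.
# Install: copy to .git/hooks/pre-commit and chmod +x. The patterns (Stripe, OpenAI,
# AWS, PEM) are illustrative assumptions; GitHub secret scanning stays the backstop at push.

# Paths that must never be committed; committed templates (.env.example) are allowed.
is_env_file() {
    case "$1" in
        *.example|*.sample|*.template) return 1 ;;
        .env|.env.*|*/.env|*/.env.*)   return 0 ;;
    esac
    return 1
}

# Heuristic: does the text contain something shaped like a live credential?
looks_like_secret() {
    printf '%s\n' "$1" | grep -Eq \
        'sk_(live|test)_[A-Za-z0-9]{16,}|(^|[^A-Za-z0-9])sk-[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16}|BEGIN [A-Z ]*PRIVATE KEY'
}

main() {
    status=0
    # Staged paths that are added, copied, modified or renamed (deletions are fine).
    for path in $(git diff --cached --name-only --diff-filter=ACMR); do
        if is_env_file "$path"; then
            echo "pre-commit: refusing to commit $path; add it to .gitignore instead" >&2
            status=1
        fi
    done
    # Only the added lines of the staged diff, with the leading '+' stripped.
    added=$(git diff --cached --unified=0 | grep -E '^[+][^+]' | cut -c2- || true)
    if looks_like_secret "$added"; then
        echo "pre-commit: staged changes contain something that looks like a key; move it to .env" >&2
        status=1
    fi
    exit "$status"
}

# Act only when git runs this file as the hook; sourcing it elsewhere just defines the helpers.
case "$0" in *pre-commit) main ;; esac
```

The hook is a local safety net for the tired-and-in-a-hurry case; it does not replace `.gitignore` or the host's secret scanning.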

Lane 01
Secrets
API keys, passwords, tokens
Lane 02
Access
Who can do what
Lane 03
Backups
Copies you can't lose
Lane 04
Recovery
Knowing it broke, getting back
§ 01

The four lanes

Lane 01

Secrets

API keys, passwords, tokens, service-role keys. The strings that, if leaked, give a stranger your wallet or your data.

What changes between options
How easy it is for a future you (tired, in a hurry) to leak something. Better tools make the safe path the path of least resistance.
.env + .gitignore
The minimum. Local dev only. Never commit, never share over Slack.
Host env vars
Vercel/Netlify/Linode dashboards. Where production secrets actually belong.
GitHub secret scanning
Free. Catches leaks at push and auto-revokes via providers like Stripe.
1Password / Doppler
Shared team vaults. Worth it once more than one person needs the same key.
Lane 02

Access

Who is allowed to do what once a request reaches your app. Login, permissions, rate limits, input validation — the bouncer at every door.

What changes between options
Where the check happens. Client-side checks are decoration; the real enforcement has to live on the server or the database.
Auth.js / Clerk
Server-side login. Email, OAuth, magic links. Don't roll your own.
Supabase RLS
Database-level rules. The only way browser apps stay safe with a public key.
Rate limiting
Upstash, Cloudflare, Vercel. Stops bots and runaway AI bills cold.
Zod / Pydantic
Validate every input. The cheapest way to block injection attacks.
Lane 03

Backups

Copies of anything you can't afford to recreate. Code, database, uploaded files, configuration. The 3-2-1 rule still applies: three copies, two media, one offsite.

What changes between options
How fast you need to recover. "Last night" is fine for a contractor's CRM. "Last 5 minutes" is needed for anything taking payments.
GitHub (code)
If it's pushed, it's backed up. Push at the end of every session.
Supabase auto-backups
Daily on free tier, point-in-time on paid. On by default — verify it.
Host snapshots
Linode/DO weekly snapshots. ~$2/mo. Restores a whole server in minutes.
Offsite (S3 / B2)
Cron-job a DB dump to a different provider. Cheap insurance against vendor failure.
Lane 04

Recovery

Knowing something broke, and getting back online fast. Monitoring, alerts, rollback, runbooks. The difference between a 5-minute hiccup and a Monday-morning crisis.

What changes between options
Who finds out first. The goal is always: you before your client. Hosts give you the rollback button; monitoring tools tell you to push it.
Host rollback
Vercel "Promote previous." Replit revision history. Know where the button is.
Sentry
Free tier. Catches errors in production with the stack trace and user.
Healthchecks.io
Pings you when a scheduled job doesn't run. Silent failure killer.
Uptime monitoring
UptimeRobot, BetterStack. Confirms the site is actually up. Free tier is enough.
§ 02

The same three projects, through a security lens

Project A

Contractor lead form

Public landing page. No logins, no sensitive data, no payments. Form submissions email the owner. Worst-case downtime is "missed a few leads for a day."

Low risk · low effort
01 · Secrets
.env + scanning
.env in .gitignore, only the Resend API key. Turn on GitHub secret scanning (default for public). Done in 60 seconds.
02 · Access
Rate limit only
No login needed. Cloudflare or Vercel rate limit by IP. Stops form-spam without a database.
03 · Backups
GitHub is enough
No DB. The code is the project. If you can re-deploy in 10 minutes, you don't need more.
04 · Recovery
One-click rollback
Vercel/Replit instant rollback to any prior deploy. That's the entire recovery plan, and it's enough.
Project B

Multi-user CRM

Eight team members logged in daily. Customer data, job notes, schedules. Real revenue runs through it. A leak or an outage means real, contractual problems.

Real money on the line
01 · Secrets
Vercel env + rotation
Production keys live in Vercel, never in the repo. Service-role key never touches the browser. Rotate quarterly.
02 · Access
RLS + Auth.js + Zod
Supabase RLS on every table — opt-in is the wrong default. Auth.js for login. Zod-validate every server route. Three layers, three failure modes.
03 · Backups
Supabase + offsite
Daily auto-backup, plus a weekly DB dump to Backblaze B2. If Supabase has a bad day, you still have your customers' data.
04 · Recovery
Sentry + Vercel
Sentry pages you on errors. Vercel preview URLs let you test fixes before promoting. You hear about the bug before the client does.
Project C

Nightly automation

Runs unattended at 2 a.m. Pulls from four APIs, transforms data, sends a report. If it silently fails for three nights, someone makes a bad call on Thursday.

Silent failures = bad decisions
01 · Secrets
systemd env file
/etc/myapp/env, chmod 600, root-only. Rotated 2×/year. No keys in the repo, no keys in shell history.
02 · Access
SSH keys + ufw
No password auth, no public web UI. Firewall closes everything except SSH. The smaller the attack surface, the smaller the worry.
03 · Backups
SQLite → B2 nightly
Cron job: copy the SQLite file, gzip, push to Backblaze with rclone. 30 days of history for under $1/month.
04 · Recovery
Healthchecks.io
The job pings on success. If the ping doesn't arrive in the expected window, you get an SMS. Catches the silent failure mode that ruins this kind of project.
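Project C's backup and recovery lanes (and the offsite dump and Healthchecks.io entries in Lanes 03 and 04) as one cron-run script, added here as an example and not code from the original guide. Assumed names: the SQLite path, an rclone remote called "b2" with a bucket "myapp-backups", and HC_URL (the check's ping URL) exported from /etc/myapp/env so no key sits in the script or in shell history.

```shell
#!/bin/sh
# Added example, not code from the original guide: Project C's nightly SQLite backup with
# Healthchecks.io pings as one cron-run script. Assumptions: the DB path, an rclone remote
# named "b2" with bucket "myapp-backups", and HC_URL (the check's ping URL) exported from
# /etc/myapp/env. Crontab: 0 2 * * * . /etc/myapp/env && /usr/local/bin/nightly-backup.sh run
set -eu

DB=${DB:-/var/lib/myapp/app.db}            # assumed location of the SQLite file
REMOTE=${REMOTE:-b2:myapp-backups/sqlite}  # assumed rclone remote and bucket path
KEEP_DAYS=30                               # the 30 days of history from the guide

# Healthchecks.io endpoints: "<url>/start" = run began, "<url>" = success, "<url>/fail"
# = failure. If the success ping does not arrive inside the grace period, you get paged.
hc_endpoint() {
    case "$1" in
        start) printf '%s/start\n' "$HC_URL" ;;
        fail)  printf '%s/fail\n' "$HC_URL" ;;
        *)     printf '%s\n' "$HC_URL" ;;
    esac
}

# A monitoring hiccup must not abort the backup itself, hence "|| true".
ping_hc() { curl -fsS -m 10 --retry 3 "$(hc_endpoint "$1")" >/dev/null 2>&1 || true; }

# Object name in the bucket; the UTC stamp sorts chronologically in listings.
backup_object_name() { printf 'app-%s.db.gz\n' "$1"; }

run_backup() {
    ping_hc start
    work=$(mktemp -d)
    # Every exit path lands here: clean up, and on a non-zero status tell Healthchecks.
    trap 'rc=$?; rm -rf "$work"; [ "$rc" -eq 0 ] || ping_hc fail; exit "$rc"' EXIT

    name=$(backup_object_name "$(date -u +%Y%m%dT%H%M%SZ)")
    # sqlite3's .backup takes a consistent snapshot even while the app is writing;
    # a plain cp of a live database can produce a torn, unreadable copy.
    sqlite3 "$DB" ".backup '$work/app.db'"
    gzip -9 "$work/app.db"
    gzip -t "$work/app.db.gz"                          # never upload a corrupt archive

    rclone copyto "$work/app.db.gz" "$REMOTE/$name"
    rclone delete "$REMOTE" --min-age "${KEEP_DAYS}d"  # prune anything older than 30 days
    ping_hc ok                                         # success ping closes the run
}

case "${1:-}" in run) run_backup ;; esac
```

Set the check's period to one day and its grace to an hour or so; a run that starts but never sends the success ping is exactly the silent failure this project needs to hear about.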

Hamilton Ridley Consulting · 2026
daniel.kemp@hamiltonridley.com