Posts
Shipping fast feels great—until the hackers show up.
Leo Jr. learned this the hard way. He’s a non-technical indie hacker who built and scaled an app publicly, attracting attention (and revenue) with spicy takes like "AI SaaS won’t work." But the attention didn’t stop at engagement. It made him a target.
Soon after, hackers began probing his app for security flaws. And they found plenty—API keys exposed in the codebase, easily bypassable paywalls, and more. The result? Half the internet was trying to break his app for fun.
This isn’t new. Pieter Levels, Marc Lou—other big names in the indie hacker world have dealt with DDoS attacks and vulnerability exploits after their products blew up. But Leo’s case stands out because he’s not a developer. He vibe-coded his way to success without fully understanding the security side of things.
What Indie Hackers Can Learn
As someone who's also building and shipping apps fast (and not immune to these risks), here are two key takeaways:
1. Hide Your API Keys
Publicly exposed API keys are an open invitation to hackers. Store them securely using environment variables instead of hardcoding them in your codebase. If you’re using Next.js, create a .env.local file and reference the keys like this:
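```
# No NEXT_PUBLIC_ prefix: Next.js inlines NEXT_PUBLIC_* variables into the browser bundle
API_KEY=your-key-here
```
Then access it in your code like this:
```ts
// Readable on the server only (API route, route handler, server component)
const apiKey = process.env.API_KEY;
```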
Simple fix, big impact.
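Next.js inlines any variable prefixed with NEXT_PUBLIC_ into the browser bundle, so a secret key must not carry that prefix. A check for that which can run before each commit, as an added example (not from the original post); the name patterns and the sample .env.local content are assumptions constructed for illustration:

```typescript
// Heuristic name patterns (assumption): adjust them to your own naming scheme.
const SECRET_HINT = /(SECRET|PRIVATE|PASSWORD|TOKEN|KEY)/;
// Names that mark keys a provider intends for browser use (assumption).
const KNOWN_PUBLIC = /(PUBLISHABLE|ANON)/;

type Finding = { line: number; name: string };

// Returns every NEXT_PUBLIC_* variable whose name suggests it holds a secret.
function findExposedSecrets(envText: string): Finding[] {
  const findings: Finding[] = [];
  envText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;          // blank or comment
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (!m) return;                                           // not an assignment
    const name = m[1];
    if (!name.startsWith('NEXT_PUBLIC_')) return;             // server-only, not bundled
    if (SECRET_HINT.test(name) && !KNOWN_PUBLIC.test(name)) {
      findings.push({ line: i + 1, name });
    }
  });
  return findings;
}

// Constructed sample .env.local content (no real keys).
const SAMPLE_ENV = `
# payment provider
NEXT_PUBLIC_PAYMENTS_PUBLISHABLE_KEY=pk_constructed
NEXT_PUBLIC_API_KEY=your-key-here
PAYMENTS_SECRET_KEY="sk_constructed"
export NEXT_PUBLIC_SITE_URL=https://example.com
NEXT_PUBLIC_WEBHOOK_SECRET=
`;

console.log(findExposedSecrets(SAMPLE_ENV));
```

A flagged variable should be renamed without the prefix and read only in server code, and a key that was ever shipped to the browser should be rotated.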
2. Stop Using CSS for Paywalls
CSS-based paywalls (display: none;) are laughably easy to bypass. Instead of relying on front-end styling, enforce the paywall logic on the backend. If that's too complex, a middle-ground solution is to obfuscate the content using Base64 encoding and set up DevTools protection to make it harder to bypass.
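Backend enforcement means the unpaid response never contains the premium content, whereas a CSS paywall ships it and only hides it. An added example (not from the original post) contrasting the two; the session store, function names and sample article are constructed assumptions:

```typescript
type Plan = 'free' | 'pro';
type Article = { teaser: string; body: string };

// Constructed server-side state: session id -> plan as recorded by billing.
const SESSIONS = new Map<string, Plan>();
SESSIONS.set('sess-free', 'free');
SESSIONS.set('sess-pro', 'pro');

const ARTICLE: Article = { teaser: 'Intro paragraph.', body: 'PREMIUM-BODY' };

// Weak: the premium body is in every response; CSS only hides it from view.
function renderCssPaywall(sessionId: string, a: Article): string {
  const paid = SESSIONS.get(sessionId) === 'pro';
  return `<p>${a.teaser}</p>` +
    `<div style="display:${paid ? 'block' : 'none'}">${a.body}</div>`;
}

// Hardened: the plan is looked up on the server from the session, never taken
// from anything the client sends, and unpaid responses omit the body entirely.
function renderServerPaywall(sessionId: string | undefined, a: Article):
    { status: number; html: string } {
  const plan = sessionId ? SESSIONS.get(sessionId) : undefined;
  if (plan !== 'pro') {
    // Missing, unknown and free sessions all get the teaser only.
    return { status: 403, html: `<p>${a.teaser}</p><a href="/upgrade">Upgrade to read on</a>` };
  }
  return { status: 200, html: `<p>${a.teaser}</p><div>${a.body}</div>` };
}

console.log(renderCssPaywall('sess-free', ARTICLE));    // body present, merely hidden
console.log(renderServerPaywall('sess-free', ARTICLE)); // body absent
```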
3. Securing Webhooks – The Overlooked Weak Spot
Webhooks are essential for automating tasks between apps—but they’re also an easy target for attackers if left unprotected. Here’s how to lock them down:
- Use a Signature and Timestamp – Your webhook’s receiving URL must be public, but you can secure the data using a signature, timestamp, and token to create a hashmap (a key-value store).
- Generate an HMAC Signature – Concatenate the timestamp and token values, encode the result using the HMAC algorithm with your ESP’s API key (in SHA256 mode), and compare the output with the signature.
- Reject Duplicate Tokens – Cache the token value locally and reject any request that tries to reuse the same token. This prevents replay attacks where hackers repeat or misdirect the webhook action.
Here’s a quick example in TypeScript for securing webhooks:
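```ts
import crypto from 'crypto';

// Recompute the HMAC-SHA256 over "timestamp.token" and compare it with the received signature.
const verifyWebhook = (signature: string, timestamp: string, token: string, secret: string): boolean => {
  const data = `${timestamp}.${token}`;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(data)
    .digest('hex');
  // Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first.
  const received = Buffer.from(signature, 'utf8');
  const expected = Buffer.from(expectedSignature, 'utf8');
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
};
```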
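The post's verifyWebhook covers only the signature step. An added example (not from the original post) that also applies the timestamp and duplicate-token checks from the list above; the 300-second window, the in-memory cache and the sample values are assumptions:

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

type Verdict = 'ok' | 'bad-signature' | 'stale' | 'replay';

const MAX_AGE_SECONDS = 300;                  // assumed freshness window
const seenTokens = new Map<string, number>(); // token -> epoch second after which it can be forgotten

// Same construction as the post: HMAC-SHA256 over "timestamp.token", hex-encoded.
function sign(timestamp: string, token: string, secret: string): string {
  return createHmac('sha256', secret).update(`${timestamp}.${token}`).digest('hex');
}

function checkWebhook(signature: string, timestamp: string, token: string,
                      secret: string, nowSeconds: number): Verdict {
  // 1. Authenticate first, so unauthenticated requests cannot fill the token cache.
  const expected = Buffer.from(sign(timestamp, token, secret));
  const received = Buffer.from(signature);
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return 'bad-signature';
  }
  // 2. Reject deliveries whose signed timestamp falls outside the window.
  const sentAt = Number(timestamp);
  if (!Number.isFinite(sentAt) || Math.abs(nowSeconds - sentAt) > MAX_AGE_SECONDS) {
    return 'stale';
  }
  // 3. Reject a token that was already accepted. Expired entries are dropped so
  //    the cache stays bounded; anything that old is rejected by step 2 anyway.
  seenTokens.forEach((expiry, t) => { if (expiry < nowSeconds) seenTokens.delete(t); });
  if (seenTokens.has(token)) return 'replay';
  seenTokens.set(token, sentAt + MAX_AGE_SECONDS);
  return 'ok';
}

// Constructed sample delivery (no real provider data).
const SAMPLE = { secret: 'constructed-secret', timestamp: '1700000000', token: 'tok-1' };
const sampleSig = sign(SAMPLE.timestamp, SAMPLE.token, SAMPLE.secret);
console.log(checkWebhook(sampleSig, SAMPLE.timestamp, SAMPLE.token, SAMPLE.secret, 1700000010));
```

With more than one server instance, the token cache has to live in a shared store, otherwise a replay sent to a different instance is accepted.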
Shipping Fast ≠ Ignoring Security
As an indie maker, I get it—speed matters. But security matters too. Leo’s experience is a reminder that even if you're not a developer, securing your app isn’t optional. Don’t let vibe coding turn into vibe hacking.
I’d love to hear from other makers—how are you balancing speed with security in your builds?
Let’s discuss in the comments.

Hey everyone,
I’ve been building Unrealshot AI – an AI-powered photoshoot generator that creates high-quality portraits from your selfies. No studio, no expensive cameras—just AI doing the work.
I know AI-generated photos can be a hit or miss, and that’s why I’m looking for honest feedback—good, bad, or brutally honest. If you’re up for testing it, I’d love to hear:
- How realistic are the images?
- Was the experience smooth or frustrating?
- What would make it better?
If you’re interested, let me know, and I’ll set up a free account with some credits so you can try it out. Just looking for real, unfiltered opinions!
Drop a comment or DM me if you're in.
Try it here: www.unrealshot.com
Hey, I’m Harvansh. I’m here to share the real, unfiltered journey behind Unrealshot AI. This isn’t a polished pitch—it’s a story of trial, learning, and the moments that changed everything.
The Early Days: Learning and Experimenting
Back in 2022, I started out blogging about AI. My WordPress site looked more like a digital mishmash than a professional platform, all thanks to free YouTube tutorials and a lot of DIY spirit. With no budget to hire professionals, I had to become the talent myself—even if it meant patching things together with whatever I had.
In 2023, I dove into building websites for small business owners. I was not only designing and coding but also experimenting with emerging AI tools. I used platforms like ChatGPT and Claude to speed up development, learning on the job and gradually refining my skills in both design and functionality.
Outsourcing My Brain to AI
Then something transformative happened. Tools like v0, Claude, and ChatGPT weren’t just assistants—they became an extension of my own creativity. I began outsourcing my brain to AI. Instead of starting every project from scratch, these tools handled the heavy lifting, allowing me to focus on what mattered: the vision.
I built countless web apps using these AI tools, each one teaching me new ways to streamline processes and push creative boundaries. This was more than just efficiency—it was a paradigm shift in how I worked and created.
The Birth of Unrealshot AI
In October ’24, with a solid foundation built on real-world experience and a powerful toolkit of AI, I launched Unrealshot AI. The goal was simple yet ambitious: to create an AI photoshoot generator that’s actually useful.
Unrealshot AI isn’t about canned templates or generic styles. It’s a tool that lets you generate images that capture your true self. By blending my years of photography with the precision of AI, Unrealshot AI offers a way to produce natural, personalized photos that work for both casual use and professional needs.
What Makes Unrealshot AI Different
- Personal Touch: It all started with my own journey in photography and web design. Every feature in Unrealshot AI is designed to reflect that hands-on experience.
- AI-Powered Efficiency: Using advanced AI tools meant that I could focus on creativity while the tech handled the rest.
- Real Results: Unlike other photo generators that produce over-processed images, Unrealshot AI is all about authenticity—capturing genuine expressions and natural lighting.
This journey is far from over. I’m constantly refining Unrealshot AI, listening to user feedback, and exploring new ways to blend art with technology. If you’re curious about how this all works or want to try out a tool that truly understands you, I invite you to check out Unrealshot AI.
Thanks for reading my story—every step of this journey has been about finding real, useful solutions, and I’m excited to see where AI takes us next.
