<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>The Full Stack CISO</title><description>The Full Stack CISO: essays on shipping secure software, from a security leader who still writes the code.</description><link>https://thefullstackciso.com/</link><language>en-us</language><item><title>The free-tier trap: the cache that almost DoS&apos;d my own app</title><link>https://thefullstackciso.com/posts/free-tier-trap/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/free-tier-trap/</guid><description>I added a cache to save money. It nearly took the app down, and the alert looked like an attack. A postmortem on reading the fine print.</description><pubDate>Sun, 28 Jun 2026 00:00:00 GMT</pubDate><category>Incident</category><category>cloudflare</category><category>postmortem</category><category>cost</category><category>kv</category></item><item><title>Your CAPTCHA is free (and other Cloudflare cost myths)</title><link>https://thefullstackciso.com/posts/captcha-is-free/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/captcha-is-free/</guid><description>Turnstile is genuinely unlimited and free. The catch isn’t the price — it’s knowing where your bill actually comes from.</description><pubDate>Sun, 21 Jun 2026 00:00:00 GMT</pubDate><category>Strategy</category><category>cloudflare</category><category>turnstile</category><category>cost</category><category>bots</category></item><item><title>Defend the wallet, not just the data</title><link>https://thefullstackciso.com/posts/defend-the-wallet/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/defend-the-wallet/</guid><description>Cost is a security property. Map the surfaces that spend money, then cap every one of them — and prove the cap actually caps.</description><pubDate>Sun, 14 Jun 2026 00:00:00 GMT</pubDate><category>Leadership</category><category>cost</category><category>rate-limiting</category><category>abuse</category></item><item><title>The security fixes I deliberately did NOT ship</title><link>https://thefullstackciso.com/posts/fixes-i-didnt-ship/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/fixes-i-didnt-ship/</guid><description>Restraint is a senior skill nobody blogs about. Three hardening ideas that were correct in theory and would have broken production.</description><pubDate>Sun, 07 Jun 2026 00:00:00 GMT</pubDate><category>Practice</category><category>tradeoffs</category><category>production</category><category>restraint</category></item><item><title>A $0 SIEM-lite: pg_cron + Cloudflare GraphQL + Resend</title><link>https://thefullstackciso.com/posts/zero-dollar-siem/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/zero-dollar-siem/</guid><description>You do not need an enterprise logging tier to know when something is off. Three free parts, wired into a daily report and an hourly alarm.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Engineering</category><category>monitoring</category><category>pg_cron</category><category>cloudflare</category><category>resend</category></item><item><title>OTP-only auth: when the email IS the identity</title><link>https://thefullstackciso.com/posts/otp-only-auth/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/otp-only-auth/</guid><description>A one-time code stops password theft. It does not stop disposable inboxes from farming accounts — each one with a fresh set of cost caps.</description><pubDate>Sun, 24 May 2026 00:00:00 GMT</pubDate><category>Supply chain</category><category>auth</category><category>otp</category><category>abuse</category><category>fail-open</category></item><item><title>Defense in depth on a nonprofit budget</title><link>https://thefullstackciso.com/posts/defense-in-depth-nonprofit/</link><guid isPermaLink="true">https://thefullstackciso.com/posts/defense-in-depth-nonprofit/</guid><description>The full free-tier security map — and the one architectural fact that reorders every priority on it.</description><pubDate>Sun, 17 May 2026 00:00:00 GMT</pubDate><category>Leadership</category><category>architecture</category><category>defense-in-depth</category><category>cloudflare</category><category>supabase</category></item></channel></rss>