Does the Promptbook replace a pentest?

No. It helps identify signals and organize review. Impact validation, exploitation chain, and fix confirmation stay in the Manual Pentest.

Why is the Manual Pentest not sold through public checkout?

Because scope, authorization, environment, and operational risk need to be evaluated before a proposal.

Cybersecurity

Edge security: get the basics right before the big language

Headers, cookies, cache, logs, and routes are part of the product. Strong security starts in small choices people avoid reviewing.

Gabriel Ferreira

RET TECNOLOGIA EM INFORMÁTICA LTDA

May 04, 20268 min

The edge is part of the product

In a modern SaaS, a lot happens before the app responds: CDN, cache, headers, cookies, redirects, analytics, and API routes. If that layer is loose, the product can look polished and still expose session, data, or internal behavior.

Edge security should answer simple questions:

Do sensitive cookies use HttpOnly, Secure, and the right SameSite?
Do pages with user data avoid public cache?
Does CSP reduce unsafe execution without breaking production?
Do logs remove secrets, tokens, and unnecessary personal data?
Do old routes redirect without ambiguous behavior?

The founder view

The founder does not need to memorize acronyms. They need to know whether the app protects session, billing, and customer data in normal flows and error flows.