Going beyond Google Login for critical apps. Identifying gaps & hardening your entry points.
Published: February 27, 2026

Just an AI security audit is not enough.. it misses things.
So I had two Claudes go against each other.... one hitting my app, the other one fixing it. 130 tests across 3 phases.
This is the app that monitors all my databases, servers and deployments. Basically the keys to the kingdom, sitting on the public internet, deployed at logs.tigzig.com. I also have client tools deployed on the open internet (all with OAuth).
For admin-type apps sitting on the public internet (vs. behind a VPN), OAuth (Google, etc.) alone isn't enough. So now this app has multiple independent gates.. Cloudflare Turnstile for invisible bot detection, a password gate before you even see the login page, Google OAuth with an email whitelist, Google Authenticator MFA, and JWT verification on every API call.
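As an added example (not code from this post or from tigzig), this is what the "JWT verification on every API call" gate looks like when each request also re-checks the OAuth email whitelist and the MFA flag, so no single gate is trusted on its own. The HS256 shared secret, the claim names (`email`, `mfa`, `exp`) and the sample email are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo; a real deployment keeps the key in a secret store.
SECRET = b"constructed-demo-secret"
ALLOWED_EMAILS = {"owner@example.com"}  # the OAuth email whitelist

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session_jwt(email: str, mfa_done: bool, ttl: int, secret: bytes, now=None) -> str:
    """Mint an HS256 JWT once the OAuth and MFA gates have both passed (hypothetical issuer)."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"email": email, "mfa": mfa_done, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_api_call(token: str, secret: bytes, allowed_emails, now=None):
    """Gate check run on every API call; returns (allowed, reason_or_email)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: the token never gets to choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("email") not in allowed_emails:  # whitelist re-checked per call
        return False, "email not on whitelist"
    if claims.get("mfa") is not True:  # MFA gate must have been completed
        return False, "mfa not completed"
    return True, claims["email"]

if __name__ == "__main__":
    tok = issue_session_jwt("owner@example.com", True, 3600, SECRET)
    print(verify_api_call(tok, SECRET, ALLOWED_EMAILS))
    print(verify_api_call(tok + "x", SECRET, ALLOWED_EMAILS))
```

Removing an email from the whitelist takes effect on the next API call even though the JWT itself is still valid, which is the point of re-checking it per request.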
DDoS with rotating proxies: my server might remain unavailable for a little while until I turn on 'Under Attack' mode in Cloudflare, but my gates won't be breached (hopefully).
More gate security possible? Yup.. but as a tool builder for small businesses, I think this is good enough.
Updated the security checklist to 78 items with all the new patterns: tigzig.com/security