Lesson 0: Why AI Security and Cost Aren't a 'Later' Problem
In the previous stage you learned to build API routes and wire up AI. But before diving back into code, it's worth pausing: two failure modes are specific to AI features and far sharper than ordinary bugs. An API key that leaks to the client side is visible to anyone who opens DevTools — letting the
It is like leaving a tap running overnight: you don't see damage right away, but by morning the house is flooded. In the same way, an uncontrolled AI call can leave you with both a security risk and a huge bill before anyone notices.
- Leaked credential: An API key or access secret accidentally exposed on the client side or in a public repo, letting anyone use it as if they were the owner.
- Prompt injection: Malicious input crafted so the language model ignores its original instructions and does something else instead — such as exposing another user's data.
- Cost runaway: A situation where a bug or poor design triggers excessive, repeated AI calls, and spend grows fast with nobody noticing until the invoice arrives.
- Blast radius: The scope of damage a single failure can cause — how many users, how much data, or how much money is exposed when something goes wrong.