Serverless & Cloud

Serverless functions without a configured timeout can be kept running indefinitely by malicious or malformed requests, draining your budget.

Giving serverless functions or services more IAM permissions than they need turns a minor breach into a full account compromise.

Logging process.env dumps all your secrets — API keys, database passwords, signing keys — directly into your log system.

Serverless functions reuse execution environments between invocations, so sensitive files written to /tmp can be read by later requests from different users.

Global variables in serverless functions persist across invocations in the same execution environment, leaking user data between requests.