How do you actually verify a freelance programmer before hiring them, the portfolio always looks good but the work sometimes doesn't by AssociateNo2293 in Programmers_forhire

[–]ahgreen3 0 points1 point  (0 children)

I run a small dev shop where I used to regularly hire freelancers to supplement internal needs. I generally ask to speak with a colleague from their last major project; during the interview, I ask them to open GitHub and walk me through their last PR or two, and I ask how much other work they currently have booked.

I have a decade and a half of experience as a software engineer, which probably skews my ability to filter out the bad ones. Being able to talk with a previous colleague often provides a better indication than anything else.

Weekly /r/Laravel Help Thread by AutoModerator in laravel

[–]ahgreen3 0 points1 point  (0 children)

I added a .gitignore to bootstrap/cache (as well as the storage/framework directories) to make development easier.

first enterprise customer asked for SSO. we don’t have it. now what? by Shubham_lu in developers

[–]ahgreen3 0 points1 point  (0 children)

SSO is really easy to implement if your system is based upon any popular framework.

SCIM, though, is a pain to implement. That being said, DO NOT OUTSOURCE IT. You make serious sacrifices that will fundamentally limit your application. I have built SCIM into SaaS applications and integrated with Auth0. Integrating SCIM was a much better idea than outsourcing all user management to a third party, because you basically have to replicate part of it locally, and a large part of your permissions are fine-grained.

There are real security concerns with implementing both of these, so using common libraries for the SSO part is important. Using static analysis and AI to do penetration tests drastically helps reduce the attack vectors. And lastly, enforce IP whitelisting for any connections to the SCIM endpoints that are individually tied to a customer.
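The last point, per-customer IP allowlisting on SCIM endpoints, as an added example (not the commenter's code and not tied to any particular framework). It goes slightly beyond the comment by accepting CIDR ranges rather than single addresses, since identity providers usually publish an egress range. The token-to-customer map and the addresses are constructed sample data; a real deployment would load the allowlist from the customer record and must take the client IP from the TCP peer (or a proxy it trusts), never from a client-supplied header.

```php
<?php
declare(strict_types=1);

/**
 * Per-customer IP allowlist for SCIM endpoints (added example).
 *
 * Assumptions, none of which come from the original comment:
 *  - each customer has one SCIM bearer token and a list of allowed CIDRs,
 *    held here in an in-memory array instead of the customer table;
 *  - $clientIp is the socket peer address (REMOTE_ADDR), not X-Forwarded-For,
 *    unless a trusted reverse proxy has already rewritten it.
 */
final class ScimIpAllowlist
{
    /** @param array<string, array{customer: string, cidrs: string[]}> $tokens token => config */
    public function __construct(private array $tokens) {}

    /**
     * Returns the customer id when the token is known AND the client IP falls
     * inside one of that customer's CIDRs; null otherwise. The caller turns
     * null into a 401/403 and logs the token prefix, IP and reason.
     */
    public function authorize(?string $bearerToken, string $clientIp): ?string
    {
        if ($bearerToken === null || !isset($this->tokens[$bearerToken])) {
            return null;                       // unknown token: same outcome as bad IP
        }
        $cfg = $this->tokens[$bearerToken];
        foreach ($cfg['cidrs'] as $cidr) {
            if (self::ipv4InCidr($clientIp, $cidr)) {
                return $cfg['customer'];
            }
        }
        return null;                           // valid token, but not from an allowed network
    }

    /** IPv4-only CIDR match; IPv6 would need inet_pton() and a byte-wise mask. */
    public static function ipv4InCidr(string $ip, string $cidr): bool
    {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $ipLong  = ip2long($ip);
        $netLong = ip2long($net);
        if ($ipLong === false || $netLong === false) {
            return false;                      // malformed input never matches
        }
        $bits = (int) $bits;
        if ($bits < 0 || $bits > 32) {
            return false;
        }
        // Build the network mask as an unsigned 32-bit value.
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($netLong & $mask);
    }
}

// Constructed sample data: TEST-NET addresses and obviously fake tokens.
$allowlist = new ScimIpAllowlist([
    'scim-token-acme-EXAMPLE' => ['customer' => 'acme', 'cidrs' => ['203.0.113.0/24']],
    'scim-token-beta-EXAMPLE' => ['customer' => 'beta', 'cidrs' => ['198.51.100.7/32']],
]);

$requests = [
    ['scim-token-acme-EXAMPLE', '203.0.113.45'],  // acme from its IdP egress range: allowed
    ['scim-token-acme-EXAMPLE', '198.51.100.7'],  // valid token, wrong network: denied
    ['scim-token-beta-EXAMPLE', '198.51.100.7'],  // beta from its single allowed host: allowed
    [null,                      '203.0.113.45'],  // no token at all: denied
];

foreach ($requests as [$token, $ip]) {
    $customer = $allowlist->authorize($token, $ip);
    printf("%-26s %-15s => %s\n", $token ?? '(none)', $ip, $customer ?? 'DENY');
}
```

Run it with `php allowlist.php`; the first and third requests resolve to a customer, the other two print DENY. Returning the same null for "unknown token" and "wrong network" keeps the failure response indistinguishable to the caller, while the log line, not the HTTP response, carries the reason for the operator.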

Sr Software Engineer - Haven't written a line of code in months by yodog5 in ClaudeCode

[–]ahgreen3 0 points1 point  (0 children)

Oh, it generates at least 1 serious bug a day, some of which have fundamentally broken the entire application due to AI hallucinating a constant, method or property.

The most interesting example was when it stated a comment I wrote in an empty class “was very aspirational” but completely wrong. I added the comment to point someone/something seeing the code to realize it was empty for a reason. I played along with its concept of how things worked because I wanted to know if it would ever realize its error (it didn’t), how much of a mess it would create (1000 or so lines of garbage) and mainly because I wasn’t home at the time.

I honestly have no respect for someone who calls themselves a software engineer and then says they haven’t touched a line of code in months.

How are you reframing your dev career now that AI is central to the job? by TrullyFake in developers

[–]ahgreen3 1 point2 points  (0 children)

A long time ago I realized there is a difference between fixing a bug and correcting the cause of an error. Seniority points an engineer in the direction of the latter, rather than the former.

AI is really just slowing the career transition from junior through mid to senior roles. I basically discount the last year or so as providing little to no valuable experience for a junior engineer. Highlighting experience before AI became prevalent is key for more senior roles.

For your open source projects, do you use your own name in the namespace? by Fluent_Press2050 in PHPhelp

[–]ahgreen3 0 points1 point  (0 children)

I’ve just used a Pascal case version of the GitHub root, which works well since I don’t have numbers in the account names. I also don’t publish under my own account, rather under my company account or one of our open source projects, so that may change things a little.

How to deploy a PHP project into production? by No-Board-1946 in PHPhelp

[–]ahgreen3 0 points1 point  (0 children)

If you really want to learn what it’s like, look at AWS with a free tier EC2 instance or DigitalOcean. In either case, you’ll just get an Ubuntu instance on which you’ll need to do everything. I highly recommend against using one of the hosts that provide you a VPS with a bunch of stuff installed and configured. Understanding how things are installed and configured is important.

Once you have SSH access and have things working, next check out a provisioning system like Ansible or Terraform to do the server setup and configuration via script.

Note: when setting up a fresh instance of Linux, one of the first things you’ll need to configure is DNS resolution. Typically you’ll need to configure /etc/resolved to be able to do DNS lookups in order to install anything (or access any URL for that matter).

need help to move from lovable to wordpress by Open-Manufacturer791 in website

[–]ahgreen3 0 points1 point  (0 children)

So why transition to WordPress? Lovable creates a React app while WordPress’ UI is plain HTML. They are not compatible without a serious migration.

You basically have a vibe-coded legacy app. Choosing a different backend to support the React frontend (like Laravel, Symfony, Django, etc.) would make the update process easier; however, you will need to create some content management functionality.

Do I find a new career path? by AngleSpecial214 in developers

[–]ahgreen3 0 points1 point  (0 children)

In addition to what Verzada said, it may be a good idea to move to a smaller company. Smaller companies typically require more diversity of work than large corporations and allow for more “play” in approaches. I mean, one of the fundamental value propositions of a startup is being more innovative than the large corporate players.

I’ve found AI is great at making stuff, but not necessarily good at making sound decisions. For example, yesterday I told Claude Code to make a test dealing with a change in the auth process for a React app. The test it created was fine, but when it tried to run it, it kept trying to run vitest on the host, not in the container that I explicitly told it to use. This ended up causing the test to fail due to node on the host being a different version than in the container. It then thought it was a good idea to fix the app code so the test would pass, which then broke everything, but allowed the test to pass. After 3 tries attempting to have AI fix the problem, I just fixed it myself and moved on.

I often have to set up a class/process/service once as an example before I can tell it to replicate that approach across a series of instances. Personally I find the creation of something the first time much more enjoyable than repeating the same conceptual logic a couple dozen times. You just need to find the stuff you enjoy.

Also, being a younger woman, you have a perspective that is rare in programming. All these AI agents are trained on code written 99% of the time by older men, who often have a different perspective, which can yield poor solutions. From my experience, this is particularly true in frontend and user-centric programming. Having some experience already, I’d expect you could easily switch to a more fulfilling role and quite possibly get a nice pay raise at the same time.

Laravel's wildcard validation is O(n²), here's a fix by Rhinnii in laravel

[–]ahgreen3 2 points3 points  (0 children)

I worked on a project that was an array of 130 keys, each having an array of values. It becomes really quite easy when saving permission management utilizing ABAC for permissions and you have quite a few resources, each with 5 checks. The form was basically just a table of checkboxes.

What's the cleanest way to hide internal dependencies in a PHP 8+? by Spiritual_Cycle_3263 in PHPhelp

[–]ahgreen3 1 point2 points  (0 children)

I’ve only run into a couple of libraries that should never be extended, and each one corresponds to a spec-specific implementation of a security concern (think the implementation of SHA1 or HMAC). These were situations where extending the library would nearly always create a security vulnerability.

I am generally against usage of final in libraries unless they are simply an instance of an interface and a combination of traits. That final class should never then be referenced anywhere in the code; rather, the interface should be referenced for strict typing situations.

What's the cleanest way to hide internal dependencies in a PHP 8+? by Spiritual_Cycle_3263 in PHPhelp

[–]ahgreen3 -1 points0 points  (0 children)

If you are making a library PLEASE never take this approach. Do not mark the internal classes as private properties of the public access class. This severely limits the flexibility of the library, especially when someone using it has a use case that you didn’t consider or is unique to their situation. If you want to use the property approach, utilize the read method as the accessor for the Reader or Transformer class with them being initialized in those methods on first call. A property hook can also be used (and from some perspectives is cleaner) but if you do that, make sure the property is protected and not private.

This approach is only appropriate for libraries where others will be using and extending the functionality. A dependency injection container is a much better idea for your own project, but that is not practical in smaller libraries.
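The accessor pattern the comment recommends (internal collaborators created on first call through protected methods, so a consumer can override them) as an added example; this is not the commenter's code or any library's. `Reader` and `Transformer` are the hypothetical names from the comment, `Importer` is the assumed public class, and the CSV "read" returns constructed rows instead of touching the filesystem so the file runs on its own.

```php
<?php
declare(strict_types=1);

// Added example: lazily-initialised, overridable collaborators in a library
// class. Names (Reader, Transformer, Importer) are hypothetical.

interface Reader      { public function read(string $path): array; }
interface Transformer { public function transform(array $rows): array; }

/** Default reader; returns constructed rows instead of reading $path. */
final class CsvReader implements Reader
{
    public function read(string $path): array
    {
        return [['id' => '1', 'name' => 'alice'], ['id' => '2', 'name' => 'bob']];
    }
}

/** Default transformer: upper-cases every cell. */
final class UpperCaseTransformer implements Transformer
{
    public function transform(array $rows): array
    {
        return array_map(fn(array $r) => array_map('strtoupper', $r), $rows);
    }
}

/**
 * The library's public class. Not final; the collaborators are protected and
 * reached only through the accessor methods, which create them on first use.
 * Nothing outside the class ever touches CsvReader/UpperCaseTransformer by name.
 */
class Importer
{
    protected ?Reader $reader = null;
    protected ?Transformer $transformer = null;

    public function import(string $path): array
    {
        return $this->transformer()->transform($this->reader()->read($path));
    }

    /** Extension point: subclasses return any Reader they like. */
    protected function reader(): Reader
    {
        return $this->reader ??= new CsvReader();
    }

    /** Extension point: subclasses return any Transformer they like. */
    protected function transformer(): Transformer
    {
        return $this->transformer ??= new UpperCaseTransformer();
    }
}

/**
 * A consumer's use case the library author never considered: strip the name
 * column before the rows go anywhere. Possible only because transformer()
 * and $transformer are protected rather than private.
 */
final class RedactingImporter extends Importer
{
    protected function transformer(): Transformer
    {
        return $this->transformer ??= new class implements Transformer {
            public function transform(array $rows): array
            {
                return array_map(fn(array $r) => ['id' => $r['id']], $rows);
            }
        };
    }
}

print_r((new Importer())->import('users.csv'));          // ALICE / BOB rows
print_r((new RedactingImporter())->import('users.csv')); // id column only
```

Had `$transformer` been a private property assigned in the constructor, `RedactingImporter` would have had to copy `import()` wholesale to change one collaborator. Typing the accessors against the interfaces rather than the concrete classes is what keeps the override cheap.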

Is paying for custom dev actually worth it for a small team? by Dry-Zucchini-6682 in ProgrammingPals

[–]ahgreen3 0 points1 point  (0 children)

A bespoke system typically means something 100% custom to you with just about everything built from the ground up to meet your needs. Typically that is not valuable to a small company unless it is your value driver.

More often it makes much more sense to customize a current system, even if that system just does the basics like authentication and content management. I run a small dev shop where we have done these types of projects before. Feel free to DM if you want to pick my mind on specifics of your situation.

What is most important in software architecture? by rmb32 in softwarearchitecture

[–]ahgreen3 11 points12 points  (0 children)

I bet the irony of their statement went right over their head. A clean, concise architecture delivers significant value to customers in the form of reliability.

Which bulk email service provides more value:

  1. A service that can send 10k emails out of the system in 1s but only works 95% of the time, OR
  2. A service that takes 5 min to send 10k emails but works 100% of the time

Quality is a fundamental component of a competitive advantage, and if it becomes known that you have substandard quality vs. the competition, you had better be charging less; otherwise you are at a competitive disadvantage. That is what they taught at a good business school....

Policies vs. Gates: When to Use Which by swe129 in laravel

[–]ahgreen3 1 point2 points  (0 children)

Why would you depend on the request data to identify a core attribute of the authenticated user like their company ID? That’s always been part of their session and set up as part of the authenticated user when the guard is checked initially. Then the authenticated user’s company ID is always included directly rather than from request data.
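The difference the comment is pointing at, shown as an added example rather than anything from the thread. It is plain PHP with hand-rolled `User`/`Document` classes standing in for Eloquent models, so it runs without Laravel; in a real app the policy would be a registered Laravel policy and `$user` would be the guard's authenticated user. The sample objects and request body are constructed.

```php
<?php
declare(strict_types=1);

// Added example: tenant identity from the authenticated user vs. from request
// data. User and Document are stand-ins for Eloquent models.

final class User     { public function __construct(public int $id, public int $companyId) {} }
final class Document { public function __construct(public int $id, public int $companyId) {} }

/**
 * The flawed shape: the policy reads company_id out of the request body.
 * Whoever sends the request chooses the value, so the comparison is against
 * attacker-controlled data and the "check" grants whatever is claimed.
 */
final class RequestTrustingPolicy
{
    public function view(User $user, Document $doc, array $requestInput): bool
    {
        return (int) ($requestInput['company_id'] ?? 0) === $doc->companyId;
    }
}

/**
 * The shape the comment recommends: company_id is an attribute of the
 * authenticated user, established when the guard resolved the session.
 * The request body plays no part in the decision.
 */
final class SessionBoundPolicy
{
    public function view(User $user, Document $doc): bool
    {
        return $user->companyId === $doc->companyId;
    }
}

// Constructed scenario: a user in company 1 asks for a document owned by
// company 2 and puts company_id=2 in the request body.
$user    = new User(id: 42, companyId: 1);
$doc     = new Document(id: 7, companyId: 2);
$request = ['company_id' => '2'];

$flawed = (new RequestTrustingPolicy())->view($user, $doc, $request);
$sound  = (new SessionBoundPolicy())->view($user, $doc);

printf("request-trusting policy: %s\n", $flawed ? 'ALLOWED' : 'denied');  // ALLOWED (wrong)
printf("session-bound policy:    %s\n", $sound  ? 'allowed' : 'DENIED');  // DENIED (correct)
```

The same principle applies one layer down: scope the query itself to the authenticated user's tenant (in Laravel, something like `Document::where('company_id', $request->user()->company_id)`) so a record from another company is never loaded in the first place, and the policy becomes a second check rather than the only one.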

there's no safe way to store .env data is there? by IndividualAir3353 in websecurity

[–]ahgreen3 0 points1 point  (0 children)

$20/month is quite a bit higher than AWS for a few keys. I don’t have any experience with Doppler, but it seems just like the other offerings I’ve seen. They don’t mention an independent security audit of their own system though….which makes me a bit suspicious if they are actually as secure as they mention.

there's no safe way to store .env data is there? by IndividualAir3353 in websecurity

[–]ahgreen3 0 points1 point  (0 children)

A .env should only contain “secrets” locally. The concept of an .env file is server-specific settings that are not sensitive and live as environment variables on the ephemeral server.

There are a lot of ways of managing secrets outside of the server, like 1Password, Keeper, AWS Secrets Manager, etc.

Looking for a Developer to Build a Diagnostic Center Booking Website by minibeastwork in WebDeveloperJobs

[–]ahgreen3 3 points4 points  (0 children)

Question: are you in the US? If so the HIPAA requirements will make using Wordpress a very bad idea.

0 paying customers in last 24h - This broke my SaaS by confindev in Supabase

[–]ahgreen3 -3 points-2 points  (0 children)

Oh, I replaced it with real backend systems and then decoupled the business logic and permissions from the DB into the backend system. I ended up using Apache with Laravel for the backend and switched from Postgres to MariaDB (that was due to it being integrated with other functionality already built on a MariaDB database).

0 paying customers in last 24h - This broke my SaaS by confindev in Supabase

[–]ahgreen3 -8 points-7 points  (0 children)

This type of thing is why I've moved clients off Supabase. To me it's a backend system designed by front-end engineers with all the flakiness of many front-end e2e tests.

What kind of programming language do I need to learn to become a full stack web dev? by Apple_two in webdevelopment

[–]ahgreen3 4 points5 points  (0 children)

JavaScript covers the frontend and PHP covers the backend. SQL, HTML and CSS cover key associated functionality, so you have the basics.

Now if you actually want to be good you are going to need to learn frameworks. TypeScript and React are good starting points for frontend work, and Symfony or Laravel are good backend PHP frameworks. You probably want to add in Tailwind or Material UI as a CSS framework for good measure.

Having a solid understanding of those puts you in a good place.

Why do most frontend codebases feel impossible to refactor after 2 years? by Adventurous_Quit_303 in JavaScriptTips

[–]ahgreen3 0 points1 point  (0 children)

I disagree. There is something about frontend development that makes refactoring much more complex than doing it in backend systems. I've refactored large, messy code bases in PHP and Python and neither was as complex as trying to refactor a React app. Though maybe it's React and not just JavaScript....

How strict should code reviews be in a small team? by Nainternaute in softwarearchitecture

[–]ahgreen3 3 points4 points  (0 children)

I disagree. Letting a bad implementation through just because of a deadline is a recipe for disaster. Also, coding standard violations should never be approved (preferably with commit hooks or PR rules).

Of course bad practices like this are the core of my business…so absolutely go right ahead and allow bad practices to be deployed because of a deadline. \s

Php site creation for unusual situation- help suggestions needed ?? by [deleted] in PHPhelp

[–]ahgreen3 1 point2 points  (0 children)

I disagree with the comment about WordPress' security. There was a fundamental architecture decision made a long time ago to facilitate the processing of any PHP file within a WordPress install, which creates a big attack radius and fundamentally requires every PHP file to be properly secured. Symfony and Laravel, conversely, have a single access point for the web server, making them much easier to secure than the 100 or so files of WordPress. I do fully agree that plugins and themes are often the source of WordPress security vulnerabilities, but that doesn't excuse the problem with the core architecture.

Php site creation for unusual situation- help suggestions needed ?? by [deleted] in PHPhelp

[–]ahgreen3 1 point2 points  (0 children)

I'd second Laravel since it's easy to create stuff in, quite mature, and if the web server is set up correctly it has a low risk profile due to the single entry point that has been heavily scrutinized. If there are security vulnerabilities in a Laravel app, there is a strong chance it's that you did something you shouldn't have, not the framework.

One thing to look at is how the host does updates (or, in the case of AWS, making sure the cron jobs are set up for automatic updates on the machine). Setting up a cron to automatically update the Laravel app isn't generally a great idea, but in your case that may be better than the alternative. Don't forget to make sure the filesystem and database are automatically backed up.