Building with AI (Vibe Coding)


Security Basics for Builders

Security is not a feature you add at the end. It is a set of habits you build into every decision — how you handle user input, how you store credentials, how you communicate between services. AI coding assistants often omit security measures, not because they do not know about them, but because security-correct code is longer and the prompt did not ask for it. As the builder, you must know what to demand.

The Most Consequential Vulnerabilities

The OWASP Top 10 is an annually-updated list of the most widespread and dangerous web application security risks. For a builder working with AI-generated code, three categories appear most often and matter most:

Injection (particularly SQL injection): this occurs when untrusted user input is included directly in a command or query that is then executed by a database, shell, or other interpreter. A user types '; DROP TABLE users; -- into a search field; the application concatenates that string into a SQL query and runs it. The fix is parameterized queries (also called prepared statements), where user input is passed as a separate parameter — never concatenated into the query string.

Broken Authentication: passwords stored as plain text, sessions that never expire, password-reset links that work indefinitely, no rate limiting on login attempts. Any of these allows an attacker to impersonate a user. The fix is using established authentication libraries (not writing your own), hashing passwords with a strong algorithm such as bcrypt or Argon2, and implementing session expiry.

Sensitive Data Exposure: secrets (API keys, database credentials, passwords) hardcoded in source code, logged to a console in production, or returned in API responses that do not need them. A repository accidentally pushed to GitHub with an API key embedded is a classic example. The fix is environment variables for all secrets, secret scanning before commits, and minimum-necessary data in API responses.

Injection Is the Number One Vulnerability for a Reason

SQL injection alone has been responsible for some of the largest data breaches in history. The reason it persists is not that developers do not know about it — it is that AI-generated code frequently defaults to string concatenation for queries, and developers accept that code without review. One parameterized query instead of one concatenated string eliminates this entire class of vulnerability.
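The difference between the two query styles, as an added example that is not part of the original lesson: it runs the input quoted above against a concatenated query and a parameterized one on an in-memory SQLite database. The table layout and function names are assumptions, and `executescript` stands in for a database driver that accepts several statements in one call.

```python
import sqlite3

# The input quoted in the lesson text.
PAYLOAD = "'; DROP TABLE users; --"

def make_db():
    # Constructed sample data in a throwaway in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def search_concatenated(conn, name):
    # VULNERABLE: the input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as more SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "';"
    conn.executescript(sql)  # assumption: driver allows stacked statements

def search_parameterized(conn, name):
    # FIXED: the SQL text is constant; the input is bound as a value and is
    # only ever compared against the name column.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

def demo():
    unsafe_db = make_db()
    search_concatenated(unsafe_db, PAYLOAD)
    safe_db = make_db()
    rows = search_parameterized(safe_db, PAYLOAD)
    return {
        "table_survives_concatenation": table_exists(unsafe_db, "users"),
        "table_survives_parameterized": table_exists(safe_db, "users"),
        "rows_for_payload": rows,
        "rows_for_alice": search_parameterized(safe_db, "alice"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```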

Additional habits every builder should adopt:

Validate on the server, not just the client: a JavaScript validation in the browser is easy to bypass by anyone who knows how to open browser developer tools. Any validation that matters for security must happen on the server — client-side validation is a user-experience convenience only.

Principle of least privilege: any component of your system should have the minimum access necessary to do its job. A database user account for your web application probably does not need DROP TABLE privileges. A user-facing API endpoint probably does not need to read the entire users table.

Never log secrets: log files persist, are often transmitted, and are sometimes inadvertently exposed. Never log passwords, tokens, API keys, or personally identifiable information that is not essential for debugging.

Keep dependencies updated: almost every major dependency vulnerability (a security flaw in a library you use) has a patch available. Running npm audit, pip check, or equivalent regularly and applying updates promptly closes many attack vectors automatically.

Reviewing AI Code for Security

When AI generates code that touches user input, authentication, or data storage, apply this mental checklist:

  1. Is any user-supplied value concatenated into a SQL query, shell command, or file path? If yes, replace with parameterized query or input sanitization.
  2. Are passwords stored as plain text? If yes, use a cryptographic hash function.
  3. Are any secrets (API keys, credentials) hardcoded in the code? If yes, move them to environment variables immediately.
  4. Does the code validate input on the server before using it? If no, add validation.
  5. Does any response include more data than the caller needs? If yes, filter the response to minimum-necessary fields.
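A login check that passes all five questions, as an added example that is not part of the original lesson; each comment names the checklist item it answers. The schema, the username policy and the function names are assumptions, and scrypt from the Python standard library stands in for the bcrypt or Argon2 named earlier.

```python
import hashlib
import hmac
import os
import re
import secrets
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")  # assumed username policy
FAIL = {"ok": False, "error": "invalid credentials"}  # same reply for every failure

def require_secret(name):
    # Check 3: secrets come from the environment, never from source code.
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"missing required secret: {name}")
    return value

def hash_password(password, salt=None):
    # Check 2: salted, deliberately slow hash. scrypt (standard library) is
    # used here in place of bcrypt/Argon2, which need third-party packages.
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def make_db():
    # Constructed sample data: one user in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,"
                 " email TEXT, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct horse battery staple")
    conn.execute("INSERT INTO users (name, email, salt, pw_hash) VALUES (?, ?, ?, ?)",
                 ("alice", "alice@example.test", salt, digest))
    return conn

def login(conn, username, password):
    # Check 4: validate type, shape and length on the server.
    if not (isinstance(username, str) and USERNAME_RE.fullmatch(username)):
        return FAIL
    if not (isinstance(password, str) and 8 <= len(password) <= 128):
        return FAIL
    # Check 1: the username is bound as a parameter, not concatenated.
    row = conn.execute("SELECT id, name, salt, pw_hash FROM users WHERE name = ?",
                       (username,)).fetchone()
    # Unknown user: hash anyway so the reply takes about as long either way.
    salt = row[2] if row else b"\x00" * 16
    _, candidate = hash_password(password, salt)
    if row is None or not hmac.compare_digest(candidate, row[3]):
        return FAIL
    # Check 5: return only what the caller needs (no email, salt or hash).
    return {"ok": True, "user": {"id": row[0], "name": row[1]}}
```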


AI Does Not Write Secure Code by Default

Multiple independent studies have found that AI-generated code contains security vulnerabilities at a higher rate than carefully-reviewed human-written code. This is not a flaw to wait for a future model version to fix — it is your responsibility to check right now, on every piece of code you integrate.

A web application takes a username from a form and runs this query: 'SELECT * FROM users WHERE name = ' + username. What vulnerability does this create and what is the correct fix?

A developer stores a third-party API key directly in a JavaScript file that is committed to a public GitHub repository. Which security principle does this violate, and what is the immediate risk?

Security Audit Simulation

  1. Step 1: Ask an AI to write a simple login form handler that accepts a username and password and checks them against a database.
  2. Step 2: Review the code using the five-question security checklist from this lesson. Write a finding for each question.
  3. Step 3: Identify the most critical vulnerability. Write one sentence explaining the exact risk it creates for a real user.
  4. Step 4: Describe precisely (without necessarily rewriting the entire function) what change would fix each vulnerability. For the most critical, describe the fix in enough detail that a classmate could implement it.
  5. Step 5: Look up the OWASP Top 10 page online and identify which category your most critical finding belongs to.