developers do(but honestly devs are much more rarely do these mistakes)
non-devs have no idea about security at all, except that they need login page lol