How to Secure Your Vibe Coded App
45% of AI-generated code has vulnerabilities. Escape.tech found 2,000+ vulnerabilities in 5,600 vibe-coded apps. This guide shows you exactly what to check and how to fix it.
1. Why Vibe Coding Security Matters
Vibe coding changed who can build software. Lovable processes 200,000 new projects daily. Cursor hit $2.5B ARR. Google AI Studio added full-stack app generation. The barrier to creating software has effectively disappeared.
The barrier to creating secure software has not.
AI coding tools optimize for "does it work," not "is it safe." They generate functional code quickly, but that code routinely ships with hardcoded API keys, missing authentication, open database rules, and exposed configuration files. The developer using the tool often doesn't know these problems exist until they're exploited.
This isn't theoretical. Escape.tech scanned 5,600 publicly deployed vibe-coded apps and found over 2,000 vulnerabilities and 400 exposed secrets. Tenzai found 69 vulnerabilities in just 15 apps across 5 AI coding tools. CodeRabbit's analysis of 470 pull requests found AI-assisted code introduces 2.74x more XSS vulnerabilities than human-written code.
The good news: most of these vulnerabilities are fixable. Many are simple configuration issues. You don't need to become a security expert. You need to know what to check.
2. The 7 Most Common Vulnerabilities in Vibe Coded Apps
Exposed API Keys and Secrets
[Critical] AI tools frequently generate code with hardcoded API keys, database passwords, and authentication tokens directly in source files. When pushed to a public GitHub repo, automated bots can harvest these credentials within minutes.
Store all secrets in environment variables (.env files). Add .env to .gitignore. Use different keys for development and production. Rotate any key that has ever been committed to git history, even if it was later removed; rewriting history does not un-leak a key that was already public.
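One way to catch hardcoded secrets before they reach a repository is a small pattern scanner run over the source text. The code below is an added example, not the guide's own scanner; the rule set, the sample source file and the .gitignore check are constructed for this illustration and the key values in the sample are documented placeholders, not real credentials.

```javascript
// Added example (not from the original guide): flag hardcoded secrets in
// source text and confirm that .gitignore actually excludes .env.
// The rule list below is an illustrative assumption, not a complete ruleset.
const SECRET_PATTERNS = [
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "Stripe secret key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b/ },
  { name: "Postgres connection string with password", re: /postgres(?:ql)?:\/\/[^:\s]+:[^@\s]+@/i },
  { name: "Generic secret assignment", re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i },
  { name: "Private key block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Reading from the environment is the safe pattern, so such lines are skipped.
const ENV_READ = /process\.env\.|import\.meta\.env\.|os\.environ/;

// Returns one finding per line that matches a rule: { line, rule, snippet }.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    if (ENV_READ.test(line)) return;
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, rule: name, snippet: line.trim().slice(0, 60) });
        break; // one finding per line is enough to fail the check
      }
    }
  });
  return findings;
}

// True when a .gitignore line excludes the .env file itself (not only .env.local etc).
function gitignoreCoversEnv(gitignoreText) {
  const covering = new Set([".env", "/.env", ".env*", "*.env"]);
  return gitignoreText.split("\n").map((l) => l.trim()).some((l) => covering.has(l));
}

// Constructed sample input: three leaked secrets plus one correct env read.
// "AKIAIOSFODNN7EXAMPLE" is the AWS documentation example key; the others are placeholders.
const SAMPLE_SOURCE = `
import Stripe from "stripe";
const stripe = new Stripe("sk_test_EXAMPLEPLACEHOLDER1234567890");
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const DATABASE_URL = "postgresql://app:hunter2@db.example.internal:5432/prod";
const safe = process.env.STRIPE_SECRET_KEY;
`;

const SAMPLE_GITIGNORE = "node_modules\n.env\ndist\n";

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.rule} -> ${f.snippet}`);
}
console.log(".env ignored:", gitignoreCoversEnv(SAMPLE_GITIGNORE));
```

Run it over the files an AI tool just generated before the first commit; any finding means the value belongs in the environment, and if the commit already happened, the key must be rotated regardless of what the scanner reports afterwards.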
Missing Authentication on Sensitive Routes
[Critical] AI generates CRUD endpoints that work perfectly but have no authentication checks. Anyone who discovers the URL can read, modify, or delete data.
Add authentication middleware to all routes that handle user data, payments, or admin functions. Verify tokens server-side, not just client-side.
Firebase/Supabase Misconfiguration
[Critical] Lovable and Bolt frequently generate Firebase apps with open read/write rules or Supabase databases without Row Level Security. This means anyone can read or modify your entire database.
Enable Firebase security rules that restrict access by user. Enable Supabase RLS on every table. Test by trying to access data without authentication.
SQL Injection
[High] AI often generates database queries that concatenate user input directly into SQL strings instead of using parameterized queries.
Use parameterized queries or an ORM (like Prisma or Drizzle). Never concatenate user input into SQL strings.
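To make the difference concrete, here is an added example (not from the guide) showing the concatenated query beside its parameterized form, in the `{ text, values }` shape that node-postgres (`pg`) accepts for `client.query`. The `countConditions` helper is a deliberately crude tokenizer constructed for this illustration: it strips single-quoted literals and counts the WHERE-clause conditions that remain, which is enough to show that concatenated input rewrites the query's structure while a parameterized query's text never changes.

```javascript
// Added example, not the guide's code. The unsafe builder is shown only so the
// failure is visible; the parameterized one is the form to use (or an ORM).

// Vulnerable: the user's input becomes part of the SQL text itself.
function findUserUnsafe(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// Parameterized: the SQL text is fixed; the driver sends the value separately,
// so it can only ever be compared as data. Shape matches pg's client.query(text, values).
function findUserSafe(email) {
  return { text: "SELECT id, email FROM users WHERE email = $1", values: [email] };
}

// Crude structural check (constructed for this example): drop everything inside
// single-quoted literals, then count conditions after WHERE. A correct query here
// has exactly one; any extra AND/OR means input was parsed as SQL, not as a value.
function countConditions(sql) {
  let outside = "", inQuote = false;
  for (const ch of sql) {
    if (ch === "'") { inQuote = !inQuote; continue; }
    if (!inQuote) outside += ch;
  }
  const where = outside.split(/\bWHERE\b/i)[1] || "";
  return where.trim() === "" ? 0 : 1 + (where.match(/\b(AND|OR)\b/gi) || []).length;
}

const normal = "alice@example.com";
const hostile = "' OR '1'='1"; // classic textbook payload, used here only to show the effect

console.log("unsafe, normal input  :", countConditions(findUserUnsafe(normal)), "condition(s)");
console.log("unsafe, hostile input :", countConditions(findUserUnsafe(hostile)), "condition(s)");
console.log("safe, hostile input   :", countConditions(findUserSafe(hostile).text), "condition(s), value =", findUserSafe(hostile).values[0]);
```

The same rule applies to ORMs: Prisma's `prisma.user.findMany({ where: { email } })` and Drizzle's `eq(users.email, email)` both bind the value, whereas raw-query escape hatches such as `$queryRawUnsafe` reintroduce the concatenation problem and should be searched for during review.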
Missing Security Headers
[Medium] Most vibe-coded apps deploy without Content-Security-Policy, HSTS, X-Frame-Options, or X-Content-Type-Options headers. This leaves them vulnerable to XSS, clickjacking, and MIME sniffing attacks.
Add security headers in your deployment configuration (next.config.js, vercel.json, or server middleware). Use a header checker tool to verify.
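As an added example (not the guide's or any platform's own configuration), the block below writes the four headers the guide names in the shape `next.config.js` expects from its `headers()` function, and pairs them with a checker that grades a live response's headers against that list, including the wildcard-CORS item from the checklist. The CSP value, the one-year HSTS threshold and the finding wording are assumptions chosen for this example; a real CSP will need the origins your front end actually loads from.

```javascript
// Added example, not the guide's code. Header values are a strict starting point.
const SECURITY_HEADERS = [
  { key: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
];

// next.config.js shape: in a Next.js project this object is module.exports.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
  },
};

// Convenience for testing: the headers above as a plain object.
function headersFromConfig() {
  return Object.fromEntries(SECURITY_HEADERS.map((h) => [h.key, h.value]));
}

const ONE_YEAR_SECONDS = 31536000; // assumed minimum HSTS max-age for this check

// Grades a response's headers (any object; keys are matched case-insensitively,
// so fetch(...).headers or http.IncomingMessage.headers both work after Object.fromEntries).
function checkHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const { key } of SECURITY_HEADERS) {
    if (!(key.toLowerCase() in h)) findings.push(`missing ${key}`);
  }
  if (h["x-content-type-options"] && h["x-content-type-options"].toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  if (h["strict-transport-security"]) {
    const m = /max-age=(\d+)/i.exec(h["strict-transport-security"]);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) findings.push("HSTS max-age below one year");
  }
  if (h["content-security-policy"] && /unsafe-inline|unsafe-eval/.test(h["content-security-policy"])) {
    findings.push("CSP permits unsafe-inline or unsafe-eval");
  }
  if (h["access-control-allow-origin"] === "*") findings.push("CORS allows any origin (*)");
  return findings;
}

// Constructed sample: a typical default deployment with no headers configured.
console.log("bare deployment:", checkHeaders({ "content-type": "text/html" }));
console.log("configured deployment:", checkHeaders(headersFromConfig()));
nextConfig.headers().then((rules) => console.log("next.config.js rules:", rules.length));
```

For a deployed site, feed `Object.fromEntries((await fetch(url, { method: "HEAD" })).headers)` into `checkHeaders`; an empty array means the checklist's header items pass. For `vercel.json` the same key/value pairs go under its `headers` array, and an Express app can set them with `res.setHeader` in one middleware.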
Exposed Configuration Files
[Medium] Deployment misconfigurations can leave .env files, .git directories, or debug endpoints accessible at public URLs.
Configure your web server or platform to block access to dotfiles and configuration directories. Test by trying to access /.env and /.git/config on your live site.
Insecure Dependencies
[Medium] AI tools often install packages without checking for known vulnerabilities. Outdated or compromised packages in your dependency tree can be exploited.
Run 'npm audit' regularly. Update dependencies promptly. Remove packages you're not using. Consider using 'npm audit fix' for automatic patches.
3. Step-by-Step: Secure Your App in 15 Minutes
Scan your source code
(~2 min) Go to VibeCheck and paste your GitHub repository URL. The scanner will analyze your code for exposed secrets, missing authentication, database misconfigurations, and more. No signup required.
Scan your live site
(~2 min) Switch to the "Live Site" tab and enter your deployed URL. This checks security headers, exposed files, CORS configuration, and cookie security on your actual running application.
Fix critical issues
(~5 min) Start with anything marked Critical (red). For each finding, copy the fix prompt and paste it into your AI coding tool. The AI will generate the fix for you.
Fix warnings
(~5 min) Address warning-level issues next. These are things like missing security headers or broad CORS policies that aren't immediately exploitable but weaken your security posture.
Re-scan and verify
(~1 min) Run both scans again to confirm your fixes worked. Aim for a Grade A (90+) score. Share your VibeCheck badge in your README to show your app has been audited.
4. Complete Vibe Coding Security Checklist
Use this checklist before deploying any vibe-coded app to production. Print it, bookmark it, or screenshot it.
Secrets & API Keys
- No API keys, tokens, or passwords in source code
- All secrets stored in environment variables (.env)
- .env file listed in .gitignore
- No secrets committed in git history (check with git log)
- Different API keys for development and production
Authentication & Authorization
- All sensitive routes require authentication
- Admin routes have proper role checks
- Password reset flows use secure tokens
- Session tokens have expiration times
- No hardcoded user credentials in code
Database Security
- Supabase: Row Level Security (RLS) enabled on all tables
- Firebase: Security rules configured (not open read/write)
- No raw SQL queries with user input (use parameterized queries)
- Database connection strings not exposed in client code
- Backup and recovery plan in place
API & Network Security
- HTTPS enforced (no HTTP fallback)
- CORS configured to specific origins (not wildcard *)
- Rate limiting on public API endpoints
- Input validation on all user-submitted data
- Error messages don't expose internal details
Deployment & Headers
- Content-Security-Policy header set
- X-Frame-Options header set (prevent clickjacking)
- X-Content-Type-Options: nosniff
- Strict-Transport-Security (HSTS) enabled
- No sensitive files accessible publicly (.env, .git, etc.)
Dependencies & Supply Chain
- No known vulnerable dependencies (run npm audit)
- Lock file (package-lock.json) committed
- Dependencies from trusted sources only
- Regular dependency updates scheduled
- No unnecessary packages installed
5. Platform-Specific Security Guides
Lovable
Common issues: 10.3% of apps have critical RLS flaws. Firebase config often exposed in client code. Default Supabase setup lacks row-level security.
Priority fix: Enable Supabase RLS immediately. Check for hardcoded Supabase URLs and anon keys in client bundles.
Bolt.new
Common issues: Rapid deployment means security review often skipped entirely. Environment variables sometimes bundled into client code.
Priority fix: Verify .env files aren't in the build output. Check all API endpoints have authentication.
Cursor
Common issues: Full codebase access means AI may modify security-critical files. Generated test credentials sometimes left in production code.
Priority fix: Review git diff before committing. Search for TODO, FIXME, and test/example credentials.
Firebase
Common issues: Default security rules allow open read/write. Client-side Firebase config is public by design but rules must restrict data access.
Priority fix: Write proper Firestore/RTDB security rules. Test rules in Firebase console emulator. Restrict API key to your domain.
Supabase
Common issues: RLS disabled by default on new tables. Service role key sometimes used client-side. Direct database URLs exposed.
Priority fix: Enable RLS on EVERY table. Only use anon key client-side. Add policies for all CRUD operations.
Next.js
Common issues: API routes created without authentication middleware. Server actions may expose internal logic. next.config.js security headers often missing.
Priority fix: Add auth middleware to API routes. Configure security headers in next.config.js. Use server-only imports for sensitive code.
6. Frequently Asked Questions
Is vibe coding secure?
Not by default. Research shows 45% of AI-generated code contains security vulnerabilities (Veracode 2025). Escape.tech scanned 5,600 vibe-coded apps and found over 2,000 vulnerabilities and 400 exposed secrets. However, vibe-coded apps can be made secure with proper review and scanning.
What are the most common security vulnerabilities in vibe coded apps?
The most common issues are: exposed API keys and secrets in source code, missing authentication on sensitive routes, hardcoded database credentials, missing Row Level Security (RLS) on Supabase databases, Firebase misconfiguration without server-side validation, SQL injection via unsanitized inputs, and missing security headers on deployed sites.
How do I check if my vibe coded app is secure?
Use a vibe coding security scanner like VibeCheck (free, no signup) to scan your GitHub repository for vulnerabilities. You should also scan your deployed URL for missing security headers, exposed files, and CORS misconfigurations. Check our comparison page for a full list of available scanners.
Do I need to know coding to secure a vibe coded app?
No. Tools like VibeCheck explain every finding in plain English and provide copy-paste fix prompts you can give back to your AI coding tool. You don't need to understand the code to fix the issues.
Is Lovable secure? Is Bolt secure? Is Cursor secure?
These tools generate functional code quickly, but security is not their primary focus. Lovable's own data showed 10.3% of apps had critical Row Level Security flaws. The security of the output depends on your prompts and review process. All AI-generated code should be scanned before deploying to production.
What is the biggest security risk in vibe coding?
Exposed secrets (API keys, database passwords, tokens) committed to public GitHub repositories. Escape.tech found 400 exposed secrets across 5,600 vibe-coded apps. Once a secret is in a public repo, bots can harvest it within minutes.
How much does it cost to secure a vibe coded app?
Basic security scanning is free. VibeCheck offers free scanning with no signup required. For most solo founders and side projects, free tools are sufficient. Enterprise-grade solutions like Snyk, Semgrep, or Aikido range from $0 (free tiers) to $100+/month.
Can AI fix the security vulnerabilities it creates?
Yes, in most cases. When a scanner identifies a vulnerability, you can paste the finding and fix suggestion back into your AI coding tool (Cursor, Lovable, Bolt) and it will typically generate the correct fix. VibeCheck provides copy-paste fix prompts specifically designed for this workflow.
Ready to Check Your App?
VibeCheck scans your GitHub repo and deployed URL for security vulnerabilities. Free. No signup. Results in seconds.