Vibe Coding Security: What AI Gets Wrong About Your App's Safety
"Vibe coding" — using AI tools like Lovable, Bolt, Cursor, Replit, and Base44 to build apps from natural language prompts — is the fastest way to go from idea to production. You describe what you want, and the AI writes the code.
But there's a catch: AI optimises for functionality, not security.
We've analysed hundreds of AI-generated applications across every major vibe coding platform. The patterns are consistent, predictable, and fixable. Here's what you need to know.
The 7 Security Mistakes Every AI Code Generator Makes
1. Hardcoded Secrets in Client-Side Code
This is the most common and most dangerous mistake. AI models routinely place API keys, database connection strings, and third-party service credentials directly in frontend JavaScript.
Why it happens: The AI is trying to make your app work in the fewest steps possible. Moving secrets to environment variables adds complexity.
What we find:
```javascript
// AI generates this in your React component
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  'https://abc123.supabase.co',
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' // ← Your service role key, exposed
);
```
The risk: Anyone who views your page source can extract these keys and access your database, payment system, or email service directly.
The fix: Use environment variables (process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY) and never expose service_role keys to the client. Only the anon key should be in frontend code.
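A check you can run against your own built bundle, as an added example that is not code from the original article: it finds JWT-shaped strings, decodes the payload and reports the `role` claim, relying on JWT-format Supabase API keys carrying `role` set to `anon` or `service_role`. The function names and the sample bundle are constructed for illustration.

```javascript
// Added example: flag Supabase service_role keys that ended up in a client bundle.
// A JWT-shaped string is three base64url segments; "eyJ" is the encoding of '{"'.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function findSupabaseKeys(bundleText) {
  const findings = [];
  for (const match of bundleText.matchAll(JWT_RE)) {
    const token = match[0];
    let claims;
    try {
      // Decoding needs no secret: a JWT payload is only encoded, not encrypted.
      claims = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    } catch {
      continue; // looked like a JWT but the payload is not JSON
    }
    if (claims === null || typeof claims.role !== 'string') continue;
    findings.push({
      role: claims.role,
      offset: match.index,
      // service_role bypasses Row Level Security, so it must never ship to a browser.
      severity: claims.role === 'service_role' ? 'critical' : 'info',
      preview: token.slice(0, 12) + '...', // never log the whole key
    });
  }
  return findings;
}

// Constructed sample data: unsigned look-alike keys, not real credentials.
function fakeKey(role) {
  const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return [seg({ alg: 'HS256', typ: 'JWT' }), seg({ iss: 'supabase', role }), 'constructed-signature'].join('.');
}

const SAMPLE_BUNDLE = `
  const a = createClient("https://project.example", "${fakeKey('anon')}");
  const b = createClient("https://project.example", "${fakeKey('service_role')}");
`;

for (const f of findSupabaseKeys(SAMPLE_BUNDLE)) {
  console.log(`${f.severity}: role=${f.role} at offset ${f.offset} (${f.preview})`);
}
```

Run it over the text of each file in your build output; a `critical` finding means the key should be rotated as well as removed from the bundle.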
2. Missing Authentication Middleware
AI-generated apps often have login pages that look correct but don't actually protect routes. The AI creates the UI for auth but skips the middleware that prevents unauthenticated access to protected pages and API endpoints.
What we find:
- Protected pages accessible by typing the URL directly
- API routes that don't verify JWT tokens
- Admin panels with no role-based access control
The fix: Add authentication middleware to every protected route. In Next.js, use middleware.ts. In Supabase Edge Functions, verify the JWT on every request.
3. No Rate Limiting
Zero AI code generators add rate limiting by default. This means:
- Login forms can be brute-forced
- Password reset flows can be spammed
- API endpoints can be abused to rack up your hosting bill
The fix: Use middleware-based rate limiting (e.g., @upstash/ratelimit for Next.js) or configure rate limits in your Supabase project settings.
4. Disabled or Missing Row Level Security
Every vibe coder using Supabase has seen this: the AI creates tables but doesn't enable Row Level Security (RLS). Without RLS, the anon key grants full read/write access to every row in every table.
What we find: Supabase projects where SELECT * from any table returns every user's data — emails, passwords, payment info — all accessible from the browser console.
The fix: Enable RLS on every table and create policies that restrict access based on auth.uid(). See our dedicated guide: How to Secure a Supabase App.
5. Missing Security Headers
AI-generated apps deployed to Vercel, Netlify, or Railway almost never include security headers. These headers are your first line of defence against common web attacks.
What's usually missing:
| Header | Prevents |
|---|---|
| Content-Security-Policy | XSS attacks |
| X-Frame-Options | Clickjacking |
| X-Content-Type-Options | MIME sniffing |
| Strict-Transport-Security | Downgrade attacks |
The fix: Add a vercel.json, netlify.toml, or middleware that sets these headers on every response. Full guide: Security Headers Every Web App Needs.
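To confirm the headers actually reach the browser, the following added example (not code from the original article) audits one response's headers against the four in the table and also flags values that are present but ineffective. The rule set, the one-year HSTS threshold and the sample responses are assumptions made for this example.

```javascript
// Added example: audit one response's headers against the table above.
// Each rule returns null when the value is acceptable, otherwise a reason string.
const HEADER_RULES = {
  'content-security-policy': (v) =>
    /(^|;)\s*(default-src|script-src)\s/i.test(v) ? null : 'no default-src or script-src directive',
  'x-frame-options': (v) =>
    /^(deny|sameorigin)$/i.test(v.trim()) ? null : 'expected DENY or SAMEORIGIN',
  'x-content-type-options': (v) =>
    v.trim().toLowerCase() === 'nosniff' ? null : 'expected nosniff',
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    // Assumed threshold for this example: one year (31536000 seconds).
    return m && Number(m[1]) >= 31536000 ? null : 'max-age missing or below 31536000';
  },
};

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise before looking anything up.
  const seen = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, check] of Object.entries(HEADER_RULES)) {
    if (!seen.has(name)) {
      findings.push({ header: name, issue: 'missing' });
      continue;
    }
    const reason = check(seen.get(name));
    if (reason) findings.push({ header: name, issue: `weak: ${reason}` });
  }
  return findings;
}

// Constructed samples: a typical default response and a hardened one.
const DEFAULT_RESPONSE = { 'Content-Type': 'text/html', 'X-Frame-Options': 'ALLOWALL',
  'Strict-Transport-Security': 'max-age=300' };
const HARDENED_RESPONSE = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
};
console.log(auditSecurityHeaders(DEFAULT_RESPONSE));
```

For a live check against your own deployment, pass `Object.fromEntries(response.headers)` from a `fetch` call.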
6. Client-Side Only Validation
AI models love adding form validation in React — required fields, email format checks, password strength meters. But they rarely duplicate that validation server-side.
The risk: Attackers don't use your pretty form. They send raw HTTP requests directly to your API with whatever data they want.
The fix: Validate every input on the server. Use libraries like zod or joi in your API routes and Edge Functions.
7. Overly Permissive CORS
When the AI encounters a CORS error during development, it typically adds Access-Control-Allow-Origin: * — allowing any website to make requests to your API.
The risk: An attacker can create a malicious website that makes authenticated requests to your API using your users' cookies.
The fix: Set CORS to only allow your own domains: Access-Control-Allow-Origin: https://yourdomain.com.
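One way to produce that header per request, as an added example that is not code from the original article: the server echoes the request's `Origin` only when it exactly matches an allowlist entry. `https://yourdomain.com` is the article's placeholder; the second allowlist entry, the function names and the allowed methods are assumptions.

```javascript
// Added example: answer CORS per request from an exact-match allowlist instead of "*".
const ALLOWED_ORIGINS = new Set([
  'https://yourdomain.com',
  'https://app.yourdomain.com', // hypothetical second frontend
]);

function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin); // throws for the literal "null" and other non-URLs
  } catch {
    return false;
  }
  // Compare the whole serialised origin. Substring or suffix checks would accept
  // look-alikes such as https://yourdomain.com.example.net
  return parsed.origin === origin && ALLOWED_ORIGINS.has(origin);
}

function corsHeaders(method, requestOrigin) {
  // Vary: Origin stops a shared cache serving one origin's answer to another.
  const headers = { Vary: 'Origin' };
  if (!isAllowedOrigin(requestOrigin)) return headers; // no allow header: the browser blocks the read
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  // Credentials are only valid alongside one explicit origin, never alongside "*".
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') {
    // Preflight: state exactly which methods and request headers are accepted.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

console.log(corsHeaders('GET', 'https://yourdomain.com'));
console.log(corsHeaders('GET', 'https://yourdomain.com.example.net'));
```

CORS only governs what browsers let other sites read, so every endpoint still needs its own authentication check.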
Platform-Specific Issues
Lovable
- Frequently embeds Supabase service_role keys in frontend code
- Generated components may use dangerouslySetInnerHTML without sanitisation
- Authentication flows skip session validation on protected routes
Bolt
- Often generates .env files that get committed to public repos
- Server functions may not validate request origins
- Dependency versions tend to be outdated
Cursor
- Generates code that's generally more secure than prompt-only tools
- Still skips rate limiting and security headers
- May suggest insecure patterns when prompted broadly
Replit
- Secrets management is available but AI doesn't always use it
- Deployed apps may expose debugging endpoints
- Default CORS configuration is often too permissive
Base44
- Similar patterns to Lovable with Supabase integration
- Auth flows may have incomplete session management
- Generated API routes lack input validation
How to Scan Your Vibe-Coded App
You don't need to be a security expert. You need a tool that understands how AI-generated apps work.
Proveably was built for this. Here's how it works:
- Paste your URL — We scan your live app with 20+ security tools
- Get results in 30 seconds — We check for all 7 issues above plus 50+ more
- Fix with AI — Every finding comes with a code fix you can copy and paste
- Embed a security badge — Show your users you're continuously scanned
Our scanner includes custom vibe code rules — Semgrep rules specifically designed to catch the security patterns AI code generators create.
Don't Let Speed Kill Security
Vibe coding is the future of software development. But "move fast" doesn't have to mean "move recklessly." Take 30 seconds to scan your app. Fix the critical issues. Embed the badge. Ship with confidence.