I've been building VibeSafe — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.
I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.
The results are worse than I expected.
Executive Summary
5 out of 5 apps had security issues. Zero had a Content Security Policy. 33 total findings.
| Severity | Count |
|---|---|
| 🔴 CRITICAL | 6 |
| 🟠 HIGH | 9 |
| 🟡 MEDIUM | 18 |
| TOTAL | 33 |
1. NewMom.help — Bolt + Supabase
Built by a non-technical founder. Maternal health platform. 1M+ impressions at launch.
🔴 CRITICAL — VibeSafe verdict: "Your app is leaking data"
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL | .env and .env.local publicly accessible — anyone can grab credentials |
| 🔴 Source Control | FAIL | /.git/ exposed — full repo history downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing — zero XSS protection |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing — SSL downgrade possible |
| 🟡 X-Frame-Options | FAIL | Missing — clickjacking vulnerability |
| 🟡 X-Content-Type-Options | FAIL | Missing — MIME-sniffing attacks possible |
| 🟡 Referrer-Policy | FAIL | Missing — referrer leakage |
| 🟡 Auth Rate Limiting | WARN | /api/auth/login detected — no rate limiting |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
2. Disko.is — Replit + React
SMS loyalty platform with member data. Built by a solo founder in Iceland.
🔴 CRITICAL — Same pattern as NewMom
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL | .env and .env.local publicly accessible |
| 🔴 Source Control | FAIL | /.git/ exposed — full repo downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing |
| 🟡 Referrer-Policy | FAIL | Missing |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without protection |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
3. AltCloud.dev — Lovable + Bolt + Supabase
Built by an experienced CTO. SaaS platform.
🔴 CRITICAL — Git history and server internals exposed
| Category | Status | Detail |
|---|---|---|
| 🔴 Source Control | FAIL | /.git/ exposed — full repo leaked |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 Server Internals | FAIL | __pycache__/ directory exposed publicly |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without rate limiting |
Notable: This was the only app that handled environment variables properly in source code — no committed .env files. But the live site was leaking git history and Python cache directories.
7 issues found (2 critical, 2 high, 2 medium, 1 low)
4. SleepingBaby.info — Cursor + Next.js + MongoDB
Parenting app by a solo developer. Entire app built in 450 tokens.
🟠 HIGH RISK — Best of the bunch, but still gaps
| Category | Status | Detail |
|---|---|---|
| ✅ SSL/TLS | PASS | Valid certificate |
| ✅ .env Files | PASS | No exposed environment files |
| ✅ .git Directory | PASS | Not exposed |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing — zero XSS protection |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing — MIME-sniffing risk |
| 🟡 Auth Rate Limiting | FAIL | /api/auth/signin — no rate limiting, brute-force possible |
6 issues found (0 critical, 1 high, 3 medium, 2 low)
5. RemedyHunt.com — Bolt + Supabase + Netlify
Live product on Netlify. Built by a non-technical founder.
🔴 CRITICAL — SSL certificate invalid, browser blocks the site
| Category | Status | Detail |
|---|---|---|
| 🔴 SSL/TLS | FAIL | Certificate is INVALID — certificate verify failed. Browsers show a security warning |
| 🟡 Accessibility | FAIL | Could not check headers — no valid HTTPS connection |
2 issues found (1 critical, 0 high, 1 medium)
The Common Thread
| Issue | Apps Affected |
|---|---|
| ❌ No Content Security Policy (XSS protection) | 5/5 — 100% |
| ❌ No X-Frame-Options (clickjacking) | 5/5 — 100% |
| ❌ No X-Content-Type-Options (MIME sniffing) | 4/5 — 80% |
| ❌ No Referrer-Policy (referrer leakage) | 4/5 — 80% |
| ❌ Auth endpoint without rate limiting | 4/5 — 80% |
| ❌ No or weak HSTS (SSL downgrade) | 3/5 — 60% |
| ❌ .env or .git/ exposed publicly | 3/5 — 60% |
| ❌ No valid SSL certificate | 1/5 — 20% |
The Good News
Not all vibe-coded apps are insecure. The source code scan found some bright spots:
| Project | Stack | Issues | Notes |
|---|---|---|---|
| Obertura | Vite + TypeScript (chess app) | 0 | ✅ Clean scan. Earned the trust badge |
| Autobot | Node.js CLI + Playwright | 0 | ✅ Clean scan |
| Interior Planner | Next.js + Drizzle + Vercel Blob | 10 | Had proper auth system, env vars, .env.example. Issues were missing route auth — fixable in an afternoon |
Some builders do think about security. But the majority ship fast and find out later.
The Fix
| Problem | Fix | Time |
|---|---|---|
| No CSP | Content-Security-Policy: default-src 'self' | 1 minute |
| No X-Frame-Options | X-Frame-Options: DENY | 1 minute |
| No HSTS | Strict-Transport-Security: max-age=31536000 | 1 minute |
| Exposed .env | Add .env to .gitignore, block at host level | 1 minute |
| Exposed .git | Block /.git/ in hosting config | 1 minute |
| No rate limiting | Add middleware (express-rate-limit, @upstash/ratelimit) | 10 minutes |
That's 15 minutes of work to fix 90% of what we found.
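As an added illustration (not VibeSafe's code and not from any of the scanned apps), here is a framework-agnostic Node.js guard that applies the fixes in the table above in one place: it attaches the five headers to every response, refuses to serve .git/, .env* and __pycache__/ paths at any depth, and rate-limits the auth routes with a fixed-window counter keyed by client IP. The `{ path, ip }` request shape, the `/api/auth/` prefix and the limit of 3 attempts per minute are assumptions made for the example.

```javascript
// Added example (not VibeSafe's or any scanned app's code): one guard that
// applies the fixes from the table above to a plain { path, ip } request.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// Never serve VCS metadata, env files or Python caches, at any depth.
const BLOCKED_PATH = /(^|\/)(\.git|\.env[^/]*|__pycache__)(\/|$)/;

function isBlockedPath(pathname) {
  try {
    return BLOCKED_PATH.test(decodeURIComponent(pathname));
  } catch {
    return true; // malformed percent-encoding: refuse rather than guess
  }
}

// Fixed-window limiter keyed by client IP; the clock is injectable for tests.
class FixedWindowLimiter {
  constructor(limit, windowMs, clock = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.clock = clock;
    this.buckets = new Map(); // ip -> { start, count }
  }
  allow(key) {
    const now = this.clock();
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

const AUTH_PATH = /^\/api\/auth\//; // assumed login/signin route prefix

// Returns the status to send and the headers every response must carry.
function guardRequest(req, limiter) {
  const headers = { ...SECURITY_HEADERS };
  if (isBlockedPath(req.path)) return { status: 404, headers };
  if (AUTH_PATH.test(req.path) && !limiter.allow(req.ip)) {
    headers['Retry-After'] = String(Math.ceil(limiter.windowMs / 1000));
    return { status: 429, headers };
  }
  return { status: 200, headers };
}
```

In Express this fits in a single `app.use` middleware: copy `headers` onto `res`, end the response when `status` is not 200, and otherwise call `next()`.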
Why This Matters
These aren't weekend experiments. They're live products with real users:
- A maternal health platform with actual mothers depending on it
- An SMS loyalty club with member data
- A parenting app with user accounts
- A SaaS platform
- A production app on Netlify
They're all clickjackable. All have zero XSS protection. Three are leaking credentials to the public internet right now.
Scanned with VibeSafe v1.0. 16 checks: SSL/TLS, security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy), exposed files (.env, .git), CORS, JS bundle secrets, rate limiting. Source code: Trufflehog secrets, Semgrep static analysis, Supabase RLS, Firebase rules, hardcoded credentials, missing auth, Stripe webhook verification, SQL injection.