<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: kg8888</title>
    <description>The latest articles on DEV Community by kg8888 (@amrakg93).</description>
    <link>https://dev.to/amrakg93</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3990125%2Fda87ede8-1e83-498d-a10a-169eb86ee456.png</url>
      <title>DEV Community: kg8888</title>
      <link>https://dev.to/amrakg93</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/amrakg93"/>
    <language>en</language>
    <item>
      <title>I Built a Security Scanner for AI Apps — Then I Ran It on My Own Site</title>
      <dc:creator>kg8888</dc:creator>
      <pubDate>Sun, 05 Jul 2026 17:50:08 +0000</pubDate>
      <link>https://dev.to/amrakg93/i-built-a-security-scanner-for-ai-apps-then-i-ran-it-on-my-own-site-b9n</link>
      <guid>https://dev.to/amrakg93/i-built-a-security-scanner-for-ai-apps-then-i-ran-it-on-my-own-site-b9n</guid>
      <description>&lt;p&gt;I built &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;VibeSafe&lt;/a&gt; — a 24-check security scanner for apps made with AI coding tools (Cursor, Lovable, Bolt, v0, Replit).&lt;/p&gt;

&lt;p&gt;The idea came from a pattern I kept seeing: AI tools produce code that &lt;em&gt;works&lt;/em&gt;, but rarely code that's &lt;em&gt;secure&lt;/em&gt;. Hardcoded API keys, disabled Row Level Security, missing CSP headers, exposed &lt;code&gt;.env&lt;/code&gt; files. Same issues, different apps.&lt;/p&gt;

&lt;p&gt;Before writing a line of scanner code, I manually audited 5 real vibe-coded apps:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;5/5 had at least one critical vulnerability&lt;/li&gt;
&lt;li&gt;3/5 had exposed API keys in frontend JavaScript&lt;/li&gt;
&lt;li&gt;4/5 had Row Level Security completely disabled&lt;/li&gt;
&lt;li&gt;1/5 had their entire database publicly readable&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Every founder was shocked. None of them knew.&lt;/p&gt;

&lt;p&gt;The Dogfood Test&lt;/p&gt;

&lt;p&gt;So I built the scanner — 24 checks across pre-launch source code and post-launch live URLs.&lt;/p&gt;

&lt;p&gt;Then I ran it on my own site. The worst possible outcome:&lt;/p&gt;

&lt;p&gt;Zero issues. Clean scan. Trust badge earned.&lt;/p&gt;

&lt;p&gt;Not because I'm a security expert. Because I built the scanner to catch exactly what I knew AI tools get wrong — and I fixed each issue before shipping.&lt;/p&gt;

&lt;p&gt;What the Scanner Checks (24 total)&lt;/p&gt;

&lt;p&gt;Pre-launch (10 checks — source code):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Exposed secrets, SQL injection, Supabase RLS, Firebase rules&lt;/li&gt;
&lt;li&gt;Hardcoded credentials, unprotected API routes, Stripe webhook verification&lt;/li&gt;
&lt;li&gt;Dependency CVE audit, DB config exposure&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Post-launch (14 checks — live URL):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SSL/TLS, security headers, exposed files, JS bundle secrets&lt;/li&gt;
&lt;li&gt;CORS, rate limiting, data breach check, source map exposure&lt;/li&gt;
&lt;li&gt;Cookie security, robots.txt analysis, subdomain discovery&lt;/li&gt;
&lt;li&gt;Supply chain / SBOM check, trust badge&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Why I'm Posting This&lt;/p&gt;

&lt;p&gt;I'm running a &lt;em&gt;launch week&lt;/em&gt;. Everything is 40% off with code &lt;code&gt;LAUNCH40&lt;/code&gt;:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Product&lt;/th&gt;
&lt;th&gt;Regular&lt;/th&gt;
&lt;th&gt;Launch Price&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Post-Launch Scan (14 URL checks)&lt;/td&gt;
&lt;td&gt;$19&lt;/td&gt;
&lt;td&gt;$11&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pre-Launch Audit (10 repo checks)&lt;/td&gt;
&lt;td&gt;$39&lt;/td&gt;
&lt;td&gt;$23&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Full Bundle (all 24 checks)&lt;/td&gt;
&lt;td&gt;$49&lt;/td&gt;
&lt;td&gt;$29&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Continuous Protection (weekly)&lt;/td&gt;
&lt;td&gt;$39/mo&lt;/td&gt;
&lt;td&gt;$23/mo&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;One-time pricing, plain-English reports with exact fixes.&lt;/p&gt;

&lt;p&gt;→ &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;vibesafe.store&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;Quick check for your own codebase:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"eyJ"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.js"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.ts"&lt;/span&gt; &lt;span class="nb"&gt;.&lt;/span&gt;     finds JWT tokens
&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"api_key&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;password&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;secret"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.js"&lt;/span&gt; .finds hardcoded creds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You might be surprised what you find.&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
    <item>
      <title>Why Most SaaS Referral Programs Fail (And What to Do About It)</title>
      <dc:creator>kg8888</dc:creator>
      <pubDate>Thu, 02 Jul 2026 11:55:40 +0000</pubDate>
      <link>https://dev.to/amrakg93/why-most-saas-referral-programs-fail-and-what-to-do-about-it-2h8g</link>
      <guid>https://dev.to/amrakg93/why-most-saas-referral-programs-fail-and-what-to-do-about-it-2h8g</guid>
      <description>&lt;p&gt;Every SaaS founder knows word-of-mouth is the cheapest, highest-converting channel. Happy customers tell other founders. A single recommendation can bring in a customer who stays for years.&lt;/p&gt;

&lt;p&gt;Yet most referral programs never take off.&lt;/p&gt;

&lt;p&gt;Not because the idea is wrong — but because the execution is too heavy. You need unique tracking links, click counting, conversion attribution, payout logic, a UI for users to generate their own links, and a way to verify that each referral actually turned into a paying customer. That's weeks of engineering time — time most early-stage teams don't have.&lt;/p&gt;

&lt;p&gt;What if the plumbing already existed?&lt;/p&gt;

&lt;p&gt;I've been working on a small open-source project called RefLinkGen that takes a different approach. Instead of building another dashboard that sits alongside your Stripe account, it works through Stripe. When someone refers a friend, the system creates a real Stripe promotion code. When the friend checks out and applies that code, Stripe records the discount — and a webhook tells the system to credit the referrer.&lt;/p&gt;

&lt;p&gt;The entire loop looks like this:&lt;/p&gt;

&lt;p&gt;User shares a link.&lt;br&gt;
Friend clicks it and goes to checkout with a promo code.&lt;br&gt;
Stripe handles the discount. The system handles the attribution.&lt;br&gt;
No manual coupon creation. No separate payment processing. No reconciling spreadsheets at the end of the month.&lt;/p&gt;

&lt;p&gt;Who benefits from this?&lt;/p&gt;

&lt;p&gt;Indie hackers and solo founders – You have product-market fit but no time to build a referral system from scratch. Two lines of embed code and you're live.&lt;br&gt;
Small SaaS teams – You want a measurable growth loop that your team can track without adding a new tool to your stack.&lt;br&gt;
Product managers testing growth channels – You need an API you can call programmatically, not a feature request that takes three sprints.&lt;br&gt;
Anyone selling through Stripe – If your payment flow already runs on Stripe, adding referral tracking becomes a configuration step, not a project.&lt;br&gt;
Why this matters for growth&lt;/p&gt;

&lt;p&gt;Most referral tools charge a percentage of your revenue or a monthly fee that's higher than your current MRR. When you're pre-revenue or early-stage, that cost kills the experiment before it starts.&lt;/p&gt;

&lt;p&gt;The alternative has always been "build it yourself" — which means time away from your product.&lt;/p&gt;

&lt;p&gt;A lightweight, self-hostable, Stripe-native approach removes both barriers. You can test whether referrals work for your audience without committing engineering resources or a monthly budget. And if the channel proves itself, you scale it — on your own terms.&lt;/p&gt;

&lt;p&gt;No lock-in. No revenue share. Just a tool that does one thing: turn happy customers into a reliable acquisition channel.&lt;/p&gt;

&lt;p&gt;I wrote more about the build process and the design decisions on my GitHub . If you've been thinking about adding a referral program but haven't found the time, it's worth a look.&lt;/p&gt;

</description>
      <category>marketing</category>
      <category>opensource</category>
      <category>saas</category>
      <category>showdev</category>
    </item>
    <item>
      <title>I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here's What I Found</title>
      <dc:creator>kg8888</dc:creator>
      <pubDate>Tue, 23 Jun 2026 12:22:27 +0000</pubDate>
      <link>https://dev.to/amrakg93/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found-4a04</link>
      <guid>https://dev.to/amrakg93/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found-4a04</guid>
      <description>&lt;p&gt;I've been building &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;VibeSafe&lt;/a&gt; — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.&lt;/p&gt;

&lt;p&gt;I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.&lt;/p&gt;

&lt;p&gt;The results are worse than I expected.&lt;/p&gt;




&lt;h2&gt;
  
  
  Executive Summary
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;5 out of 5 apps had security issues.&lt;/strong&gt; Zero had a Content Security Policy. 33 total findings.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;th&gt;Count&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 CRITICAL&lt;/td&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 HIGH&lt;/td&gt;
&lt;td&gt;9&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 MEDIUM&lt;/td&gt;
&lt;td&gt;18&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;TOTAL&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;33&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  1. NewMom.help — Bolt + Supabase
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Built by a non-technical founder. Maternal health platform. 1M+ impressions at launch.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🔴 CRITICAL — VibeSafe verdict: "Your app is leaking data"&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Exposed Files&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;.env&lt;/code&gt; and &lt;code&gt;.env.local&lt;/code&gt; publicly accessible — anyone can grab credentials&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Source Control&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;/.git/&lt;/code&gt; exposed — full repo history downloadable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 CSP Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Content-Security-Policy missing — zero XSS protection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 HSTS Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Strict-Transport-Security missing — SSL downgrade possible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Frame-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — clickjacking vulnerability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Content-Type-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — MIME-sniffing attacks possible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Referrer-Policy&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — referrer leakage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Auth Rate Limiting&lt;/td&gt;
&lt;td&gt;WARN&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;/api/auth/login&lt;/code&gt; detected — no rate limiting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;11 issues found (4 critical, 2 high, 3 medium, 2 low)&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  2. Disko.is — Replit + React
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;SMS loyalty platform with member data. Built by a solo founder in Iceland.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🔴 CRITICAL — Same pattern as NewMom&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Exposed Files&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;.env&lt;/code&gt; and &lt;code&gt;.env.local&lt;/code&gt; publicly accessible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Source Control&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;/.git/&lt;/code&gt; exposed — full repo downloadable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 CSP Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Content-Security-Policy missing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 HSTS Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Strict-Transport-Security missing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Frame-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — clickjackable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Content-Type-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Referrer-Policy&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Auth Rate Limiting&lt;/td&gt;
&lt;td&gt;WARN&lt;/td&gt;
&lt;td&gt;Auth endpoint without protection&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;11 issues found (4 critical, 2 high, 3 medium, 2 low)&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  3. AltCloud.dev — Lovable + Bolt + Supabase
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Built by an experienced CTO. SaaS platform.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🔴 CRITICAL — Git history and server internals exposed&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 Source Control&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;/.git/&lt;/code&gt; exposed — full repo leaked&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 CSP Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Content-Security-Policy missing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 Server Internals&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;__pycache__/&lt;/code&gt; directory exposed publicly&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Frame-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — clickjackable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Auth Rate Limiting&lt;/td&gt;
&lt;td&gt;WARN&lt;/td&gt;
&lt;td&gt;Auth endpoint without rate limiting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Notable:&lt;/strong&gt; This was the only app that handled environment variables properly in source code — no committed &lt;code&gt;.env&lt;/code&gt; files. But the live site was leaking git history and Python cache directories.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;7 issues found (2 critical, 2 high, 2 medium, 1 low)&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  4. SleepingBaby.info — Cursor + Next.js + MongoDB
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Parenting app by a solo developer. Entire app built in 450 tokens.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🟠 HIGH RISK — Best of the bunch, but still gaps&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;✅ SSL/TLS&lt;/td&gt;
&lt;td&gt;PASS&lt;/td&gt;
&lt;td&gt;Valid certificate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;✅ .env Files&lt;/td&gt;
&lt;td&gt;PASS&lt;/td&gt;
&lt;td&gt;No exposed environment files&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;✅ .git Directory&lt;/td&gt;
&lt;td&gt;PASS&lt;/td&gt;
&lt;td&gt;Not exposed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟠 CSP Header&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Content-Security-Policy missing — zero XSS protection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Frame-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — clickjackable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 X-Content-Type-Options&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Missing — MIME-sniffing risk&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Auth Rate Limiting&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;/api/auth/signin&lt;/code&gt; — no rate limiting, brute-force possible&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;6 issues found (0 critical, 1 high, 3 medium, 2 low)&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  5. RemedyHunt.com — Bolt + Supabase + Netlify
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Live product on Netlify. Built by a non-technical founder.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;🔴 CRITICAL — SSL certificate invalid, browser blocks the site&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴 SSL/TLS&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Certificate is INVALID — certificate verify failed. Browsers show a security warning&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡 Accessibility&lt;/td&gt;
&lt;td&gt;FAIL&lt;/td&gt;
&lt;td&gt;Could not check headers — no valid HTTPS connection&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;2 issues found (1 critical, 0 high, 1 medium)&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  The Common Thread
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Issue&lt;/th&gt;
&lt;th&gt;Apps Affected&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;❌ No Content Security Policy (XSS protection)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;5/5 — 100%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ No X-Frame-Options (clickjacking)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;5/5 — 100%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ No X-Content-Type-Options (MIME sniffing)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;4/5 — 80%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ No Referrer-Policy (referrer leakage)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;4/5 — 80%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ Auth endpoint without rate limiting&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;4/5 — 80%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ No or weak HSTS (SSL downgrade)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;3/5 — 60%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ &lt;code&gt;.env&lt;/code&gt; or &lt;code&gt;.git/&lt;/code&gt; exposed publicly&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;3/5 — 60%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;❌ No valid SSL certificate&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;1/5 — 20%&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  The Good News
&lt;/h2&gt;

&lt;p&gt;Not all vibe-coded apps are insecure. The source code scan found some bright spots:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Project&lt;/th&gt;
&lt;th&gt;Stack&lt;/th&gt;
&lt;th&gt;Issues&lt;/th&gt;
&lt;th&gt;Notes&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Obertura&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Vite + TypeScript (chess app)&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;0&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;✅ Clean scan. Earned the trust badge&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Autobot&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Node.js CLI + Playwright&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;0&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;✅ Clean scan&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Interior Planner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Next.js + Drizzle + Vercel Blob&lt;/td&gt;
&lt;td&gt;10&lt;/td&gt;
&lt;td&gt;Had proper auth system, env vars, &lt;code&gt;.env.example&lt;/code&gt;. Issues were missing route auth — fixable in an afternoon&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Some builders do think about security. But the majority ship fast and find out later.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Fix
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Problem&lt;/th&gt;
&lt;th&gt;Fix&lt;/th&gt;
&lt;th&gt;Time&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;No CSP&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Content-Security-Policy: default-src 'self'&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;1 minute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;No X-Frame-Options&lt;/td&gt;
&lt;td&gt;&lt;code&gt;X-Frame-Options: DENY&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;1 minute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;No HSTS&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Strict-Transport-Security: max-age=31536000&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;1 minute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Exposed .env&lt;/td&gt;
&lt;td&gt;Add &lt;code&gt;.env&lt;/code&gt; to &lt;code&gt;.gitignore&lt;/code&gt;, block at host level&lt;/td&gt;
&lt;td&gt;1 minute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Exposed .git&lt;/td&gt;
&lt;td&gt;Block &lt;code&gt;/.git/&lt;/code&gt; in hosting config&lt;/td&gt;
&lt;td&gt;1 minute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;No rate limiting&lt;/td&gt;
&lt;td&gt;Add middleware (express-rate-limit, @upstash/ratelimit)&lt;/td&gt;
&lt;td&gt;10 minutes&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That's &lt;strong&gt;15 minutes of work&lt;/strong&gt; to fix 90% of what we found.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why This Matters
&lt;/h2&gt;

&lt;p&gt;These aren't weekend experiments. They're live products with real users:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A maternal health platform with actual mothers depending on it&lt;/li&gt;
&lt;li&gt;An SMS loyalty club with member data&lt;/li&gt;
&lt;li&gt;A parenting app with user accounts&lt;/li&gt;
&lt;li&gt;A SaaS platform&lt;/li&gt;
&lt;li&gt;A production app on Netlify&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;They're all clickjackable. All have zero XSS protection. Three are &lt;strong&gt;leaking credentials to the public internet right now.&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Scanned with &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;VibeSafe&lt;/a&gt; v1.0. 16 checks: SSL/TLS, security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy), exposed files (.env, .git), CORS, JS bundle secrets, rate limiting. Source code: Trufflehog secrets, Semgrep static analysis, Supabase RLS, Firebase rules, hardcoded credentials, missing auth, Stripe webhook verification, SQL injection.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>vibecoding</category>
      <category>security</category>
      <category>webdev</category>
      <category>startup</category>
    </item>
    <item>
      <title>The Security Checklist Every Vibe Coder Needs Before Launch</title>
      <dc:creator>kg8888</dc:creator>
      <pubDate>Sun, 21 Jun 2026 15:44:41 +0000</pubDate>
      <link>https://dev.to/amrakg93/the-security-checklist-every-vibe-coder-needs-before-launch-2ea8</link>
      <guid>https://dev.to/amrakg93/the-security-checklist-every-vibe-coder-needs-before-launch-2ea8</guid>
      <description>&lt;p&gt;You shipped something. It works. Users are signing up.&lt;/p&gt;

&lt;p&gt;And somewhere in your codebase, there's a Firebase rule that reads &lt;code&gt;allow read, write: if true&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;This is not a hypothetical. In March 2026, a quit-porn app called Quittr - 600,000 users, $1.1M in total revenue - was found to have every user record publicly readable. Ages. Emotional triggers. Personal confessions. The fix would have taken five minutes. The founders didn't know it was needed.&lt;/p&gt;

&lt;p&gt;If you built your app with Lovable, Bolt, Cursor, v0, Replit, or any AI coding tool, this post is for you.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why vibe-coded apps are uniquely vulnerable
&lt;/h2&gt;

&lt;p&gt;AI coding tools optimize for "it works." They generate functional code fast, and that's genuinely useful. But security is almost never functional - a broken auth check doesn't throw an error, it just quietly lets the wrong person in.&lt;/p&gt;

&lt;p&gt;The result is a specific, predictable set of mistakes. Not random vulnerabilities - the same four or five patterns, repeated across tools, stacks, and founders. A 2026 OX Security study found 62% of AI-generated code ships with vulnerabilities. CVE-2025-48757 (February 2026) affected 170+ Lovable apps by exploiting the same RLS misconfiguration pattern the tool had generated thousands of times.&lt;/p&gt;

&lt;p&gt;These are factory-produced vulnerabilities. Which means they're findable and fixable before you ship.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 8 most common vulnerabilities we see
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Exposed API keys and secrets
&lt;/h3&gt;

&lt;p&gt;AI assistants embed API keys directly in frontend code because it's the path of least resistance. The result: your OpenAI key, Stripe live key, or Supabase service-role key is readable by anyone who opens DevTools ? Sources on your deployed site.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Build your app locally and search the output:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;ash&lt;br&gt;
grep -r "sk_live&amp;amp;#124;service_role&amp;amp;#124;OPENAI_API" ./dist&lt;br&gt;
&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;If anything shows up, it's exposed in production too.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Supabase Row Level Security disabled
&lt;/h3&gt;

&lt;p&gt;RLS is what prevents one user from reading another user's data - or an unauthenticated request from reading &lt;em&gt;all&lt;/em&gt; users' data. When AI-generated Supabase code throws a permission error, the model's fix is to disable RLS on the table. Error goes away. Vulnerability ships.&lt;/p&gt;

&lt;p&gt;CVE-2025-48757 exploited this exact pattern: the public &lt;code&gt;anon&lt;/code&gt; key (which is embedded in your client by design) was enough to dump entire tables because RLS wasn't there to stop it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Open your Supabase dashboard ? Table Editor ? each table should show RLS as enabled with at least one policy defined.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Firebase insecure rules
&lt;/h3&gt;

&lt;p&gt;Firebase ships new projects in "test mode" with rules that allow anyone to read and write everything: &lt;code&gt;allow read, write: if true&lt;/code&gt;. These rules are meant to be temporary. AI tools generate Firebase code that assumes they've been updated. They often haven't.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Firebase Console ? your database ? Rules tab. If you see &lt;code&gt;if true&lt;/code&gt; anywhere, change it now.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Unprotected API routes
&lt;/h3&gt;

&lt;p&gt;AI tools generate API endpoints. They don't always generate the middleware that checks whether the caller is authenticated. The result: a &lt;code&gt;/api/users&lt;/code&gt; endpoint that returns your full user list to any unauthenticated GET request.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Test your API routes with no auth header or cookie using &lt;code&gt;curl&lt;/code&gt; or a tool like Insomnia. If you get data back, the route is open.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Stripe webhook bypass
&lt;/h3&gt;

&lt;p&gt;Stripe sends webhooks to your server when payments happen. If you don't verify the webhook signature, anyone can POST to your endpoint and fake a successful payment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Your webhook handler should call &lt;code&gt;stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET)&lt;/code&gt;. If it doesn't, it's unprotected.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. SQL injection
&lt;/h3&gt;

&lt;p&gt;AI-generated database queries sometimes concatenate user input directly into query strings. This is the oldest vulnerability in web development and it's still showing up in vibe-coded apps.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Search your codebase for string concatenation in database queries: anything like &lt;code&gt;SELECT * FROM users WHERE id =&lt;/code&gt; is a red flag. Use parameterized queries or an ORM.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. CORS wildcard
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Access-Control-Allow-Origin: *&lt;/code&gt; means any website can make requests to your API. Combined with missing auth checks, this can expose data to any domain that wants it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; In your browser's DevTools ? Network, look at the response headers for your API calls. If you see &lt;code&gt;access-control-allow-origin: *&lt;/code&gt; on authenticated endpoints, investigate.&lt;/p&gt;

&lt;h3&gt;
  
  
  8. Missing security headers
&lt;/h3&gt;

&lt;p&gt;Security headers protect your users from browser-level attacks: clickjacking (X-Frame-Options), cross-site scripting (Content-Security-Policy), and insecure connections (HSTS). Most vibe-coded apps ship without any of them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Check:&lt;/strong&gt; Go to &lt;a href="https://securityheaders.com" rel="noopener noreferrer"&gt;securityheaders.com&lt;/a&gt; and enter your URL. A grade below B means you're missing important ones.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually happens when these go unfixed
&lt;/h2&gt;

&lt;p&gt;The Quittr story is the clearest example: 600,000 users had their most personal data exposed - confessions, ages, emotional triggers - for the entire lifetime of the app. The founders found out from a journalist, not from a monitoring alert. The app had generated over a million dollars in revenue. The fix was changing five lines of Firebase rules.&lt;/p&gt;

&lt;p&gt;The Moltbook breach (January 2026) moved faster: 1.5 million API authentication tokens and 35,000 email addresses exposed within 72 hours of launch. The vector was a Supabase database with no row-level security - the same pattern as CVE-2025-48757.&lt;/p&gt;

&lt;p&gt;A Lovable-featured EdTech app (showcased on Lovable's own homepage) was found to have 16 security vulnerabilities, 6 of them critical.&lt;/p&gt;

&lt;p&gt;These aren't enterprise targets. They're solo founders and small teams who shipped something that worked and didn't know what they didn't know about security.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to check your app today
&lt;/h2&gt;

&lt;p&gt;The manual checks above will catch the obvious issues. But some vulnerabilities only show up at the intersection of source code and live site behavior - a secret that's in the code but only exposed after build, or an RLS configuration that looks correct but has a gap in one policy.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;VibeSafe&lt;/a&gt; runs 16 checks across both layers - source code and live site - using static analysis, secret scanning, live header inspection, and behavior probing. You get a report with plain-English descriptions of each finding and exact steps to fix them.&lt;/p&gt;

&lt;p&gt;Pricing is $19-$49 one-time. No subscription.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Shield: preventing this on your next project
&lt;/h2&gt;

&lt;p&gt;Even if you fix everything today, the next app you build with AI tools will generate the same patterns again - because the models haven't changed.&lt;/p&gt;

&lt;p&gt;VibeSafe includes something called The Shield: an AI context file (CLAUDE.md, .cursorrules, or .windsurfrules depending on your tool) that you drop into your project at the start. It instructs your AI assistant to follow secure defaults: no hardcoded secrets, RLS enabled on every table, webhook signature verification, parameterized queries. The model follows the constraint file, so the vulnerable patterns don't get generated in the first place.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion: scan before you ship
&lt;/h2&gt;

&lt;p&gt;The vulnerabilities in this list aren't hard to introduce - AI tools introduce them by default. And they're not hard to find, once you know what to look for.&lt;/p&gt;

&lt;p&gt;The founders who built Quittr weren't careless. They shipped in 10 days using tools that made it easy, and no one told them what the defaults were leaving open. This checklist exists so you don't find out the same way they did.&lt;/p&gt;

&lt;p&gt;Scan your app. Fix what you find. Ship with confidence.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;VibeSafe runs 16 security checks on vibe-coded apps - source code and live site. Plain-English report, exact fixes, trust badge. One-time pricing from $19. ? &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;vibesafe.store&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>javascript</category>
      <category>beginners</category>
    </item>
    <item>
      <title>I Audited 5 AI-Built Apps for Security. All 5 Had Critical Vulnerabilities. Tags: #security #ai #webdev #programming #cybersecurity</title>
      <dc:creator>kg8888</dc:creator>
      <pubDate>Thu, 18 Jun 2026 05:06:49 +0000</pubDate>
      <link>https://dev.to/amrakg93/i-audited-5-ai-built-apps-for-security-all-5-had-critical-vulnerabilities-tags-security-ai-2ogd</link>
      <guid>https://dev.to/amrakg93/i-audited-5-ai-built-apps-for-security-all-5-had-critical-vulnerabilities-tags-security-ai-2ogd</guid>
      <description>&lt;p&gt;AI coding tools are incredible. Cursor, Lovable, Bolt, Replit, v0 — they've made shipping software faster than ever. Non-technical founders can now build full apps in a weekend.&lt;/p&gt;

&lt;p&gt;But there's a catch nobody talks about enough:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI optimizes for code that works, not code that's secure.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When your AI assistant suggests making your storage bucket public, or disabling Row Level Security on your database, or hardcoding an API key — it's not being malicious. It's taking the path of least resistance. And that path leads straight to a breach.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Numbers Are Scary
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Wiz scanned 5,600 AI-built apps: &lt;strong&gt;400 had exposed secrets&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;GuardMint audited 200+: &lt;strong&gt;91.5% had vulnerabilities directly from AI hallucination&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Lovable ships &lt;strong&gt;70% of apps with Row Level Security disabled&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Bolt turns RLS &lt;strong&gt;off by default&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Martin Fowler's team at Thoughtworks put it perfectly:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Telling an AI agent to be safe is not the same as enforcing that it is safe. Prompts can be overridden, misunderstood, or ignored."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What I Found in 5 Manual Audits
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;#&lt;/th&gt;
&lt;th&gt;Issue&lt;/th&gt;
&lt;th&gt;Apps Affected&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔴&lt;/td&gt;
&lt;td&gt;Exposed API key or DB password in frontend JS&lt;/td&gt;
&lt;td&gt;3/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔴&lt;/td&gt;
&lt;td&gt;Row Level Security completely disabled&lt;/td&gt;
&lt;td&gt;4/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔴&lt;/td&gt;
&lt;td&gt;Publicly readable database (entire DB)&lt;/td&gt;
&lt;td&gt;1/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡&lt;/td&gt;
&lt;td&gt;Routes missing auth checks&lt;/td&gt;
&lt;td&gt;3/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡&lt;/td&gt;
&lt;td&gt;Storage buckets set to public&lt;/td&gt;
&lt;td&gt;2/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🟡&lt;/td&gt;
&lt;td&gt;Missing rate limiting on auth endpoints&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Every single founder was shocked. They had no idea any of this was happening.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 5 Things AI Coding Tools Consistently Get Wrong
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Hardcoding Secrets
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;supabase&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;createClient&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;https://abc123.supabase.co&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;eyJhbGciOi...full-anon-key...&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;  &lt;span class="c1"&gt;// 🔴 IN FRONTEND JS!&lt;/span&gt;
&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  2. Disabling Row Level Security
&lt;/h3&gt;

&lt;p&gt;Supabase's RLS is opt-in. AI tools don't enable it unless you explicitly ask. Result: anyone with your anon key can read every row in every table.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Public Storage Buckets
&lt;/h3&gt;

&lt;p&gt;AI: "Let's make this bucket public so images load faster."&lt;br&gt;
Reality: every file in that bucket is now accessible to anyone with a URL.&lt;/p&gt;
&lt;h3&gt;
  
  
  4. Over-Permissioned Service Accounts
&lt;/h3&gt;

&lt;p&gt;AI tools often create service accounts with &lt;code&gt;admin&lt;/code&gt; or &lt;code&gt;owner&lt;/code&gt; roles because it's the simplest way to make things work.&lt;/p&gt;
&lt;h3&gt;
  
  
  5. Missing Auth Guards
&lt;/h3&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="nx"&gt;app&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;/api/user-data&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;req&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;res&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="c1"&gt;// No auth check! Anyone can hit this.&lt;/span&gt;
  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;data&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;db&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;query&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;SELECT * FROM users&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
  &lt;span class="nx"&gt;res&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;json&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h2&gt;
  
  
  The Fix: Two Things Every Vibe Coder Needs
&lt;/h2&gt;
&lt;h3&gt;
  
  
  1. An Audit (Check What's Broken)
&lt;/h3&gt;

&lt;p&gt;Run a security scan on your codebase. Look for exposed secrets, database permissions, auth gaps, dependency vulns, security headers.&lt;/p&gt;
&lt;h3&gt;
  
  
  2. A Shield (Prevent Future Mistakes)
&lt;/h3&gt;

&lt;p&gt;Add a &lt;code&gt;.cursorrules&lt;/code&gt; or &lt;code&gt;CLAUDE.md&lt;/code&gt; that tells your AI:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Never hardcode secrets&lt;/li&gt;
&lt;li&gt;Always enable RLS&lt;/li&gt;
&lt;li&gt;Never make storage buckets public&lt;/li&gt;
&lt;li&gt;Always use least-privilege service accounts&lt;/li&gt;
&lt;li&gt;Always add auth checks to protected routes&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;
  
  
  I Built This
&lt;/h2&gt;

&lt;p&gt;I built &lt;a href="https://vibesafe.store" rel="noopener noreferrer"&gt;VibeSafe&lt;/a&gt; to automate both:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Pre-Launch Audit ($39)&lt;/strong&gt; — Scan your GitHub repo. Plain-English report in 24 hours.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Post-Launch Scan ($19)&lt;/strong&gt; — Scan your live URL. SSL, headers, exposed files. Trust badge included.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Shield ($29)&lt;/strong&gt; — Auto-generated security context file for your exact stack.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Full Bundle ($49)&lt;/strong&gt; — All three.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Continuous ($39/mo)&lt;/strong&gt; — Weekly rescans + breach monitoring.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Built for founders, not security engineers. If you can ship an app with AI, you can use this.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Quick check for your own codebase:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"eyJ"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.js"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.ts"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.tsx"&lt;/span&gt; &lt;span class="nb"&gt;.&lt;/span&gt;
&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"api_key&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;apikey&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;secret&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;password&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;token"&lt;/span&gt; &lt;span class="nt"&gt;--include&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"*.js"&lt;/span&gt; &lt;span class="nb"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You might be surprised what you find.&lt;/p&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>programming</category>
      <category>security</category>
    </item>
  </channel>
</rss>
