<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: necati</title>
    <description>The latest articles on DEV Community by necati (@necati78).</description>
    <link>https://dev.to/necati78</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4001217%2F23e17b8c-ee5c-45c5-a707-7e867032d315.png</url>
      <title>DEV Community: necati</title>
      <link>https://dev.to/necati78</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/necati78"/>
    <language>en</language>
    <item>
      <title>I scanned 100 sites built with Lovable, Cursor and Bolt. Here's what I found.</title>
      <dc:creator>necati</dc:creator>
      <pubDate>Wed, 24 Jun 2026 20:40:06 +0000</pubDate>
      <link>https://dev.to/necati78/i-scanned-100-sites-built-with-lovable-cursor-and-bolt-heres-what-i-found-g5d</link>
      <guid>https://dev.to/necati78/i-scanned-100-sites-built-with-lovable-cursor-and-bolt-heres-what-i-found-g5d</guid>
      <description>&lt;p&gt;I started noticing the same security mistakes on every vibe-coded app I looked at. So I scanned 100 of them. Here's what came up.&lt;br&gt;
94 out of 100 had at least one critical issue.&lt;br&gt;
The most common findings:&lt;/p&gt;

&lt;p&gt;78 sites — Supabase RLS disabled. Any user can query your entire database directly. Customer emails, orders, everything. The fix takes 2 minutes but nobody told them it was off.&lt;/p&gt;

&lt;p&gt;61 sites — API keys in the JS bundle. If you prefix a variable with VITE_, it ends up in your compiled JavaScript. Completely public. This is how people wake up to a $3,000 OpenAI bill.&lt;/p&gt;

&lt;p&gt;89 sites — no privacy policy. GDPR fines start at €10,000. Doesn't matter how small your startup is.&lt;/p&gt;

&lt;p&gt;73 sites — no rate limiting on auth endpoints. Open to brute force.&lt;br&gt;
The common thread: none of these founders knew. The AI tools just ship and move on.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I built vibelegit.io to catch this automatically — real HTTP requests to your live site, not just a code read. Every finding comes with an AI fix prompt you can paste into Cursor or Lovable.&lt;br&gt;
If you've shipped something with an AI coding tool, worth running a scan before someone else does&lt;/strong&gt;.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
      &lt;div class="c-embed__body flex items-center justify-between"&gt;
        &lt;a href="https://vibelegit.io" rel="noopener noreferrer" class="c-link fw-bold flex items-center"&gt;
          &lt;span class="mr-2"&gt;vibelegit.io&lt;/span&gt;
          

        &lt;/a&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw1li2byecdlv6eg58dy2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw1li2byecdlv6eg58dy2.png" alt=" " width="800" height="535"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>security</category>
      <category>vibecoding</category>
    </item>
  </channel>
</rss>
