AI code generators ship features fast. They also skip security steps that no production app should go without. At Inithouse, a studio shipping a growing portfolio of products in parallel, we build everything with Lovable and run security audits on every project before launch. After auditing dozens of our own apps, we compiled this 12-point checklist covering the gaps AI tools leave behind most often.
This is not theoretical. Every item on this list comes from a real issue we found in our own shipped products using Audit Vibe Coding, an automated audit tool we built specifically for AI-generated codebases.
1. Authentication Flow
What to check: Are login/signup routes protected against brute force? Does the session expire? Are password reset tokens single-use and time-limited?
What AI skips: Lovable and Bolt typically generate working auth flows but skip rate limiting on login attempts and often leave session tokens with no expiration. We found one of our apps allowing unlimited login attempts with no cooldown.
Fix: Add rate limiting middleware to auth endpoints (e.g., 5 attempts per minute per IP). Set session expiry to 24 hours max. Ensure password reset tokens expire after 15 minutes.
2. Row Level Security (RLS)
What to check: If you use Supabase, are RLS policies enabled on every table? Can a logged-in user read or modify another user's data?
What AI skips: This is the single most common vulnerability we find. AI tools create tables and forget to enable RLS, or they enable it but write policies that are too permissive. In one of our projects (Be Recommended, an AI visibility monitoring tool), we caught a policy that let any authenticated user read all audit results, not just their own.
Fix: Enable RLS on every table. Write policies that filter by auth.uid(). Test by logging in as User A and attempting to fetch User B's data directly via the Supabase client.
3. Environment Variables and Secrets
What to check: Are API keys, database URLs, and third-party tokens stored in environment variables? Are any secrets hardcoded in client-side code?
What AI skips: AI generators sometimes inline API keys directly in fetch calls or store them in config files that get bundled into the client build. We found Stripe keys exposed in a component file that shipped to production.
Fix: Move all secrets to .env files. Use VITE_ prefix only for values safe to expose client-side. Audit your built output: search dist/ for any string matching known key patterns.
4. CORS Configuration
What to check: Does your API accept requests from any origin (*)? Are credentials allowed with a wildcard origin?
What AI skips: Default CORS configurations in AI-generated backends often use Access-Control-Allow-Origin: * because it eliminates errors during development. This stays in production.
Fix: Restrict allowed origins to your production domain(s). If you use Supabase Edge Functions, configure the cors.ts helper with explicit origins.
5. Rate Limiting on API Endpoints
What to check: Can a single user or IP hammer your endpoints without throttling?
What AI skips: Almost always absent. AI tools focus on making the feature work, not on protecting it from abuse. We measured one of our apps accepting 400+ requests per second from a single IP with no degradation or blocking.
Fix: Add rate limiting at the API gateway or middleware level. A reasonable starting point: 60 requests per minute per IP for standard endpoints, 10 per minute for auth-related ones.
6. Input Validation and Sanitization
What to check: Are user inputs validated on the server side (not just client)? Are SQL injection and XSS vectors handled?
What AI skips: Client-side validation gets generated reliably. Server-side validation is often missing entirely. AI tools trust that the frontend will always send clean data.
Fix: Validate and sanitize all inputs on the server. Use parameterized queries (Supabase does this by default). Escape HTML output. Never build SQL strings from user input.
7. Error Handling and Information Leakage
What to check: Do error responses expose stack traces, database schemas, or internal paths?
What AI skips: Development-mode error handling routinely ships to production. We found one app returning full Postgres error messages including table names and column types to the client.
Fix: Use generic error messages in production ("Something went wrong"). Log detailed errors server-side only. Set NODE_ENV=production and ensure your framework respects it.
8. File Upload Security
What to check: If users can upload files, are file types validated? Are uploads scanned? Is there a size limit?
What AI skips: Upload forms get generated with minimal restrictions. File type validation, if present, is client-side only (trivially bypassed). Size limits are often missing.
Fix: Validate file type and size on the server. Restrict to expected MIME types. Store uploads in a dedicated bucket with no execute permissions. Set a reasonable size cap (e.g., 5 MB).
9. Security Headers
What to check: Does your app set Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security?
What AI skips: Security headers are never generated by AI tools. The app works fine without them, so they never come up in the build process.
Fix: Add headers via your hosting platform's configuration (Vercel vercel.json, Netlify _headers, or middleware). Start with: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security: max-age=31536000.
10. Logging and Monitoring
What to check: Are auth events, failed requests, and data access patterns logged? Can you detect unusual activity?
What AI skips: Logging is almost never included in AI-generated code. When something goes wrong in production, there is no trail to follow.
Fix: Log authentication events (login, logout, failed attempts, password resets). Log data access patterns for sensitive endpoints. Use a structured logging service (even basic console logging with timestamps and user IDs is better than nothing).
11. Sitemap and Robots.txt Exposure
What to check: Does your sitemap expose admin routes or internal pages? Does robots.txt inadvertently reveal hidden paths?
What AI skips: Auto-generated sitemaps sometimes include routes that should not be publicly discoverable (admin panels, internal dashboards, staging pages).
Fix: Review your sitemap and robots.txt manually. Exclude admin and internal routes. If you have an admin panel, ensure it requires authentication before rendering anything.
12. Dependency Vulnerabilities
What to check: Are your npm packages up to date? Are there known CVEs in your dependency tree?
What AI skips: AI tools install packages at whatever version was in their training data. They do not run npm audit or check for known vulnerabilities.
Fix: Run npm audit before every deploy. Address critical and high-severity findings. Set up automated dependency updates (Dependabot, Renovate, or similar).
The Pattern
The common thread across all 12 items: AI code generators optimize for "it works." Security is not a feature that breaks visibly when missing. Your app will run fine with open CORS, no rate limiting, and exposed error messages. The problems surface later, usually when someone starts probing.
At Inithouse, we built Audit Vibe Coding because we needed to run these checks on our own portfolio systematically. It runs 47 automated checks across security, SEO, performance, accessibility, and code quality, and delivers a report within 24 hours. The security checks on this list are a subset of what the full audit covers.
If you are shipping an app built with Lovable, Bolt, v0, or any AI code generator, run through this checklist before your users do. Or let the automated audit catch what you miss at auditvibecoding.com.
Top comments (0)