A post on r/vibecoding went viral this week. Someone paid a senior dev $1,000 on Upwork to review their vibe-coded app. The verdict: "good code, just needs a few security concerns addressed."
That's the outcome for almost every vibe-coded app I've looked at. The code works. The UI is fine. The security is broken.
Here's what actually shows up in these reviews.
The Same 5 Issues, Every Time
1. Supabase RLS policies that don't exist or don't work
Lovable sets up Supabase for you. It creates tables, writes queries, handles auth. What it doesn't do reliably is lock down who can read what.
Open your Supabase dashboard right now. Go to Authentication > Policies. A table that shows RLS disabled is readable and writable by anyone who has your Supabase URL and anon key. Both are in your client bundle; anyone can open devtools and find them. (A table with RLS enabled but no policies has the opposite problem: it denies everything, including your own app.)
The fix is row-level security on every table, with a policy for each operation. But the AI generates policies that look right and aren't. A common one: a SELECT policy that checks auth.uid() = user_id, next to an UPDATE or DELETE policy from a permissive template whose condition is simply true for any authenticated user. Users can read only their own rows but can modify anyone's. Another: an INSERT policy with no check on user_id, so a user can create rows under someone else's id. Read each policy's USING and WITH CHECK expressions, not just its name, and remember that the service_role key bypasses RLS entirely, so it must never leave the server.
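The quickest way to find out what the dashboard is really exposing is to do what an attacker does: take the URL and anon key from the bundle and ask PostgREST directly. The script below is an added example, not code from the original post or from Supabase. It assumes Node 18+ (global fetch) and relies on PostgREST serving its OpenAPI document at /rest/v1/, which lists the exposed tables; the verdict labels are my own.

```javascript
// Added example, not code from the original post: probe a Supabase project the way an
// attacker would, with nothing but the public URL and anon key from the client bundle.
// Assumes Node 18+ (global fetch). Relies on PostgREST serving an OpenAPI document at
// /rest/v1/ that lists exposed tables; verdict labels are illustrative.

// Table names are the top-level paths in PostgREST's OpenAPI document, minus the
// root and the /rpc/... function endpoints.
function tablesFromOpenApi(spec) {
  return Object.keys(spec.paths || {})
    .filter((p) => p !== "/" && !p.startsWith("/rpc/"))
    .map((p) => p.replace(/^\//, ""));
}

// Interpret one probe. 200 with rows: the anon role can read this table (a problem
// unless the data is meant to be public). 200 with []: RLS is filtering, or the table
// is simply empty, so it needs a second look with a real row present. 401/403: denied.
function classifyProbe(status, body) {
  if (status === 200 && Array.isArray(body)) {
    return body.length > 0 ? "READABLE_BY_ANON" : "RLS_OR_EMPTY";
  }
  if (status === 401 || status === 403) return "DENIED";
  return "UNKNOWN";
}

async function probeProject(supabaseUrl, anonKey) {
  const headers = { apikey: anonKey, Authorization: `Bearer ${anonKey}` };
  const spec = await (await fetch(`${supabaseUrl}/rest/v1/`, { headers })).json();
  const findings = [];
  for (const table of tablesFromOpenApi(spec)) {
    const res = await fetch(
      `${supabaseUrl}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`,
      { headers }
    );
    let body = null;
    try { body = await res.json(); } catch { /* non-JSON error page */ }
    findings.push({ table, verdict: classifyProbe(res.status, body) });
  }
  return findings;
}

// Usage: SUPABASE_URL=https://<ref>.supabase.co SUPABASE_ANON_KEY=eyJ... node probe.js
if (process.env.SUPABASE_URL && process.env.SUPABASE_ANON_KEY) {
  probeProject(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY).then((findings) => {
    for (const { table, verdict } of findings) console.log(verdict.padEnd(16), table);
  });
}
```

Run it only against your own project. Every table it reports as READABLE_BY_ANON is one an anonymous visitor can read today; if that table holds emails, orders or messages, that is the finding the $1,000 review would have written up. It only reads with limit=1, so it is safe to run against production.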
2. API keys in the client bundle
Open your deployed app. Open devtools. Go to Sources. Search for "sk_" or "key" or "secret" or "Bearer". Anything you find is public. Some of it is supposed to be (Stripe's pk_ publishable key, the Supabase anon key); a secret key is not, and it has to be rotated, because deleting it from the code does not recall the copies already downloaded.
Vibe coding tools don't always know which API calls should happen server-side. They'll put a Stripe secret key or an OpenAI API key directly in a React component because the code works and the AI optimizes for working code. Anything a component reads, including any env var prefixed VITE_ or NEXT_PUBLIC_, ends up in the bundle; a .env file only keeps a secret out of the browser if the server is the only place that reads it.
One app I reviewed had a Resend API key in the client. Anyone could send emails as that company. Another had an OpenAI key that was burning $40/day from unauthorized usage before the founder noticed.
3. No rate limiting on auth endpoints
Sign up, login, password reset. AI tools generate these flows and they work great. What they don't add is rate limiting.
Someone can hit your login endpoint as fast as your server answers, with a different password every time. No lockout, no delay, no CAPTCHA. For password reset, an attacker can trigger thousands of reset emails to any address, which gets your sending domain blocklisted, and if the response differs for unknown addresses it also tells them which emails have accounts. Supabase Auth ships with its own limits (check them under Authentication > Rate Limits); anything the AI wrote itself, such as a custom login or reset endpoint in an edge function, has none until you add them.
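What "add rate limiting" looks like for a custom auth handler, as an added example (not code from the original post or from Supabase): a sliding-window limiter with a lockout, keyed on both the source IP and the target account. The thresholds, key names and gateAuthRequest are illustrative; the in-memory Map only works for a single process, so a multi-instance or serverless deployment would keep the same counters in Redis or a database table.

```javascript
// Added example, not code from the original post: an in-memory limiter for login, signup
// and password-reset handlers. Thresholds, key names and gateAuthRequest are
// illustrative. One process only: with several instances (or serverless functions)
// the counters must live in shared storage such as Redis or a database table.
class AuthRateLimiter {
  // Allow maxAttempts per sliding window of windowMs; after that, lock the key for lockoutMs.
  constructor({ maxAttempts = 5, windowMs = 60_000, lockoutMs = 15 * 60_000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.buckets = new Map(); // key -> { attempts: number[], lockedUntil: number }
  }

  // `now` is injectable so the behaviour can be tested without waiting.
  check(key, now = Date.now()) {
    const b = this.buckets.get(key) || { attempts: [], lockedUntil: 0 };
    this.buckets.set(key, b);
    if (now < b.lockedUntil) return { allowed: false, retryAfterMs: b.lockedUntil - now };
    // Sliding window: forget attempts older than windowMs.
    b.attempts = b.attempts.filter((t) => now - t < this.windowMs);
    if (b.attempts.length >= this.maxAttempts) {
      b.lockedUntil = now + this.lockoutMs;
      b.attempts = [];
      return { allowed: false, retryAfterMs: this.lockoutMs };
    }
    b.attempts.push(now);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const limiter = new AuthRateLimiter();

// Two keys per request: the source IP (one client spraying many accounts) and the target
// account (many clients hammering one account). Check the IP first so a blocked source
// does not burn the account's budget. Return the same 429 in both cases, and the same
// 200 whether or not the account exists, so the endpoint does not enumerate users.
function gateAuthRequest(ip, email, now = Date.now()) {
  const byIp = limiter.check(`ip:${ip}`, now);
  if (!byIp.allowed) return { status: 429, retryAfterMs: byIp.retryAfterMs };
  const account = String(email || "").trim().toLowerCase();
  const byAccount = limiter.check(`acct:${account}`, now);
  if (!byAccount.allowed) return { status: 429, retryAfterMs: byAccount.retryAfterMs };
  return { status: 200, retryAfterMs: 0 };
}
```

Call gateAuthRequest at the top of the handler and return its status with a Retry-After header before touching the password or sending any email. Five attempts a minute is generous for a human and useless for a brute-forcer; lower it for password reset, where one request per address per few minutes is plenty.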
4. Missing input validation on the backend
The AI validates inputs on the frontend. It checks email format, required fields, string length. But if someone bypasses the frontend (which is trivial), the backend accepts anything.
This means SQL injection wherever a query is built by gluing strings together (the supabase-js query builder parameterizes for you; raw SQL in an edge function does not), script tags stored in your database and rendered later as HTML, and malformed data that breaks your app for other users. Supabase edge functions generated by AI almost never check input types, lengths, or that the request carries only the fields you expect.
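Here is what backend validation of a signup payload looks like, as an added example that is not code from the original post or from Supabase. It is a pure validator plus a Fetch-API handler, so the same code runs in a Supabase Edge Function (Deno) or in Node 18+. The field names, limits and the createUser callback are assumptions. Note what it does and does not do: it rejects unknown fields, wrong types and bad lengths, and normalizes the email; it does not try to "sanitize" HTML, because stored XSS is solved by escaping on output, and it does not replace parameterized queries, which are what actually stop SQL injection.

```javascript
// Added example, not code from the original post: server-side validation for a signup
// payload, as a pure function plus a Fetch-API handler that runs unchanged in a Supabase
// Edge Function (Deno) or in Node 18+. Field names, limits and createUser are
// illustrative. Validation is not what stops SQL injection: that is parameterised
// queries (the supabase-js query builder parameterises for you; raw SQL built with
// string concatenation does not), so validate AND never interpolate values into SQL.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
const ALLOWED_FIELDS = new Set(["email", "password", "display_name"]);

function validateSignup(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  // Reject unknown keys so a client cannot smuggle in fields like role or is_admin.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const { email, password, display_name } = body;
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push("email: invalid");
  }
  if (typeof password !== "string" || password.length < 12 || password.length > 128) {
    errors.push("password: must be 12 to 128 characters");
  }
  if (display_name !== undefined) {
    if (typeof display_name !== "string" || display_name.length > 64 || CONTROL_CHARS.test(display_name)) {
      errors.push("display_name: must be printable text of at most 64 characters");
    }
  }
  if (errors.length > 0) return { ok: false, errors };
  // Normalise here, once, so the database never sees two spellings of one account.
  // Stored XSS is handled on output: display_name is rendered as text (React escapes
  // by default), never through dangerouslySetInnerHTML.
  return {
    ok: true,
    value: {
      email: email.trim().toLowerCase(),
      password,
      display_name: display_name === undefined ? null : display_name.trim(),
    },
  };
}

// Request handler: parse, validate, then pass only the cleaned value to the data layer.
async function handleSignup(request, createUser) {
  let body;
  try {
    body = await request.json();
  } catch {
    return new Response(JSON.stringify({ error: "invalid JSON" }), { status: 400 });
  }
  const result = validateSignup(body);
  if (!result.ok) {
    return new Response(JSON.stringify({ errors: result.errors }), { status: 400 });
  }
  // e.g. supabase.auth.admin.createUser(...) using the service_role key, server-side only
  await createUser(result.value);
  return new Response(null, { status: 201 });
}
```

The unknown-field check is the one most AI-generated handlers miss: a client that can add role: "admin" to the JSON and have it spread into an insert is a privilege escalation, not a validation nit.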
5. Dependencies with known vulnerabilities
Every vibe-coded app I've seen has at least 3 npm packages with known CVEs. The AI picks packages that work, not packages that are maintained. An npm audit will show you, but most vibe coders never run it.
The recent TeamPCP supply chain attack targeted PyPI packages (telnyx, litellm) with malicious versions. If you're using AI to pick your dependencies, you're trusting that the AI knows which version is safe. It doesn't. Commit your lockfile and install with npm ci, so the versions you audited are the versions you ship.
Why This Matters Now
When your app has 0 users, none of this matters. But the moment someone enters their email, their payment info, their personal data, you're liable.
GDPR fines for inadequate security run up to 10 million euros or 2% of global annual turnover, whichever is higher, and the upper tier doubles that. Even in the US, state privacy laws are getting teeth. "I used AI to build it" is not a defense.
170 out of 1,645 Lovable-created apps were found to have data exposure issues earlier this year. That's over 10%.
The Market Gap
Here's the reality of getting a code review as a vibe coder:
- Free: Ask Claude/ChatGPT to review your code. It'll find surface-level issues but miss the architectural ones. It generated the code, so it has the same blind spots.
- $500-$1,000: Hire a senior dev on Upwork. Takes a week. May not specialize in the specific security patterns of AI-generated code.
- $5,000+: Professional penetration test. Enterprise-grade but overkill for a solo founder's MVP.
There's nothing in between for the vibe coder who just wants to know: "Is my app safe to launch?"
That's the gap. A focused security audit that knows exactly where Lovable, Cursor, Bolt, and Claude Code break. Not a general code review. A checklist of the exact vulnerabilities these tools introduce, tested against your specific app, with copy-paste fix prompts you can feed back into the AI.
Check Your App Right Now
Before you ship, run through this yourself:
- Open Supabase > Authentication > Policies. Every table should have RLS enabled with policies for SELECT, INSERT, UPDATE, DELETE, and each policy's condition should name the caller (auth.uid() = user_id or similar), not just true.
- Open devtools on your deployed app. Search Sources for API keys (sk_, key_, secret, Bearer). Publishable keys and the Supabase anon key belong there; anything else is a leak, and a leaked key needs rotating, not just removing from the code.
- Try signing up 10 times in 10 seconds. If it works every time, you have no rate limiting.
- Run npm audit in your project. Fix anything marked critical or high.
- Check your .env file isn't committed to git: git log --all -- .env
  If that prints a commit, every key in the file is in your history and in every clone; rotate them, deleting the file isn't enough.
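Three of those checks (the bundle search from point 2, the npm audit from point 5, and the .env history check) can run as one script in CI so they happen before every deploy, not once before launch. The script below is an added example, not the scanner from the original post and not part of any tool it mentions. The dist/ path, the key patterns and the severity gate are assumptions; adjust them for your stack. It needs Node 18+. The one thing it does that a plain grep cannot is decode the JWTs it finds: the Supabase anon key and service_role key look identical until you read the role claim, and only the first one is allowed in a browser.

```javascript
// Added example, not code from the original post: one pre-launch script that covers
// points 2 and 5 above and the checklist. It greps the built bundle for secret-looking
// strings, parses npm audit --json, and checks git history for a committed .env. The
// dist/ path, the patterns and the severity gate are assumptions; tune them for your
// stack. Node 18+. Run with: node preflight.js --run

// Provider prefixes worth flagging. A match is something to verify, not proof: the
// Stripe publishable key (pk_...) and the Supabase anon key are meant to ship to the
// browser; secret keys and the Supabase service_role key are not.
const SECRET_PATTERNS = [
  { kind: "stripe secret key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { kind: "openai key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  { kind: "resend key", re: /\bre_[A-Za-z0-9_]{16,}/g },
  { kind: "aws access key id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "private key block", re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
  { kind: "hard-coded bearer token", re: /Bearer\s+[A-Za-z0-9._-]{20,}/g },
];
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode a JWT payload without verifying it; we only want to read the role claim.
function jwtClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

function scanTextForSecrets(text) {
  const findings = [];
  for (const { kind, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) findings.push({ kind, sample: m[0].slice(0, 12) + "..." });
  }
  // Supabase keys are JWTs; anon and service_role look alike until you read the claims.
  for (const m of text.matchAll(JWT_RE)) {
    const claims = jwtClaims(m[0]);
    if (claims && claims.role === "service_role") {
      findings.push({ kind: "supabase service_role key", sample: m[0].slice(0, 12) + "..." });
    }
  }
  return findings;
}

// npm 7+ `npm audit --json` reports counts per severity under metadata.vulnerabilities.
function auditGate(auditJson, failOn = ["critical", "high"]) {
  const counts = auditJson && auditJson.metadata && auditJson.metadata.vulnerabilities;
  if (!counts) return { pass: false, blocking: 0, reason: "no audit data" };
  const blocking = failOn.reduce((n, sev) => n + (counts[sev] || 0), 0);
  return { pass: blocking === 0, blocking, counts };
}

// Constructed sample, not a real bundle: a publishable key (fine), a Stripe secret key
// (leak) and a JWT whose role claim is service_role (leak).
const SAMPLE_BUNDLE = [
  'const stripePk = "pk_live_000000000000000000000000";',
  'const stripeSk = "sk_live_000000000000000000000000";',
  'const supa = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
    Buffer.from('{"role":"service_role","ref":"example"}').toString("base64url") + '.sig";',
].join("\n");

function main(distDir = "dist") {
  const fs = require("fs");
  const path = require("path");
  const { execSync } = require("child_process");
  let failed = false;

  const walk = (dir) =>
    fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) =>
      e.isDirectory() ? walk(path.join(dir, e.name)) : [path.join(dir, e.name)]);
  for (const file of walk(distDir).filter((f) => /\.(m?js|html|css|map)$/.test(f))) {
    for (const f of scanTextForSecrets(fs.readFileSync(file, "utf8"))) {
      console.log(`SECRET  ${file}: ${f.kind} (${f.sample})`);
      failed = true;
    }
  }

  // npm audit exits non-zero when it finds anything, so read stdout from the error too.
  let auditOut;
  try { auditOut = execSync("npm audit --json", { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }); }
  catch (err) { auditOut = err.stdout; }
  const gate = auditGate(JSON.parse(auditOut || "{}"));
  console.log(`AUDIT   ${gate.pass ? "ok" : "FAIL"} (${gate.reason || gate.blocking + " critical/high"})`);
  failed = failed || !gate.pass;

  const envHistory = execSync("git log --all --oneline -- .env", { encoding: "utf8" }).trim();
  if (envHistory) { console.log("ENV     .env appears in git history; rotate every key in it"); failed = true; }

  process.exit(failed ? 1 : 0);
}

if (process.argv.includes("--run")) main();
```

Run it after npm run build and wire the exit code into your deploy step. Expect false positives from the prefix patterns on the first run; the service_role check and the .env history check are the two that are never acceptable.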
If you want a deeper check, I built a free scanner at notelon.ai/tools/vibecheck that runs automated checks against your repo. For a full manual audit with a PDF report and fix prompts, there's a $99 audit service.
I build security tools for vibe coders at notelon.ai.