Is my vibe-coded app secure?
Probably not — at least not without a deliberate review. Veracode's 2025 research found roughly 45% of AI-generated code samples introduced a known security vulnerability. Vibe-coded apps move fast but skip the security review that would catch exposed credentials, missing auth checks, and open database access before they reach real users.
wenhire is building a directory of AI-native developers — including specialists who audit and harden vibe-coded apps. The first 250 to create a profile when we launch get free access for a year.
join the waitlist — first 250 get a free yearWhy AI-generated code has a specific security problem
AI coding tools are optimised to produce working output, not secure output. When you prompt Cursor, Bolt, or Lovable to scaffold an API route or a database integration, the generated code will function — but it may skip row-level security, omit authentication middleware, or inline credentials that should live in environment variables.
This is not a failure of the tools. It is a mismatch between what the tools optimise for (functional output given the prompt) and what production software requires (a security posture appropriate to the threat model). Most prompts do not mention security, so the model does not surface it.
Veracode's 2025 research, which found roughly 45% of AI-generated code samples introduced a known security vulnerability, reflects this gap at scale. It does not mean every AI-generated function is exploitable — but it does mean the default assumption should be scrutiny, not trust.
Common vulnerabilities in vibe-coded apps
The vulnerability patterns below are specific to the AI-native stack — Supabase, Next.js App Router, Vercel, and builder tools like Bolt and Lovable. They are consistently underweighted because speed-to-launch is the primary driver and security review rarely gets a dedicated slot.
| Vulnerability | How it happens in vibe-coded apps | Severity |
|---|---|---|
| Exposed API keys | AI tools generate .env examples or inline credentials as scaffolding; committed to public repos before review | Critical |
| Missing row-level security (RLS) | Supabase tables created without RLS enabled; any authenticated or even public request can read all rows | Critical |
| Unauthenticated API routes | Next.js API routes or Server Actions generated without auth middleware; endpoints callable without a valid session | Critical |
| SQL injection via raw queries | AI-generated database queries sometimes use string interpolation instead of parameterised statements | High |
| Permissive CORS configuration | Generated API routes often set Access-Control-Allow-Origin: * without considering which origins actually need access | High |
| No input validation | Form handlers and API routes pass user-supplied data directly to the database or downstream services without sanitisation | High |
| Overprivileged service roles | Supabase service role key used client-side or in edge functions where the anon key is sufficient | Medium |
Self-audit checklist: run this before you launch
You do not need a hired specialist to catch the most critical issues. Work through this checklist before your app touches real users or real data. Each item is actionable without deep security expertise.
If you find any of the first three items below — exposed keys, disabled RLS, or open API routes — treat them as incidents, not to-do items. Rotate credentials and fix access controls before doing anything else.
- Search your entire codebase for hardcoded secrets. Run a grep for common patterns:
sk_live,supabase.cowith adjacent key strings,OPENAI_API_KEYassigned inline, Stripe keys, Resend keys, Clerk secrets. Any credentials found should be rotated immediately in the service dashboard and moved to environment variables. - Check every Supabase table for row-level security. In the Supabase dashboard, open the Table Editor and verify RLS is enabled on every table that stores user data. Then review the policies: does each policy actually restrict access to the correct user? A table with RLS enabled but no policies denies all access; a table with a misconfigured policy may still expose all rows.
- Audit every API route and Server Action for auth checks. In Next.js App Router, every
route.tsfile and everyserver actionshould validate session before executing. Check that unauthenticated requests get a 401, not a 200 with an empty payload. - Confirm you are using the anon key, not the service role key, on the client. The Supabase service role key bypasses all RLS. It should only ever appear in server-side code — not in environment variables prefixed with
NEXT_PUBLIC_, and never in any client-side bundle. - Validate all user inputs before they reach the database. Any field a user can write to — forms, URL parameters, query strings — should be validated against a schema (Zod is common in this stack) before being passed to a query or stored.
- Check file upload endpoints for type and size validation. AI-generated file upload handlers often accept any file type and any size. Add an allowlist of MIME types and a maximum file size before your storage bucket becomes an open host.
- Review your CORS and Content-Security-Policy headers. In
next.config, tighten Access-Control-Allow-Origin to specific domains rather than wildcard, and add a minimal CSP that blocks inline scripts you did not explicitly allow.
When to hire a security auditor
The self-audit above addresses the most common and exploitable issues. There are scenarios where bringing in a specialist is the right move, regardless of how thorough your own review was.
Hire an auditor if your app handles payments or financial data, stores health or medical information, holds data on behalf of other businesses (B2B SaaS), or is approaching a funding conversation where a technical due diligence review is likely. These situations create material liability, and a code audit by a qualified specialist is cheaper than an incident.
You should also consider a professional review if your app has grown through multiple AI-assisted iterations without systematic review — common with vibe-coded builds where each session adds features without revisiting the security posture of existing ones. Technical debt compounds; security debt compounds faster.
How to vet a developer for a security audit
Not every developer who can audit code can audit a vibe-coded app effectively. The AI-native stack has patterns — Supabase RLS, Next.js Server Actions, edge functions, builder-tool output — that a traditional appsec engineer may not be familiar with. Vet specifically for this combination.
- Ask for examples of Supabase security work specifically. RLS policy design, service role key handling, and storage bucket permissions are the most common attack surface in this stack. If they cannot speak fluently about RLS policy logic, find someone who can.
- Ask them to describe what they look for in AI-generated code. A developer who understands the specific failure modes of Cursor, Bolt, or Lovable output will find issues faster than one running a generic OWASP checklist.
- Expect a written report, not just a Slack message. A proper audit produces a prioritised list of findings with severity ratings and specific remediation steps. If the developer cannot commit to a written deliverable, that is a signal about the rigour of the work.
- Agree on scope before engagement. Define whether the audit covers static code review only, or also includes dynamic testing (running the app and probing it). Static review is faster and cheaper; dynamic testing catches issues that only appear at runtime. For most early-stage vibe-coded apps, static plus a focused manual test of critical flows is the right scope.
wenhire is building the hiring platform for AI-native developers — including the specialists who audit, fix, and harden vibe-coded apps. Zero commission. The first 250 to create a profile when we launch get free access for a year. No credit card required.
join the waitlist — first 250 get a free yearFrequently asked questions
Are vibe-coded apps less secure than traditionally coded apps?
Not inherently — but the risk profile is different. Veracode's 2025 research found roughly 45% of AI-generated code samples introduced a known security vulnerability. That does not mean every vibe-coded app is compromised, but it does mean security cannot be assumed. The gap is not in the code quality per se; it is in the lack of security review that accompanies most AI-assisted builds.
What is the most common security mistake in vibe-coded apps?
Exposed API keys and service credentials hardcoded into the codebase — often committed to a public GitHub repository. AI tools frequently generate example .env files or inline credentials as placeholders. Builders often ship before they review. This one issue alone can result in billing fraud, data exposure, and complete account takeover of dependent services.
Do I need a full penetration test, or is a code audit enough?
For most early-stage vibe-coded apps, a focused code audit covering auth, RLS, secrets management, and input validation will address the majority of real risk. A full penetration test adds value once the product has paying users and handles sensitive data. Start with an audit; escalate to a pentest when you have meaningful exposure.
How do I find a developer who can audit a vibe-coded app specifically?
You need someone who understands both the AI-native toolchain and security fundamentals. A traditional security engineer unfamiliar with Supabase, Vercel edge functions, or Bolt-generated code may miss patterns specific to these stacks. Look for developers who explicitly list AI-native security experience, not just general appsec.
What should I fix before launching to real users?
In order: (1) rotate and vault all credentials, (2) enable row-level security on every table that holds user data, (3) add authentication checks to every API route, (4) sanitise all user-supplied inputs, (5) set appropriate CORS and CSP headers. These five items eliminate the vast majority of exploitable vulnerabilities in a typical vibe-coded app.
What does wenhire have to do with security?
wenhire is a zero-commission hiring platform and talent directory for AI-native developers — including specialists in AI-stack security, Supabase hardening, and vibe-coded app audits. When we launch, the first 250 to create a profile get free access for a year.