5 Security Risks Every Vibe-Coded App Has (And How to Fix Them)
AI coding tools like Cursor, Lovable, Bolt, and Replit make it insanely fast to ship. They also make it insanely easy to ship your Stripe secret key, Supabase service role key, and OpenAI token in your JavaScript bundle. Five issues show up over and over — here's how to find and fix each.
We've scanned thousands of startup websites built with AI coding tools. The same five security issues show up over and over. Most founders don't realize they're vulnerable until someone exploits them.
1. API Keys in JavaScript Bundles
This is the big one. AI coding tools often put API keys directly in client-side code because you pasted them into the prompt or they were in your .env and the tool didn't know to exclude them. Stripe secret keys, OpenAI API keys, Supabase service role keys, Firebase admin credentials — we find them every day.
How to fix: Move all secret keys to server-side environment variables. In Next.js, only variables prefixed with NEXT_PUBLIC_ are inlined into client code, so anything with that prefix is public — use it only for publishable keys (like Stripe's publishable key), never for secret keys.
The data point
In our study of 100 AI-built apps, 34% had at least one exposed API key. Stripe sk_live_ keys appeared in 11 of the 100.
2. Exposed .env Files
Some deployment configurations accidentally serve .env files as static assets. Anyone can visit yoursite.com/.env and see your database credentials, API keys, and secrets. This is especially common with static site deployments and misconfigured Vercel / Netlify setups.
How to fix: Add .env to your .gitignore (most frameworks do this by default). Verify by trying to access yoursite.com/.env in a browser — if you see anything other than a 404, you have a problem.
3. Missing Security Headers
AI coding tools almost never add security headers. No Content-Security-Policy, no X-Frame-Options, no Strict-Transport-Security. This leaves your app vulnerable to XSS attacks, clickjacking, and MIME sniffing.
How to fix: Add security headers in your next.config.js or vercel.json. At minimum, add Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
4. Source Maps in Production
Source maps expose your entire original source code to anyone who opens browser DevTools. AI coding tools often leave source maps enabled in production builds. This means anyone can read your business logic, find hardcoded secrets you missed, and understand your app's architecture.
How to fix: Set productionBrowserSourceMaps: false in your Next.js config. For other frameworks, check the build configuration for source map settings.
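Sections 3 and 4 both end in the same file, so here is one next.config.js that does both. It is an added example, not configuration from the original post: it sets the four headers the article calls the minimum plus a frame-ancestors CSP directive and a Permissions-Policy, and turns productionBrowserSourceMaps off. The header values are conservative defaults of my own choosing; productionBrowserSourceMaps and headers() are documented Next.js options. The missingSecurityHeaders helper is there so you can audit a live response with the same list.

```javascript
// Added example (not part of the original post): a next.config.js that adds
// the headers from section 3 and disables production source maps from
// section 4. productionBrowserSourceMaps and headers() are documented
// Next.js options; the header values are conservative defaults to tune.
const securityHeaders = [
  // Force HTTPS for two years on this host and its subdomains.
  // Add "; preload" only once you are ready to submit to the HSTS preload list.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  // Stop browsers from guessing a different content type than the one served.
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  // Clickjacking: X-Frame-Options for old browsers, frame-ancestors for modern ones.
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
  // Send the origin only when crossing origins; no path or query leaks to third parties.
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  // Opt out of browser features the app does not use.
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// The four the article lists as the minimum; used for the self-check below.
const REQUIRED_HEADERS = [
  'Strict-Transport-Security',
  'X-Content-Type-Options',
  'X-Frame-Options',
  'Referrer-Policy',
];

// Given a response's headers (name -> value, any case), return the required
// names that are absent. Feed it Object.fromEntries((await fetch(url)).headers)
// to audit a deployed site.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return REQUIRED_HEADERS.filter((name) => !present.has(name.toLowerCase()));
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  // Section 4: do not ship .map files that reconstruct the original source.
  productionBrowserSourceMaps: false,
  // Section 3: apply the headers to every route.
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders }];
  },
};

module.exports = nextConfig;
```

Two caveats on where this applies. The CSP here only covers framing; a full Content-Security-Policy with script-src and style-src has to be written per app, because Next.js and most third-party widgets need specific sources allowed. And headers() is applied by the Next.js server, so it does nothing for a static export served from a CDN; in that case the same list goes in the host's header config (vercel.json, netlify.toml or the CDN equivalent).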
5. No Rate Limiting on API Routes
Vibe-coded apps typically have API routes that hit external services (OpenAI, Stripe, databases) with zero rate limiting. An attacker can spam your endpoints, rack up your API bills, or brute-force your authentication. We've seen OpenAI bills hit $500+ overnight from unprotected endpoints.
How to fix: Add rate limiting to every public API route. Use an IP-based rate limiter with reasonable limits (e.g., 10 requests per minute for expensive operations).
6. Scan Your App in 30 Seconds
Our free security scanner runs 19 passive checks on any URL — exposed API keys in JS bundles, .env file access, missing headers, source maps, directory listing, and more. It takes 30 seconds, requires no signup, and gives you a security grade (A–F) with specific fix instructions.
Frequently Asked Questions
What is vibe coding?
Vibe coding is using AI tools (Cursor, Lovable, Bolt, Replit, v0, Claude) to generate entire applications by describing what you want in plain language. It's fast and accessible, but the AI optimizes for 'it works' over 'it's secure' — leaving most vibe-coded apps with the same five security gaps.
Are vibe-coded apps less secure than hand-written ones?
On average, yes — though the issues are fixable. AI tools tend to put secret keys in client components, skip security headers, leave source maps enabled, and ship without rate limiting. Each issue is a 5-minute fix, but you have to know to check. Hand-written apps make these mistakes too, just less consistently.
What's the most dangerous vibe-coding security mistake?
API keys in JavaScript bundles. We've found live Stripe sk_live_ keys, OpenAI keys, and Supabase service role keys in compiled bundles where any visitor can extract them via DevTools. A single exposed Stripe secret key can drain your account overnight.
How do I check my vibe-coded app for these issues?
Run the free security scanner at /security. It performs 19 passive checks on any URL — exposed API keys in JS bundles, .env file access, missing security headers, source maps, directory listing, and more. Takes 30 seconds, no signup, gives you a grade with specific fix instructions.
Should I avoid vibe coding because of these risks?
No — just audit before shipping. Vibe coding is a 10x productivity unlock for solo founders and small teams. The security gaps it creates are real but consistent, which means you can catch all five with one scan and fix them in an afternoon. The speed gain is worth the audit step.