SECURITY GUIDE - MARCH 2026
How to Secure Your Vibe-Coded App
AI tools like Cursor, Lovable, Bolt, and v0 let you ship apps in hours. But speed creates blind spots. This guide covers the five most common security vulnerabilities in AI-generated code and exactly how to fix them.
Sources: GitGuardian 2024 Report, Stanford AI Code Security Study 2023, Scott Helme Security Headers Report 2024
WHAT IS VIBE CODING AND WHY SECURITY MATTERS
Vibe coding is the practice of building software by describing what you want in natural language and letting an AI assistant generate the code. Tools like Cursor, Lovable, Bolt, Replit Agent, and v0 have made it possible for anyone - from experienced developers to first-time builders - to ship production web apps in a single afternoon.
The problem is that AI models optimize for functionality, not security. They generate code that works, but they rarely consider authentication edge cases, input validation, authorization logic, or infrastructure hardening. A 2023 Stanford University study found that participants using AI coding assistants produced significantly less secure code compared to a control group, and were more likely to believe their code was secure when it was not.
This does not mean you should stop using AI tools. It means you need a security step in your workflow. The same way you would not ship a car without brakes, you should not ship an app without checking for the vulnerabilities that AI routinely introduces.
TOP 5 SECURITY RISKS IN AI-GENERATED CODE
Hardcoded API Keys and Secrets
AI coding assistants frequently embed API keys, database credentials, and third-party tokens directly in source code. A 2024 GitGuardian report found that 12.8 million new secrets were exposed in public GitHub repositories in a single year - a 28% increase over the previous year. AI-generated code accelerates this problem because LLMs treat secrets as just another string to complete.
REAL-WORLD EXAMPLE
An AI assistant generates a Supabase client with the service_role key inline instead of referencing process.env.SUPABASE_SERVICE_ROLE_KEY. That key, once pushed to a public repo, gives anyone full admin access to your database.
HOW TO FIX IT
Store all secrets in environment variables. Use .env.local for development and your hosting platform's secrets manager for production. Add .env* to your .gitignore before the first commit. Run a secrets scanner like GitGuardian or TruffleHog on every push.
Missing Authentication and Authorization
AI tools often generate API routes and server actions without any authentication checks. They create endpoints that accept requests from anyone, including unauthenticated users. CVE-2025-48757 demonstrated this at scale when 170+ Lovable-built apps were found to have unauthenticated data access because the AI never added access control to generated API routes.
REAL-WORLD EXAMPLE
A Cursor-generated API route at /api/users returns all user records without verifying that the caller is an authenticated admin. Any visitor can hit the endpoint and dump your user table.
HOW TO FIX IT
Verify authentication on every API route and server action. Use middleware to protect route groups. Implement Row Level Security (RLS) on your database so that even if an API route is exposed, the database enforces access control. Never trust client-side auth alone.
SQL Injection and Input Validation Gaps
LLMs sometimes generate raw SQL queries with string concatenation instead of parameterized queries. A 2023 Stanford study found that developers using AI assistants wrote significantly less secure code than those coding manually, with SQL injection being one of the most common vulnerability classes. Even when using ORMs, AI-generated code may bypass the ORM's protections by using raw query methods.
REAL-WORLD EXAMPLE
The AI generates: SELECT * FROM orders WHERE user_id = '${userId}' instead of using a parameterized query. An attacker sends userId = "' OR '1'='1" and dumps the entire orders table.
HOW TO FIX IT
Always use parameterized queries or a trusted ORM like Prisma. Validate and sanitize all user input at the boundary - request body, query parameters, headers. Use Zod or a similar schema validation library to enforce types and constraints before data reaches your database.
Exposed Environment Variables and Config
AI-generated frontend code sometimes references server-side environment variables without the NEXT_PUBLIC_ prefix convention, or worse, bundles sensitive config into client-side JavaScript. Source maps left enabled in production can expose your entire codebase. A 2024 analysis by Truffle Security found that 4.5% of scanned websites had exposed source maps leaking internal code, API endpoints, and sometimes credentials.
REAL-WORLD EXAMPLE
An AI builds a payment form that imports the Stripe secret key instead of the publishable key. The secret key ends up in the browser bundle where anyone can extract it from DevTools.
HOW TO FIX IT
Audit every environment variable reference in client-side code. In Next.js, only variables prefixed with NEXT_PUBLIC_ are safe for the browser. Disable source maps in production (productionBrowserSourceMaps: false in next.config.js). Never log sensitive config in client-side error handlers.
Missing Security Headers
AI coding tools almost never configure HTTP security headers. Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and other headers are critical defenses against XSS, clickjacking, and downgrade attacks. According to the 2024 Scott Helme security headers report, only 12.4% of the top 1 million sites implement a Content-Security-Policy header. AI-generated apps almost universally skip these protections.
REAL-WORLD EXAMPLE
A Bolt-generated Next.js app ships with zero security headers. An attacker embeds it in an iframe on a phishing site (clickjacking) or injects a script tag via a user input field that CSP would have blocked.
HOW TO FIX IT
Add a security headers configuration to your next.config.js or middleware. Set Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security with a long max-age, and Referrer-Policy: strict-origin-when-cross-origin. Test with securityheaders.com.
HOW TO SCAN YOUR VIBE-CODED APP
Code review catches some issues, but deployed apps have a different attack surface. Security headers, SSL configuration, exposed files, open ports, and DNS misconfigurations are only visible when you scan the live domain. UNPWNED runs 700+ automated checks against your deployed app and translates every finding into plain-English fix instructions.
Enter your domain
Go to the scan page and enter the domain of your deployed vibe-coded app.
Run the scan
UNPWNED runs 700+ security checks in parallel: SSL/TLS, security headers, DNS, open ports, sensitive files, API exposure, and more.
Review your report
Get a plain-English report with severity ratings. Pro reports include step-by-step fix guidance for detected findings.
Fix and rescan
Apply the recommended fixes and run another scan to verify. Repeat until your security score improves.
SECURITY CHECKLIST FOR VIBE CODERS
Run through this checklist before every deploy. Each item addresses a specific vulnerability class that AI coding tools commonly introduce.
Run a secrets scanner (GitGuardian, TruffleHog) on your repo before every deploy
Verify authentication on every API route, server action, and webhook handler
Enforce authorization with Row Level Security (RLS) on every database table
Use parameterized queries or an ORM - never concatenate user input into SQL
Validate all input with a schema library like Zod at the API boundary
Store secrets in environment variables, never in source code
Prefix only public-safe variables with NEXT_PUBLIC_ in Next.js
Disable source maps in production builds
Configure security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
Enable HTTPS everywhere and set Strict-Transport-Security
Review all dependencies for known CVEs with npm audit or Snyk
Scan your deployed domain with an external scanner to catch what code review misses
Set up rate limiting on authentication endpoints and public APIs
Add CSRF protection to all state-changing operations
Review AI-generated code line by line before committing - treat it like code from an untrusted contributor
THE BIGGER PICTURE
Vibe coding is not going away. GitHub reported that over 92% of developers in the US use AI coding tools as of 2024, and the number continues to climb. The volume of AI-generated code shipping to production is growing faster than the security tooling designed to audit it.
The risk compounds because many vibe coders are building for the first time. They may not know what SQL injection is, let alone how to prevent it. AI tools do not teach security concepts - they generate code that appears to work, and the developer trusts it because the app loads without errors.
The solution is not to stop using AI. The solution is to add a security verification step: review the generated code for the five risk categories above, run a scan against your deployed domain, and fix what comes back. This takes less time than debugging a data breach.
Scan Your Vibe-Coded App Now
700+ security checks in under 2 minutes. Pro reports include plain-English fix guidance for detected findings. Free tier available - no credit card required.
Start Free Scan