Security Blog
Guides, stories, and tools to help you build secure apps — even when you're vibe coding.
621 articles across 14 topicsHow a Lovable App Exposed 18,000 Users, Including Students
A Lovable-hosted exam app had 16 vulnerabilities including backwards authentication logic that blocked logged-in users and let anonymous visitors access everything. 18,697 user records leaked, including K-12 students.
Read the full story →Latest Articles
How to Fix v0 API Key Exposure (2026)
v0 API key exposure usually comes from a NEXT_PUBLIC_-prefixed secret baked into your Next.js client bundle, or a key hardcoded in a component that v0 generated. Step-by-step fix: find, rotate, and move secrets to Vercel server-side.
How-To GuidesHow to Fix Replit API Key Exposure (2026)
Replit API key exposure usually means Replit Agent hardcoded the secret directly in source code instead of the Secrets tab, or your Repl is public and the code is visible. Step-by-step fix: find, rotate, and move to Replit Secrets.
How-To GuidesHow to Fix Lovable API Key Exposure (2026)
Lovable API key exposure usually means a Supabase service_role key in frontend code or a VITE_-prefixed secret baked into your client bundle. Step-by-step fix: find, rotate, and move secrets server-side.
How-To GuidesHow to Fix Bolt.new API Key Exposure (2026)
Bolt.new API key exposure usually means a VITE_-prefixed secret baked into your client bundle or a service_role key used in frontend code. Step-by-step fix: find, rotate, and move secrets server-side.
How-To GuidesHow to Fix Cursor API Key Exposure (2026)
Cursor AI-generated code often exposes API keys in three ways: hardcoded in source files, sent to the client via NEXT_PUBLIC_ or VITE_ prefixes, or committed to git in .env files. Step-by-step fix.
How-To GuidesHow to Fix Railway API Key Exposure (2026)
Railway API key exposure usually comes from VITE_/NEXT_PUBLIC_ prefixes baking secrets into your client bundle. Step-by-step fix: audit, rotate, move to server-side env vars.
How-To GuidesGetting Started
Start your security journey here
Your First Security Scan: A Step-by-Step Guide
Run your first security scan on your vibe-coded app. This guide walks you through the process, what to expect, and how to interpret the results.
Common Security Mistakes in Vibe-Coded Apps
The security mistakes we see in almost every vibe-coded app. Learn what they are, why they happen, and how to avoid them in your AI-built applications.
Do I Actually Need a Security Scanner?
An honest look at when you need a security scanner and when you don't. If your app handles user data, auth, or payments, the answer is probably yes.
5-Minute Security Quick Wins
Fast security improvements you can make right now. These quick fixes take 5 minutes or less but significantly improve your vibe-coded app's security.
What is Vibe Coding? A Complete Introduction
Vibe coding means building apps with AI tools like Cursor, Bolt, and Lovable. Learn what it is, how it works, and why security matters for vibe coders.
Why Security Matters for Vibe Coders
Security isn't optional for AI-built apps. Learn why vibe-coded apps face unique risks and what happens when security is ignored.
How-To Guides
Step-by-step security guides for your stack
How to Hide API Keys - Secure Your Secrets
Step-by-step guide to hiding API keys in your web app. Use environment variables, .gitignore, and platform secrets to keep your keys safe from exposure.
How to Add Security Headers to Your Web App
Step-by-step guide to adding security headers. Protect against XSS, clickjacking, and MIME sniffing with CSP, X-Frame-Options, HSTS, and more. Includes code examples for Express, Next.js, and nginx.
How to Prevent SQL Injection in Your App
Step-by-step guide to preventing SQL injection. Parameterized queries, ORMs, input validation, and common mistakes that leave your database vulnerable.
How to Protect Against XSS Attacks
Step-by-step guide to preventing XSS in React and Next.js. Sanitizing user input, Content Security Policy, and common XSS patterns to avoid.
How to Add Secure Authentication to Next.js
Step-by-step guide to adding secure authentication to Next.js apps. NextAuth setup, middleware protection, session handling, and common security mistakes.
How to Set Up CORS Properly
Step-by-step guide to configuring CORS in Next.js, Express, and serverless functions. Avoid security mistakes and fix common CORS errors.
Is It Safe?
Security assessments of popular tools and services
Is Bolt.new Safe? Security Analysis for AI App Builder
Is Bolt.new safe for production apps? Complete security analysis covering code quality, deployment security, and what you need to know before shipping a Bolt app.
Is Cursor Safe? Security Analysis for AI Code Editor
Is Cursor safe for production code? Complete security analysis of Cursor AI editor covering data privacy, code security, and what you need to know before using it.
Is Supabase Safe? Security Analysis
Is Supabase safe for production? Security analysis covering Row Level Security, authentication, and common misconfigurations in Supabase projects.
Is Firebase Safe? Security Analysis
Is Firebase safe for production? Security analysis covering Firestore rules, Authentication, and common security issues in Firebase projects.
Is Vercel Safe? Security Analysis
Is Vercel safe for production? Security analysis covering deployment security, environment variables, edge functions, and preview deployments.
Is GitHub Copilot Safe? Security Analysis
Is GitHub Copilot safe to use? Security analysis covering code privacy, suggestion quality, licensing concerns, and enterprise security features.
Best Practices
Security best practices for modern web apps
Authentication Best Practices: Secure Login, Sessions, and Token Management
Authentication security best practices. Learn secure password handling, session management, JWT patterns, and OAuth implementation for web applications.
API Security Best Practices: Authentication, Validation, and Rate Limiting
Essential API security best practices. Learn authentication patterns, input validation, rate limiting, and error handling for secure REST and GraphQL APIs.
Environment Variable Best Practices: Secrets, Configuration, and Security
Environment variable security best practices. Learn to manage secrets, configure applications securely, and avoid common env var mistakes across platforms.
Secrets Management Best Practices: API Keys, Credentials, and Vaults
Secrets management best practices. Learn how to store API keys, rotate credentials, use secret vaults, and prevent secret leaks in code.
Database Security Best Practices: SQL Injection, Access Control, and Encryption
Essential database security best practices. Learn to prevent SQL injection, implement access controls, encrypt sensitive data, and secure your database connections.
Next.js Security Best Practices: API Routes, Auth, and Data Protection
Complete Next.js security best practices. Learn to secure API routes, protect environment variables, implement authentication, and deploy safely.
Vulnerability Guides
Common security vulnerabilities explained
Exposed API Keys Explained: The #1 Vibe Coding Vulnerability
API key exposure is the most common security issue in AI-generated code. Learn what exposed API keys are, why they're dangerous, and how to fix them fast.
45% of AI-Generated Code Has Security Flaws: What the Research Says
Veracode found that 45% of AI-assisted code contains security flaws. Stanford research confirms AI coding assistants produce less secure code. Here's what the data shows and what to do about it.
Agentic AI Security Risks: What Cursor Agent, Devin, and Codex Mean for Your Code
AI agents don't just suggest code. They write features, install packages, and modify configs autonomously. Here's the new attack surface this creates and what developers should do about it.
SQL Injection Explained: How Attackers Manipulate Your Database
SQL injection lets attackers read, modify, or delete your database through input fields. Learn how SQLi works and how to protect your vibe-coded app with parameterized queries.
Cross-Site Scripting (XSS) Explained in Plain English
XSS attacks let hackers inject malicious scripts into your web pages. Learn how XSS works, see real examples, and discover how to protect your vibe-coded app.
Broken Access Control Explained
Broken access control is the #1 web security risk. It happens when users can access resources or actions they should not be authorized for. Learn how to fix it.
Security Checklists
Printable security verification lists
Pre-Deployment Security Checklist: 26-Item Guide Before Going Live
Complete pre-deployment security checklist for web applications. 26 essential items to check before deploying your vibe-coded app to production.
API Security Checklist: 26-Item Guide for REST & GraphQL
Printable 26-item API security checklist for REST and GraphQL APIs. Authentication, authorization, input validation, rate limiting, and CORS configuration.
Authentication Security Checklist: 29-Item Guide
Complete authentication security checklist. Password handling, session management, OAuth configuration, MFA, and secure password reset flows.
AI Generated Code Security Checklist: 15-Item Guide Before Production
Security checklist for reviewing AI-generated code from Cursor, Bolt, Lovable, ChatGPT, or any AI coding tool before deploying to production.
MVP Security Checklist: 12-Item Guide for Minimum Viable Security
Security checklist for MVPs. The minimum security you need before launching your minimum viable product to real users.
Next.js Security Checklist: 18-Item Guide for App Router & Pages Router
Complete Next.js security checklist for both App Router and Pages Router. API routes, middleware, server components, and security headers.
Tool & Platform Guides
Security guides for specific tools and platforms
Supabase Security Guide: Row Level Security and Best Practices
Complete security guide for Supabase. Master Row Level Security (RLS), protect your API keys, and secure your database for production.
Cursor Security Guide: Securing AI-Assisted Code
Complete security guide for Cursor AI editor. Learn to review AI-generated code, protect secrets, and deploy secure applications built with Cursor.
Bolt.new Security Guide: Protecting Full-Stack AI Apps
Complete security guide for Bolt.new. Learn to secure AI-generated full-stack applications, protect database credentials, and deploy safely.
Firebase Security Guide: Firestore Rules and Authentication
Complete security guide for Firebase. Master Firestore security rules, secure authentication flows, and protect your Firebase project from common vulnerabilities.
Vercel Security Guide: Environment Variables and Edge Functions
Complete security guide for Vercel deployments. Learn to protect environment variables, secure serverless functions, and configure security headers for production.
NextAuth.js Security Guide for Vibe Coders
Secure your NextAuth.js authentication when vibe coding. Learn session security, callback protection, CSRF prevention, and common configuration mistakes to avoid.
Security Comparisons
Side-by-side security analysis of tools and services
Vibe Coding Security Scanners Compared: CheckYourVibe vs Competitors
An honest comparison of security scanning tools for vibe-coded apps in 2026. CheckYourVibe, VibeAppScanner, OWASP ZAP, Burp Suite, Snyk, and SonarQube compared.
Supabase vs Firebase Security: Complete Comparison
Compare Supabase and Firebase security models. Learn the differences in authentication, database security, and which is safer for your vibe-coded app.
Cursor vs GitHub Copilot Security: AI Coding Assistant Comparison
Compare Cursor and GitHub Copilot security. Learn which AI coding assistant handles your code more securely and what security risks each presents.
Vercel vs Netlify: Deployment Security Comparison 2025
Compare Vercel and Netlify security features for web deployment. Learn about edge security, environment variables, and enterprise options for vibe-coded apps.
Auth0 vs Firebase Auth: Security Comparison 2025
Compare Auth0 and Firebase Authentication security features. Learn about enterprise auth, consumer focus, and security tradeoffs for vibe-coded apps.
Bolt.new vs Lovable Security: AI App Generator Comparison
Compare Bolt.new and Lovable security. Learn which AI app generator produces more secure code and how to protect your generated applications.
Security Blueprints
Pre-built security configurations for common stacks
Next.js + Supabase + Vercel Security Blueprint
Security guide for Next.js + Supabase + Vercel stack. Configure RLS, secure Server Components and Actions, protect API routes, and deploy safely.
Bolt.new + Next.js + Supabase Security Blueprint
Security guide for Bolt.new + Next.js + Supabase stack. Configure RLS, secure Server Components, protect API routes, and handle authentication properly.
Cursor + Next.js + Supabase Security Blueprint
Security guide for Cursor + Next.js + Supabase stack. Configure RLS, secure Server Components, protect API routes, and handle authentication properly.
MERN Stack Security Blueprint
Security guide for MERN Stack (MongoDB, Express, React, Node.js). Prevent NoSQL injection, secure Express APIs, implement JWT auth, and protect your MERN app.
T3 Stack Security Blueprint
Security guide for T3 Stack (Next.js, tRPC, Prisma, NextAuth). Protect tRPC procedures, configure Prisma safely, implement NextAuth patterns, and secure your T3 app.
React + Firebase Security Blueprint
Security guide for React + Firebase stack. Configure Firestore rules, handle authentication, protect client-side data, and secure your React SPA.
Launch Security
Security checklists for shipping your app
Product Hunt Launch Security Checklist: 12 Items Before Launch Day
Security checklist for Product Hunt launches. 12 essential items to verify before your launch day to handle traffic spikes and prevent security embarrassments.
SaaS Launch Checklist: Security & Compliance Before Day One (2026)
SaaS launch security checklist for 2026. 20 items covering authentication, multi-tenant data isolation, payment security, and compliance before your app goes live.
Next.js Launch Security Checklist: 18 Items Before Going Live
Pre-launch security checklist for Next.js applications. 18 essential items covering API routes, middleware, environment variables, and deployment security.
Bolt.new App Launch Security Checklist: 16 Items Before Going Live
Pre-launch security checklist for Bolt.new apps. 16 critical items to check before deploying your Bolt-generated application to production.
Hacker News Launch Security Checklist: 12 Items Before Posting
Security checklist for Hacker News launches. 12 essential items to verify before posting your Show HN, including handling technical scrutiny and traffic spikes.
Public Launch Security Checklist: 16 Items Before Going Live
Security checklist for public product launches. 16 essential items to verify before opening your product to the world, from security basics to scale readiness.
Security Cost Analysis
The financial impact of security issues
Cost of Data Breach for Startups: Real Numbers and Survival Guide
Data breaches cost startups $50,000 to $500,000+. Learn the real financial impact, what makes startup breaches different, and how to reduce your risk.
Cost of API Key Exposure: Real Financial Impact for Startups
Exposed API keys cost startups $500 to $50,000+ in direct charges, plus reputation damage. Learn the real financial impact and how to prevent it.
Cost of Fixing Security Later vs Now: Technical Debt Calculator
Security debt compounds at 5-10x per month. Learn why fixing security issues now costs 90% less than fixing them later, with real cost breakdowns.
Cost of Skipping Security Scans: Why Free Prevention Beats Expensive Fixes
Skipping security scans costs startups 10-100x more in eventual fixes. Learn the ROI of regular scanning and why most security issues are caught too late.
Prevention vs Cure: ROI of Proactive Security for Startups
Proactive security costs 10-50x less than incident response. Learn the real ROI of prevention vs cure for startup security investments.
Cost of AWS Credential Abuse: Crypto Mining Bills and Cloud Attacks
AWS credential abuse costs $5,000-100,000+ in cloud bills. Learn how attackers exploit exposed AWS keys for crypto mining and how to protect yourself.
Security Stories
Real-world security incidents and lessons
OpenClaw's 900 Malicious npm Packages: What Vibe Coders Need to Know
The OpenClaw campaign published roughly 900 malicious npm packages designed to steal credentials and install backdoors. Here's why vibe coders are especially at risk and how to protect yourself.
When My Stripe API Key Got Leaked
A founder's story of discovering their Stripe secret key was exposed in a public GitHub repo. The panic, the response, and the lessons learned.
The $12,000 AWS Bill That Changed Everything
How an exposed AWS credential led to a cryptocurrency mining operation on my account. The shocking bill, the investigation, and how I got most of it refunded.
What Hackers Look for in Vibe Coded Apps
A look at how attackers find and exploit vulnerabilities in AI-generated applications. Understanding the attacker mindset to build better defenses.
The Day My Database Was Exposed
A startup founder discovers their Supabase database was publicly accessible. No RLS, no auth checks. User data was exposed for three weeks before anyone noticed.
How a Lovable App Exposed 18,000 Users, Including Students
A Lovable-hosted exam app had 16 vulnerabilities including backwards authentication logic that blocked logged-in users and let anonymous visitors access everything. 18,697 user records leaked, including K-12 students.
AI Fix Prompts
Copy-paste prompts to fix security issues with AI coding tools
Fix Exposed API Keys with AI Prompts
Copy-paste AI prompts to fix exposed API keys in your code. Works with Cursor, Claude, and ChatGPT to move hardcoded secrets to environment variables.
Fix SQL Injection Vulnerabilities with AI Prompts
AI prompts to find and fix SQL injection vulnerabilities in your code. Convert unsafe queries to parameterized statements and protect your database.
Fix XSS Vulnerabilities with AI Prompts
AI prompts to fix Cross-Site Scripting (XSS) vulnerabilities. Escape output, sanitize input, and implement CSP to prevent script injection attacks.
Fix CORS Issues Securely with AI Prompts
AI prompts to fix CORS issues without compromising security. Understand Cross-Origin Resource Sharing and configure it properly for your API.
Remove Hardcoded Secrets with AI Prompts
AI prompts to find and remove hardcoded secrets from your codebase. Migrate credentials to environment variables and clean git history.
Add Security Headers with AI Prompts
AI prompts to add essential security headers. Configure CSP, HSTS, X-Frame-Options, and other headers to protect your application from common attacks.
Security Glossary
Plain English definitions of security terms
What is XSS (Cross-Site Scripting)? Security Guide
Learn what XSS attacks are, how they work, and how to prevent cross-site scripting in your web app. Plain English security guide for developers.
What is SQL Injection? Database Security Guide
Learn what SQL injection attacks are, how they work, and how to prevent them with parameterized queries. Essential security knowledge for developers.
What is CORS? Cross-Origin Resource Sharing Explained
Learn what CORS is, why browsers block cross-origin requests, and how to configure CORS properly. Avoid the common security mistakes.
What is a JWT (JSON Web Token)? Authentication Guide
Learn what JWTs are, how they work for authentication, and common security mistakes to avoid. Plain English guide for developers.
What is CSRF (Cross-Site Request Forgery)? Security Guide
Learn what CSRF attacks are, how they trick users into unwanted actions, and how to protect your app with tokens and SameSite cookies.
What is an API Key? Plain English Security Guide
Learn what API keys are, why they matter for security, and how to protect them. A simple explanation for non-technical founders building with AI tools.