Security Blog
Guides, stories, and tools to help you build secure apps — even when you're vibe coding.
589 articles across 14 topicsHow a Lovable App Exposed 18,000 Users, Including Students
A Lovable-hosted exam app had 16 vulnerabilities including backwards authentication logic that blocked logged-in users and let anonymous visitors access everything. 18,697 user records leaked, including K-12 students.
Read the full story →Latest Articles
MCP Servers Are the New Attack Surface: How to Secure Your AI Tool Integrations
MCP servers give AI tools direct access to your infrastructure. Learn the security risks and how to protect your databases, APIs, and secrets from malicious MCP servers.
Best PracticesVibe Coding Security Debt: Why 25% of AI-Generated Code Has Flaws (and How to Fix It)
Research shows 25% of AI-generated code contains security vulnerabilities. Learn the 5 most common flaws in vibe-coded apps and how to fix them before they cost you.
Best PracticesHow Attackers Used AI to Breach 50,000 FortiGate Firewalls
In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it matters for every app builder.
Security StoriesWhy AI Code Generators Keep Exposing Your API Keys (and How to Stop It)
AI code generators like Cursor, Bolt, and Lovable frequently hardcode API keys in client-side code. Learn why this happens and 5 proven strategies to prevent it.
Best PracticesHow Moltbook Exposed 1.5 Million API Keys in Client-Side Code
Moltbook launched with their Supabase database wide open. No Row Level Security. 1.5 million API keys exposed in client-side JavaScript. A basic scan would have caught this before launch.
Security StoriesAPI Security Best Practices: Authentication, Validation, and Rate Limiting
Essential API security best practices. Learn authentication patterns, input validation, rate limiting, and error handling for secure REST and GraphQL APIs.
Best PracticesHow-To Guides
Step-by-step security guides for your stack
How to Hide Your API Keys (The Right Way)
Step-by-step guide to securing API keys in your vibe-coded app. Learn environment variables, .gitignore, and platform-specific secret management.
How to Add Secure Authentication to Next.js
Step-by-step guide to adding secure authentication to Next.js apps. NextAuth setup, middleware protection, session handling, and common security mistakes.
How to Add Security Headers to Your Web App
Step-by-step guide to adding security headers. Protect against XSS, clickjacking, and MIME sniffing with CSP, X-Frame-Options, HSTS, and more. Includes code examples for Express, Next.js, and nginx.
API Key Security Best Practices
Comprehensive guide to API key security. Learn storage, rotation, scoping, monitoring, and incident response best practices to protect your application.
Security Blueprints
Pre-built security configurations for common stacks
Astro + Supabase Security Blueprint
Security guide for Astro sites with Supabase. Configure RLS, secure server endpoints, handle hybrid rendering auth, and protect your Astro app with proper security patterns.
Auth0 + Next.js Integration Security
Security guide for integrating Auth0 with Next.js. Configure @auth0/nextjs-auth0, protect API routes, handle tokens securely, and implement proper session management.
Bolt.new + Convex Security Blueprint
Security guide for Bolt.new + Convex stack. Configure function visibility, implement authentication, protect data access, and secure your Bolt-generated Convex app.
Bolt.new + Firebase Security Blueprint
Security guide for Bolt.new + Firebase stack. Configure Firestore rules, protect credentials, handle authentication, and secure your Bolt-generated Firebase app.
AI Fix Prompts
Copy-paste prompts to fix security issues with AI coding tools
Add Auth Middleware with AI Prompts
AI prompts to add authentication middleware. Protect your API routes, server actions, and pages with reusable auth checks.
Add Content Security Policy with AI Prompts
AI prompts to implement Content Security Policy headers. Prevent XSS, clickjacking, and other injection attacks with proper CSP configuration.
Add CSRF Protection with AI Prompts
AI prompts to implement CSRF protection. Prevent cross-site request forgery with tokens, SameSite cookies, and origin validation.
Add Secure Error Handling with AI Prompts
AI prompts to implement secure error handling. Hide sensitive details from users while logging what you need for debugging.
Security Comparisons
Side-by-side security analysis of tools and services
Bolt.new vs Lovable Security: AI App Generator Comparison
Compare Bolt.new and Lovable security. Learn which AI app generator produces more secure code and how to protect your generated applications.
Cursor vs Bolt.new Security: IDE vs App Generator Comparison
Compare Cursor and Bolt.new security. Understand the security differences between AI-assisted coding in an IDE vs AI app generation platforms.
Cursor vs GitHub Copilot Security: AI Coding Assistant Comparison
Compare Cursor and GitHub Copilot security. Learn which AI coding assistant handles your code more securely and what security risks each presents.
Firebase vs MongoDB Security: Document Database Comparison
Compare Firebase and MongoDB security features. Learn the differences between Firestore security rules and MongoDB access control for your app.
Security Glossary
Plain English definitions of security terms
Vibe Coding Security Glossary - Plain English Definitions
Security terms explained for non-technical founders. From API keys to XSS, learn what security jargon actually means in plain English.
What is an API Key? Plain English Security Guide
Learn what API keys are, why they matter for security, and how to protect them. A simple explanation for non-technical founders building with AI tools.
What is an Audit Log? Security Logging Basics
Learn what audit logs are, why they matter for security and compliance, and how to implement effective logging in your application.
What is Authentication? Security Guide for Developers
Learn what authentication means, how it differs from authorization, and why it matters for your app security. Plain English guide for vibe coders.
Tool & Platform Guides
Security guides for specific tools and platforms
Aider Security Guide: Terminal AI Pair Programming
Security guide for Aider CLI users. Learn about API key protection, code review practices, and secure development with this terminal-based AI coding assistant.
Bubble Security Guide: No-Code App Protection
Security guide for Bubble.io users. Learn about privacy rules, API security, and protecting your no-code application from common vulnerabilities.
Claude Code Security Guide: Protecting AI-Generated Projects
Security guide for Claude Code users. Learn how to review AI-generated code, protect secrets, and deploy secure applications built with Claude's coding assistant.
Amazon CodeWhisperer Security Guide: AWS AI Coding
Security guide for Amazon CodeWhisperer users. Learn about AWS integration, security scanning features, and secure development with AWS's AI coding assistant.
Security Checklists
Printable security verification lists
Acquired Codebase Security Checklist: 20-Item Audit Guide
Security audit checklist for acquired codebases. Review credentials, dependencies, access controls, and vulnerabilities before integrating inherited projects.
AI Generated Code Security Checklist: 15-Item Guide Before Production
Security checklist for reviewing AI-generated code from Cursor, Bolt, Lovable, ChatGPT, or any AI coding tool before deploying to production.
API Security Checklist: 26-Item Guide for REST & GraphQL
Printable 26-item API security checklist for REST and GraphQL APIs. Authentication, authorization, input validation, rate limiting, and CORS configuration.
Authentication Security Checklist: 29-Item Guide
Complete authentication security checklist. Password handling, session management, OAuth configuration, MFA, and secure password reset flows.
Security Stories
Real-world security incidents and lessons
How a Lovable App Exposed 18,000 Users, Including Students
A Lovable-hosted exam app had 16 vulnerabilities including backwards authentication logic that blocked logged-in users and let anonymous visitors access everything. 18,697 user records leaked, including K-12 students.
How Attackers Used AI to Breach 50,000 FortiGate Firewalls
In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it matters for every app builder.
How Moltbook Exposed 1.5 Million API Keys in Client-Side Code
Moltbook launched with their Supabase database wide open. No Row Level Security. 1.5 million API keys exposed in client-side JavaScript. A basic scan would have caught this before launch.
Why I Almost Gave Up on Security
The emotional journey of dealing with security as a solo founder. The overwhelm, the near-surrender, and how I found a sustainable approach.
Vulnerability Guides
Common security vulnerabilities explained
API Authentication Bypass Explained
API authentication bypass lets attackers access protected endpoints without proper credentials. Learn about common bypass techniques and how to prevent them.
Broken Access Control Explained
Broken access control is the #1 web security risk. It happens when users can access resources or actions they should not be authorized for. Learn how to fix it.
Broken Authentication Explained: When Login Security Fails
Broken authentication lets attackers bypass login systems, take over accounts, or impersonate users. Learn the common auth failures in vibe-coded apps and how to fix them.
Clickjacking Explained
Clickjacking tricks users into clicking hidden elements on your site embedded in malicious pages. Learn how to prevent it with X-Frame-Options and CSP headers.
Launch Security
Security checklists for shipping your app
Beta Launch Security Checklist: 14 Items Before Inviting Beta Users
Security checklist for beta launches. 14 essential items to verify before inviting your first beta users, including data protection and feedback handling.
Bolt.new App Launch Security Checklist: 16 Items Before Going Live
Pre-launch security checklist for Bolt.new apps. 16 critical items to check before deploying your Bolt-generated application to production.
Cursor App Launch Security Checklist: 18 Items Before Going Live
Pre-launch security checklist for Cursor-built apps. 18 essential items to verify before deploying your AI-generated application to production.
Firebase Backend Launch Security Checklist: 16 Items Before Going Live
Pre-launch security checklist for Firebase backends. 16 essential items covering security rules, authentication, API keys, and production configuration.
Is It Safe?
Security assessments of popular tools and services
Is Auth0 Safe? Security Analysis
Is Auth0 safe for authentication? Security analysis covering token security, tenant configuration, and identity management best practices.
Is Bolt.new Safe? Security Analysis for AI App Builder
Is Bolt.new safe for production apps? Complete security analysis covering code quality, deployment security, and what you need to know before shipping a Bolt app.
Is ChatGPT Safe for Code? Security Analysis
Is ChatGPT safe for generating code? Security analysis of OpenAI's ChatGPT for coding tasks covering code quality, data privacy, and production readiness.
Is Claude Code Safe? Security Analysis for Anthropic's AI
Is Claude safe for generating code? Security analysis of Anthropic's Claude for coding tasks, covering code quality, safety features, and production readiness.
Security Cost Analysis
The financial impact of security issues
Free Tier Security: Building Startup Security on $0
You can build solid security with free tools. Learn which free tiers actually work for startups and how to maximize protection with zero budget.
Security Tooling Costs: What Startups Should Actually Spend
Security tools for startups range from free to $50,000+/year. Learn what to prioritize at each stage, from free tiers to enterprise solutions.
API Abuse Charges: When Your Free Tier Becomes a Nightmare
API abuse from bots and attackers can turn your $0 budget into $10,000+ in unexpected charges. Learn how to protect against API abuse and set up spending limits.
Cost of API Key Exposure: Real Financial Impact for Startups
Exposed API keys cost startups $500 to $50,000+ in direct charges, plus reputation damage. Learn the real financial impact and how to prevent it.
Best Practices
Security best practices for modern web apps
MCP Servers Are the New Attack Surface: How to Secure Your AI Tool Integrations
MCP servers give AI tools direct access to your infrastructure. Learn the security risks and how to protect your databases, APIs, and secrets from malicious MCP servers.
Vibe Coding Security Debt: Why 25% of AI-Generated Code Has Flaws (and How to Fix It)
Research shows 25% of AI-generated code contains security vulnerabilities. Learn the 5 most common flaws in vibe-coded apps and how to fix them before they cost you.
Why AI Code Generators Keep Exposing Your API Keys (and How to Stop It)
AI code generators like Cursor, Bolt, and Lovable frequently hardcode API keys in client-side code. Learn why this happens and 5 proven strategies to prevent it.
API Security Best Practices: Authentication, Validation, and Rate Limiting
Essential API security best practices. Learn authentication patterns, input validation, rate limiting, and error handling for secure REST and GraphQL APIs.
Getting Started
Start your security journey here
Common Security Mistakes in Vibe-Coded Apps
The security mistakes we see in almost every vibe-coded app. Learn what they are, why they happen, and how to avoid them in your AI-built applications.
Your First Security Scan: A Step-by-Step Guide
Run your first security scan on your vibe-coded app. This guide walks you through the process, what to expect, and how to interpret the results.
5-Minute Security Quick Wins
Fast security improvements you can make right now. These quick fixes take 5 minutes or less but significantly improve your vibe-coded app's security.
Security Glossary: Plain-English Definitions
Security terms explained in plain English for non-technical founders. A reference guide for common security concepts you'll encounter when building apps.