~ You'll understand this in 9 minutes
TL;DR
The top 5 mistakes we see in vibe-coded apps: (1) exposed API keys in frontend code, (2) missing database security (no RLS), (3) no authentication on sensitive endpoints, (4) secrets committed to git, and (5) trusting user input without validation. Each of these can lead to data breaches or financial loss.
CheckYourVibe defines common security mistakes as the recurring vulnerabilities we find in the majority of AI-generated applications. These aren't advanced attack vectors. They're fundamental oversights that AI tools consistently produce because they optimize for functionality over security. Understanding these patterns is the first step to building secure vibe-coded apps.
Based on analysis of 50,000+ vibe-coded applications scanned by CheckYourVibe.
Why These Mistakes Happen
AI tools are optimized for one thing: making code that works. When you ask for a feature, the AI delivers functional code quickly. But it doesn't think about who might abuse that feature or what data needs protection.
These aren't obscure vulnerabilities. They're basic security gaps that AI-generated code almost always has. Here are the five mistakes we see most often and how to fix them.
Mistake #1: API Keys in Frontend Code
AI tools often put API keys directly in frontend JavaScript where anyone can see them by viewing page source.
Why it's dangerous: Anyone can copy your key and use it. For OpenAI, this means you pay for their usage. For Stripe, they could make charges. For AWS, they could spin up expensive resources.
How to Fix
Move API calls to a server-side endpoint. Use environment variables for keys. Never expose secret keys (those starting with sk_ or containing "secret") to the frontend.
Mistake #2: Missing Database Security (No RLS)
Supabase and Firebase apps often have Row Level Security disabled, meaning anyone can read or modify all data.
Why it's dangerous: Your Supabase URL and anon key are public (they're meant to be). Without RLS, anyone can query your database directly and access all user data.
How to Fix
Enable RLS on every table. Create policies that restrict access based on user authentication. See our Supabase RLS setup guide for step-by-step instructions.
Mistake #3: Unprotected API Endpoints
API routes that should require authentication are left open, allowing anyone to access sensitive functionality.
Why it's dangerous: Attackers can call your API directly, bypassing your UI. If endpoints don't verify authentication, they can delete data, access private information, or perform admin actions.
How to Fix
Add authentication checks to every sensitive endpoint. Verify the user's session token and check they have permission for the requested action before processing.
Mistake #4: Secrets Committed to Git
.env files or hardcoded secrets accidentally get committed to version control and pushed to GitHub.
Why it's dangerous: Git history is permanent. Even if you delete the file, the secrets remain in history. Bots constantly scan GitHub for exposed credentials and exploit them within minutes.
How to Fix
Add .env to .gitignore before creating it. If secrets were committed, rotate them immediately (create new keys and delete old ones). Consider using git-filter-repo to remove secrets from history.
Mistake #5: Trusting User Input
User input is used directly in database queries, HTML rendering, or system commands without validation.
Why it's dangerous: SQL injection lets attackers read, modify, or delete your entire database. XSS lets attackers run JavaScript in other users' browsers to steal sessions or data.
How to Fix
Use parameterized queries for SQL. Sanitize and escape user input before rendering in HTML. Validate that inputs match expected formats before processing.
Why AI Doesn't Catch These
You might wonder why AI tools create these vulnerabilities. The answer is simple: AI is trained to solve the problem you describe, not to imagine how someone might abuse the solution.
When you ask for a "user login system," the AI builds something that lets users log in. It doesn't automatically add:
- Rate limiting to prevent brute force attacks
- Secure password hashing
- Session timeout and management
- Protection against credential stuffing
These security features have to be explicitly requested or added manually.
Pro tip: When prompting AI tools, explicitly ask for security features. Instead of "build a login system," try "build a secure login system with rate limiting, bcrypt password hashing, and secure session management."
How to Find These Mistakes in Your App
- Run a security scan: Automated scans catch exposed secrets, missing RLS, and many common vulnerabilities
- Search your codebase: Look for hardcoded keys, console.log statements, and localhost URLs
- Check git history: Search for accidentally committed secrets
- Review authentication: List all API endpoints and verify each checks authentication
- Test database access: Try querying your database without authentication to see what's exposed
What is the most common security mistake in vibe-coded apps?
The most common mistake is exposed API keys. AI tools often generate code with placeholder keys or put secret keys directly in frontend code where anyone can see them. This can lead to unauthorized charges and abuse of your services.
Why do vibe-coded apps have so many security issues?
AI tools prioritize making code work over making it secure. They generate functional applications but often skip security best practices like input validation, proper authentication, and secure database configuration. The builder must add security themselves.
How can I avoid these common mistakes?
Run a security scan to identify issues, use environment variables for all secrets, enable Row Level Security on your database, add authentication to sensitive endpoints, and validate all user inputs. Review AI-generated code specifically for security gaps.
What should I do if I've already made these mistakes?
Fix them immediately. Rotate any exposed API keys. Enable RLS on your database tables. Add authentication to unprotected endpoints. Remove secrets from git history if possible. Then run a security scan to verify the fixes worked.
:: ::
Find Mistakes Before Users Do
Scan your app for these common security issues and more.
Start Free Scan