[{"data":1,"prerenderedAt":266},["ShallowReactive",2],{"blog-stories/100-scans-lessons":3},{"id":4,"title":5,"body":6,"category":246,"date":247,"dateModified":248,"description":249,"draft":250,"extension":251,"faq":252,"featured":250,"headerVariant":246,"image":252,"keywords":252,"meta":253,"navigation":254,"ogDescription":255,"ogTitle":252,"path":256,"readTime":252,"schemaOrg":257,"schemaType":258,"seo":259,"sitemap":260,"stem":261,"tags":262,"twitterCard":264,"__hash__":265},"blog/blog/stories/100-scans-lessons.md","What I Learned Scanning 100 Vibe Coded Projects",{"type":7,"value":8,"toc":231},"minimark",[9,16,19,24,44,47,51,56,59,66,70,73,77,80,96,100,103,107,110,114,117,131,155,159,162,179,182,204,223],[10,11,12],"tldr",{},[13,14,15],"p",{},"After scanning 100 projects built with AI coding tools (Cursor, Bolt, v0, Lovable, etc.), I found consistent vulnerability patterns. 78% had exposed API keys, 65% lacked rate limiting, 52% had broken authentication. AI tools are great at generating functional code but consistently miss security best practices unless explicitly prompted.",[13,17,18],{},"Vibe coding is amazing. You describe what you want, and AI generates a working application. But does working mean secure? I scanned 100 projects to find out, and the results were eye-opening.",[20,21,23],"h2",{"id":22},"the-numbers","The Numbers",[25,26,27,32,36,40],"stat-grid",{},[28,29],"stat-card",{"label":30,"number":31},"Exposed API keys","78%",[28,33],{"label":34,"number":35},"No rate limiting","65%",[28,37],{"label":38,"number":39},"Auth vulnerabilities","52%",[28,41],{"label":42,"number":43},"Missing input validation","47%",[13,45,46],{},"These aren't cherry-picked examples. They're consistent patterns across projects built with different AI tools, by developers of varying experience levels.",[20,48,50],{"id":49},"top-5-vulnerabilities-in-vibe-coded-projects","Top 5 Vulnerabilities in Vibe Coded Projects",[52,53,55],"h3",{"id":54},"_1-exposed-api-keys-78-of-projects","1. Exposed API Keys (78% of projects)",[13,57,58],{},"The most common issue by far. API keys for OpenAI, Stripe, Supabase, and other services hardcoded in client-side JavaScript or committed to repositories.",[60,61,63],"finding-box",{"title":62},"Why AI Does This",[13,64,65],{},"AI tools generate working code based on documentation examples, which often show inline API keys for simplicity. Without explicit prompting about environment variables, the AI takes the path of least resistance.",[52,67,69],{"id":68},"_2-missing-rate-limiting-65-of-projects","2. Missing Rate Limiting (65% of projects)",[13,71,72],{},"API endpoints that can be called unlimited times, vulnerable to abuse, scraping, and DDoS-like attacks. Particularly dangerous for AI-powered features with per-request costs.",[52,74,76],{"id":75},"_3-authentication-issues-52-of-projects","3. Authentication Issues (52% of projects)",[13,78,79],{},"Common problems included:",[81,82,83,87,90,93],"ul",{},[84,85,86],"li",{},"JWT tokens stored in localStorage (vulnerable to XSS)",[84,88,89],{},"Missing session expiration",[84,91,92],{},"User enumeration via login error messages",[84,94,95],{},"Password reset tokens that don't expire",[52,97,99],{"id":98},"_4-no-input-validation-47-of-projects","4. No Input Validation (47% of projects)",[13,101,102],{},"User input passed directly to database queries, APIs, or rendered in HTML without sanitization. Creates XSS, SQL injection, and NoSQL injection vulnerabilities.",[52,104,106],{"id":105},"_5-broken-access-control-41-of-projects","5. Broken Access Control (41% of projects)",[13,108,109],{},"Users able to access or modify other users' data by changing IDs in URLs or API requests. The classic IDOR (Insecure Direct Object Reference) vulnerability.",[20,111,113],{"id":112},"why-ai-misses-security","Why AI Misses Security",[13,115,116],{},"AI coding tools are trained to generate functional code that accomplishes the stated goal. Security is often implicit in professional development but explicit prompting is required for AI:",[81,118,119,122,125,128],{},[84,120,121],{},"User asks for \"a user login system\" not \"a secure user login system with rate limiting, proper session management, and protection against common attacks\"",[84,123,124],{},"Documentation examples prioritize clarity over security",[84,126,127],{},"AI optimizes for working code, not defensive code",[84,129,130],{},"Security edge cases aren't part of typical feature requests",[132,133,135],"lesson-box",{"title":134},"How to Get Secure AI-Generated Code",[81,136,137,140,143,146,149,152],{},[84,138,139],{},"Explicitly mention security requirements in your prompts",[84,141,142],{},"Ask AI to \"review this code for security vulnerabilities\"",[84,144,145],{},"Use follow-up prompts: \"What security issues might this have?\"",[84,147,148],{},"Always scan generated code before deployment",[84,150,151],{},"Don't assume AI knows best practices - verify",[84,153,154],{},"Add security-specific prompts: \"use environment variables for secrets\"",[20,156,158],{"id":157},"the-good-news","The Good News",[13,160,161],{},"Most vulnerabilities in vibe coded projects are fixable with straightforward changes. The issues aren't architectural nightmares - they're missing best practices that can be added after the fact:",[81,163,164,167,170,173,176],{},[84,165,166],{},"Move API keys to environment variables",[84,168,169],{},"Add rate limiting middleware",[84,171,172],{},"Implement proper input validation",[84,174,175],{},"Add authorization checks to API endpoints",[84,177,178],{},"Use secure session management",[13,180,181],{},"The key is catching these issues before deployment, not after your first security incident.",[183,184,185,192,198],"faq-section",{},[186,187,189],"faq-item",{"question":188},"Which AI coding tools generate the most secure code?",[13,190,191],{},"In my testing, security varied more by prompt quality than by tool. All tools generated insecure code with basic prompts and improved significantly with security-specific prompts. No tool is secure by default.",[186,193,195],{"question":194},"Should I stop using AI for coding?",[13,196,197],{},"No. AI coding tools dramatically increase productivity. Just add security review to your workflow. Think of AI as a very fast junior developer who needs code review before anything goes to production.",[186,199,201],{"question":200},"How do I prompt AI for secure code?",[13,202,203],{},"Be explicit: \"Create a login system with rate limiting, secure session management, protection against brute force attacks, and proper password hashing using bcrypt.\" Also ask follow-up questions about security specifically.",[205,206,207,213,218],"related-articles",{},[208,209],"related-card",{"description":210,"href":211,"title":212},"Real-world example: AI-generated auth was backwards, 18,697 records leaked.","/blog/stories/lovable-app-exposed-18000-users","How a Lovable App Exposed 18,000 Users",[208,214],{"description":215,"href":216,"title":217},"Supabase wide open, no RLS. The exact pattern we see across vibe-coded apps.","/blog/stories/moltbook-exposed-api-keys","How Moltbook Exposed 1.5 Million API Keys",[208,219],{"description":220,"href":221,"title":222},"What to check before you launch anything","/blog/checklists/pre-deployment-security-checklist","Pre-Deployment Security Checklist",[224,225,228],"cta-box",{"href":226,"label":227},"/","Check Your Vibe Now",[13,229,230],{},"Find the vulnerabilities AI missed before attackers do.",{"title":232,"searchDepth":233,"depth":233,"links":234},"",2,[235,236,244,245],{"id":22,"depth":233,"text":23},{"id":49,"depth":233,"text":50,"children":237},[238,240,241,242,243],{"id":54,"depth":239,"text":55},3,{"id":68,"depth":239,"text":69},{"id":75,"depth":239,"text":76},{"id":98,"depth":239,"text":99},{"id":105,"depth":239,"text":106},{"id":112,"depth":233,"text":113},{"id":157,"depth":233,"text":158},"stories","2026-01-05","2026-01-27","After scanning 100 AI-generated projects, clear patterns emerged. Here are the most common vulnerabilities in vibe coded apps and how to avoid them.",false,"md",null,{},true,"The most common vulnerabilities in AI-generated projects.","/blog/stories/100-scans-lessons","[object Object]","BlogPosting",{"title":5,"description":249},{"loc":256},"blog/stories/100-scans-lessons",[263],"Research","summary_large_image","uSZCbeQf10K8eqlniZN9UeneGeKqO2NX1RgJOD2Bcms",1775843937556]