The 5 Production Bugs Hiding in Every Vibe-Coded App
AI coding tools ship features fast. They don't ship security. Here's what to check before your app goes live.
Why this keeps happening
Cursor, Bolt, Lovable, and v0 are incredible at building features. You say "add Razorpay payments" and ten seconds later there's a working checkout. The AI optimizes for "does it work?" — not "is it safe to ship?"
The result is the same problems showing up in nearly every AI-built app I've looked at. The fix is usually 5 minutes of work. But you have to know the problem exists first.
1. Supabase anon keys without RLS
The most common pattern. The app uses Supabase, the anon key is in the client bundle (which is fine — that's how it's supposed to work), but Row Level Security is never enabled on the tables.
The result: any visitor can hit your REST API directly with the public key and read every row in your database.
Fix: ALTER TABLE your_table ENABLE ROW LEVEL SECURITY; then add a policy: CREATE POLICY "Users see own rows" ON your_table FOR SELECT USING (auth.uid() = user_id);
2. Razorpay test keys in production
You set up Razorpay in development. The AI hardcoded rzp_test_ in your config. You deployed. The keys are still test keys. Your customers can't actually pay.
Worst case: rzp_live_ ends up in client-side JavaScript. Anyone can extract it from the browser and make charges on your account.
Fix: Move all Razorpay keys to environment variables. Use NEXT_PUBLIC_RAZORPAY_KEY_ID for the key ID only. The key secret never leaves the server.
3. Admin routes returning 200
You ask the AI to "add an admin dashboard." It builds /admin and /api/admin/*. But it forgets to add the auth check.
Anyone who guesses the URL gets full admin access.
Fix: Add middleware.ts at your project root that checks for a valid session on every /admin and /api/admin/* request. Return 401 or redirect to login.
4. OpenAI keys leaking through chat endpoints
The app has an AI chat feature. The endpoint at /api/chat works. There's no rate limiting. A single user with a script can send 10,000 requests per minute and burn through your API credits in an hour.
Even worse: sometimes the OpenAI key ends up in the client bundle directly.
Fix: Server-side calls only. Add Upstash or in-memory rate limiting (10 requests/minute per IP). Set max_tokens on every API call.
5. Webhook handlers without signature verification
Razorpay sends webhooks when payments complete. Your handler reads the event and unlocks paid features for the user. But if you never verify the webhook signature, anyone can send fake webhook events to your endpoint and get free access.
Fix: Razorpay.validateWebhookSignature(body, sig, process.env.RAZORPAY_WEBHOOK_SECRET) at the top of every webhook handler, run against the raw request body. If it returns false (or throws), return 400 and do nothing else.
The fix is fast
That's why I built Vezraa. One scan, 30 seconds, and you know exactly what's wrong. The fix prompts are designed to paste directly into Cursor or Claude Code — they reference your specific tech stack and give exact file paths.
From scan complete to all critical issues fixed: usually under 15 minutes.