Skip to content

Vibe Coding Security Audit: Cursor, Lovable & Bolt Apps

A Wired investigation found 5,000+ vibe-coded apps with no authentication or security of any kind. Here's the checklist to make sure yours isn't one of them.

Why vibe-coded apps have a security problem

AI coding tools like Cursor, Lovable, Bolt, v0, and Replit are extraordinary at building features quickly. You describe what you want, and working code appears. The problem is that "working" and "secure" are different things.

A 2026 benchmark of 1,500+ AI-built apps found that 81% shipped with at least one critical or high-severity security issue. The most common findings:

  • Supabase tables with RLS disabled (anyone can read your database)
  • API keys in client-side JavaScript bundles
  • Admin routes with no authentication
  • Razorpay webhooks without signature verification
  • No rate limiting on AI/LLM endpoints
  • Missing security headers (CSP, HSTS, X-Frame-Options)

None of these are hard to fix. They just require knowing they exist.

The security audit checklist

✅ Authentication & Authorization

  • Every /api/* route that returns user data checks for a valid session
  • /admin and /api/admin/* routes are protected by middleware
  • User A cannot access User B's data by changing an ID in the URL (IDOR check)
  • Password reset flows use time-limited, single-use tokens

✅ Database Security

  • All Supabase tables have RLS enabled with explicit policies
  • No USING (true) policies that allow unrestricted access
  • Database credentials are not in client-side code
  • Direct database connections use connection pooling with limited permissions

✅ Secrets & Environment Variables

  • No sk_live_, sk_test_, or OPENAI_API_KEY in client bundles
  • Only NEXT_PUBLIC_ prefixed variables are in client-side code
  • .env is in .gitignore and not committed to git
  • Production uses different keys than development

✅ Payment Security

  • Razorpay webhook handlers verify the Razorpay-Signature header
  • Webhook handlers are idempotent (safe to call multiple times)
  • Price IDs come from environment variables, not user input
  • Production uses live keys, not test keys

✅ AI/LLM Security

  • Rate limiting on all AI endpoints (per user, per IP)
  • max_tokens set on every API call to prevent runaway costs
  • User input is not directly concatenated into system prompts (prompt injection)
  • AI responses are not rendered as raw HTML (XSS via LLM output)

✅ HTTP Security Headers

  • Content-Security-Policy header present
  • Strict-Transport-Security (HSTS) enabled
  • X-Frame-Options set to SAMEORIGIN or DENY
  • X-Content-Type-Options: nosniff

✅ Supply Chain

  • No typosquatted packages (axois, lodahs, expres)
  • No packages that AI invented that don't exist on npm
  • Dependencies are up to date with no known CVEs
  • No packages with suspicious install scripts

How to run this audit automatically

Vezraa gives you your Vibe Score, severity counts, and every finding with evidence, plus paste-ready fix prompts for Cursor or Claude Code.

Run the full security audit on your app in 30 seconds.

Start Scanning →

Related articles

Vibe Coding Security Audit: 2026 Checklist | Vezraa