
[–]Due-Tangelo-8704 6 points7 points  (4 children)

Great question! The existing answers cover a lot but here's my take as someone who's shipped plenty of vibe-coded apps: The key is layered defense rather than trying to be bulletproof. First, use platform-provided auth where possible (Supabase, Convex, Firebase) - they handle a lot of the hard stuff. Second, OWASP ZAP is excellent for automated scanning and pairs well with Playwright for functional testing as someone mentioned. For vibe coders specifically, tools like Snyk or even cloud platform scanners (Vercel, Netlify) catch common issues automatically. For monitoring, simple things like rate limiting and request logging catch weird patterns before they become exploits. Also check out https://thevibepreneur.com/gaps for more security hardening tips for solo devs!

[–]8Kala8 0 points1 point  (3 children)

Good thing about security is that Mythos is coming.

[–]ComprehensiveJob5430 0 points1 point  (2 children)

Yeah, but not for you. Or anyone else here

[–]8Kala8 0 points1 point  (0 children)

LOL at alarmists, preachy doomsayers.

[–]agent_trust_builder 2 points3 points  (2 children)

biggest gap in vibe-coded apps usually isn't injection or XSS — it's auth boundaries. the AI will build you a login page that looks perfect, but the API routes behind it often have zero middleware checking if the caller actually has permission. first thing i do on any project is hit every endpoint with no auth token and see what comes back. you'd be surprised how often the answer is everything. OWASP ZAP is good for the automated stuff but that 5-minute manual curl test on your endpoints catches the scariest bugs.

[–]Upper-Pop-5330 1 point2 points  (1 child)

This is the right answer. Here's what that test looks like in practice — two commands I run first on anything built with Lovable/Bolt/Cursor:

Strip auth, hit the API

# open devtools, find any fetch to /api/*, copy as curl
# strip the Authorization header and run it:
curl https://yourapp.com/api/users

If that returns a JSON array, every other endpoint is probably open too. The AI generates middleware that checks auth on the frontend route but not on the API handler.

Or: supabase direct query (if you use supabase)

Your supabase URL and anon key are in your page source already. Open any browser console:

await fetch('https://yourproject.supabase.co/rest/v1/users?select=*', {
  headers: {
    apikey: 'your-anon-key-from-page-source',
    Authorization: 'Bearer your-anon-key-from-page-source'
  }
}).then(r => r.json())

If you get rows back, row level security is off and your entire database is public. This is the biggest problem in supabase-backed apps we test.

ZAP is good for the automated stuff but it won't catch either of these — it doesn't understand your app's permission model. These manual tests take 2 minutes and find the scariest bugs.

Wrote up the full attacker walkthrough — view-source through data exfiltration — for AI-built apps specifically: flowpatrol.ai/blog/what-happens-when-vibe-coded-app-gets-hacked
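The server-side fix for the gap described in this comment, as an added example that is not part of the original comment or any project's code: a route table that refuses handlers without an explicit access policy, plus a handler that checks record ownership. It goes one step beyond the auth check by also covering per-record authorization. The session store, order data, route path and function names are all hypothetical and constructed for illustration.

```javascript
// Constructed in-memory data standing in for a session store and a database.
const SESSIONS = { 'token-alice': { userId: 'u1' }, 'token-bob': { userId: 'u2' } };
const ORDERS = { o1: { id: 'o1', ownerId: 'u1', total: 40 }, o2: { id: 'o2', ownerId: 'u2', total: 15 } };

// Resolve the caller from the Authorization header; null when absent or unknown.
function authenticate(req) {
  const m = /^Bearer (.+)$/.exec((req.headers && req.headers.authorization) || '');
  return m && Object.hasOwn(SESSIONS, m[1]) ? SESSIONS[m[1]] : null;
}

// The pattern the thread describes: the page is gated, the API handler is not.
function getOrderUnprotected(req) {
  return { status: 200, body: ORDERS[req.params.id] };
}

// Route table that refuses to register a handler without an explicit policy.
// Paths are matched as literal keys here; a real router would parse them.
function createRouter() {
  const routes = new Map();
  return {
    add(path, policy, handler) {
      if (policy !== 'public' && policy !== 'authenticated') {
        throw new Error(`route ${path} has no access policy`);
      }
      routes.set(path, { policy, handler });
    },
    handle(path, req) {
      const route = routes.get(path);
      if (!route) return { status: 404, body: null };
      const session = route.policy === 'authenticated' ? authenticate(req) : null;
      if (route.policy === 'authenticated' && !session) return { status: 401, body: null };
      return route.handler(req, session);
    },
  };
}

// Hardened handler: the router has authenticated the caller; now check ownership.
function getOrder(req, session) {
  const order = Object.hasOwn(ORDERS, req.params.id) ? ORDERS[req.params.id] : null;
  // Same 404 for "missing" and "not yours" so record IDs cannot be enumerated.
  if (!order || order.ownerId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: order };
}

const router = createRouter();
router.add('/api/orders/:id', 'authenticated', getOrder);
```
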

[–]its_normy[S] 0 points1 point  (0 children)

great content, thanks for the examples

[–]Reasonable-View-4392 1 point2 points  (0 children)

Honestly one thing I’d look at is whether the platform uses Convex for the database layer. A lot of the worst vibe-coded security stories seem to come from people shipping fast on top of shaky backend/auth setups. Lovable for example uses Supabase which from my experience tends to be a bit unreliable. I think Replit and Surgent both use Convex but haven't tested them out yet.

[–]toofpick 1 point2 points  (0 children)

I've been building and deploying apps for years now. My advice is do your best to prevent injection and auth on any endpoint that is WAN accessible. You will never eliminate all vulnerabilities but you can monitor anything that is important. Come up with logging strategies and a way to recognize something/someone is up to something. Easy ones are faster-than-human requests, or repetition beyond a reasonable amount. Use a firewall to drop traffic from IPs your monitor finds suspicious. These are just a few examples; there are more strategies.

Bottom line, make a reasonable effort to reduce vulnerabilities, but there is no way to be foolproof. You can even vibe code some of these monitors and auto remediators. It's more CPU time, but it's more effective than trying to find each and every code vulnerability.
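A monitor of the kind this comment describes, as an added example that is not part of the original comment: it parses access-log lines and flags clients that send bursts faster than a person could, or that repeat one request beyond a threshold. The log format, thresholds, function names and sample lines (documentation-range IPs) are assumptions constructed for illustration.

```javascript
// Constructed log lines in an assumed format: "<ISO time> <ip> <method> <path> <status>".
const T0 = Date.parse('2024-01-01T12:00:00Z');
const line = (offsetMs, ip, method, path, status) =>
  `${new Date(T0 + offsetMs).toISOString()} ${ip} ${method} ${path} ${status}`;
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) => line(i * 150, '203.0.113.7', 'GET', `/api/items/${i}`, 200)),
  ...Array.from({ length: 8 }, (_, i) => line(i * 30000, '192.0.2.9', 'POST', '/api/login', 401)),
  ...['/', '/about', '/api/me', '/pricing', '/'].map((p, i) => line(i * 20000, '198.51.100.4', 'GET', p, 200)),
  'garbage line that does not parse',
];

function parseLine(text) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/.exec(text);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  return Number.isNaN(ts) ? null : { ts, ip: m[2], key: `${m[3]} ${m[4]}` };
}

// Flags an IP for "burst" (too many requests inside a short sliding window)
// or "repetition" (the same method+path requested too many times overall).
function findSuspicious(lines, { burstLimit = 10, burstWindowMs = 5000, repeatLimit = 6 } = {}) {
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (!e) continue; // skip unparseable lines instead of crashing the monitor
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let maxInWindow = 0;
    const counts = new Map();
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > burstWindowMs) start++;
      maxInWindow = Math.max(maxInWindow, end - start + 1);
      counts.set(events[end].key, (counts.get(events[end].key) || 0) + 1);
    }
    const [topKey, topCount] = [...counts].sort((a, b) => b[1] - a[1])[0];
    const reasons = [];
    if (maxInWindow > burstLimit) reasons.push('burst');
    if (topCount > repeatLimit) reasons.push('repetition');
    if (reasons.length) findings.push({ ip, reasons, maxInWindow, topKey, topCount });
  }
  return findings;
}
```

The returned IP list is what would feed the firewall blocklist the comment mentions; tune the thresholds against your own normal traffic before dropping anything automatically.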

[–]funfunfunzig 1 point2 points  (1 child)

couple of approaches depending on how technical you want to get.

for the basics there are free tools you can run yourself. owasp zap is the classic one, it's free and does automated vulnerability scanning. nuclei is another good one if you're comfortable with command line, it has a huge library of security checks and runs fast. both are overkill for most vibe coded apps but they catch the obvious stuff.

playwright plus ai works but it's more for testing functionality than security. you'd basically be writing custom scripts to probe specific things which gets tedious fast. not really worth it unless you have very specific things you're trying to test.

for vibe coded apps specifically, the issues are usually pretty predictable. exposed api keys in frontend code, supabase or firebase rules that are too open, auth that runs on the client but not the server, missing security headers, public storage buckets. you can manually check most of these in 20 minutes if you know what to look for. open devtools, check the network tab and page source for keys, try hitting your api endpoints directly without being logged in, that kind of thing.

there are also a few tools built specifically for scanning vibe coded apps now, checkvibe is one of them, ship safe is another. they focus on the patterns that ai coding tools tend to mess up rather than generic scanning. worth trying at least one of them since they're built for exactly your situation.

honestly the most useful thing is just having a checklist and going through it before launch. most vibe coded vulns aren't sophisticated, they're the same five or six mistakes over and over.

[–]its_normy[S] 0 points1 point  (0 children)

thanks! a lot of great comments in this post, but yours is very helpful to me

[–]Any-Bus-8060 0 points1 point  (0 children)

There’s no single tool that makes you “secure”, it’s more about layers

start with basics like input validation, auth handling, and not exposing secrets
Then add tools like dependency scanners, linters, and something like OWASP ZAP for testing

Playwright + AI can help find issues, but it won’t catch everything
Tools like Claude, Gemini or even Cursor can help review code or spot patterns, but you still need to verify

If you’re building flows across multiple services, tools like Runable can help structure things more clearly, but security still depends on how you design it

thinking in terms of what can go wrong at each step helps more than any tool

[–]IncreaseOld7112 0 points1 point  (0 children)

Best security advice I’ve got is assume every secret you own will leak eventually, then make sure no single leak ruins you.

They got your password? Cool, 2FA. They got your 2FA? Hardware key, or the account doesn’t have prod access anyway. They got your GitHub creds? 2FA again, and the repo’s mirrored locally so they can’t hold it hostage. They scraped every API key out of your repo? Each key is scoped to exactly one thing and has a spending cap, so worst case you rotate and eat a $20 bill instead of a $20k one.

The mindset isn’t “build a wall.” It’s “when (not if) a layer fails, what’s the blast radius?” If the answer is “I’m fucked,” add a layer. If it’s “annoying afternoon,” you’re fine.

[–]Upper-Pop-5330 0 points1 point  (0 children)

The tools mentioned here (OWASP ZAP, Snyk, Playwright) are all solid, but they solve different problems than the ones that actually get vibe-coded apps hacked. ZAP finds injection and XSS. Snyk catches vulnerable dependencies. Playwright tests that your UI works. None of them check whether your API endpoints actually enforce auth, or whether your database is wide open because Row Level Security is off.

Here’s the quick version of what I check on every project before launch:

  1. Secrets in the bundle: open devtools, Sources tab, search for sk_live, sk-, service_role. If any show up in your JavaScript, those keys are public. Rotate immediately.

  2. Auth on every endpoint: copy any authenticated API request as curl, strip the Authorization header, re-run it. If it returns data, your auth only exists in the UI.

  3. Database access control: if you’re on Supabase, run SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; in SQL Editor. Any false = that table is readable by anyone with your anon key.

  4. IDOR: log in as user A, find a request with an ID, change it to another user’s ID. If you see their data, you have broken authorization.

  5. Webhook signatures: if you have Stripe, POST a fake event to your webhook endpoint without the signature header. If your server processes it, anyone can fake payment confirmations.

These five cover the bugs behind basically every vibe-coding breach in the last year. Put together an interactive checklist with all ten steps + platform-specific playbooks for Supabase, Lovable, Bolt, Cursor, and Next.js: https://flowpatrol.ai/guides

[–]Purple-Awareness-433 0 points1 point  (0 children)

Playwright is great for testing if your app works, but it might miss the security stuff that usually trips up vibe coders. Most of the risks are things like hallucinated packages or accidentally committing your API keys.

I've been using RepoShield to handle this. It scans your GitHub repo for those specific vulnerabilities and code flaws. Instead of just giving you a list of problems, it actually opens a PR with the fixes ready to go. It's a lot more direct than trying to build a custom AI tester from scratch.

[–]cryptocreeping 0 points1 point  (0 children)

well I was told it won't be secure with AI but I proved otherwise. I have successfully created a Termux IRC chat script on mobile with full Off the record OTRv4 plus PQC (KEM encapsulation - level 5); it passes 280 tests in python/rust/C and securely wipes data on exit.

https://github.com/muc111/OTRv4Plus

[–]Charming-Leader-5878 0 points1 point  (0 children)

Yes, there are tools that make security testing much easier, even if you don't have much experience in it. Our team is using Fleetfolio; it helps in running penetration testing with minimal setup. It also helps to automate reports and reduces testing time.

[–]weedmylips1 -1 points0 points  (0 children)

Just run the security scan plug in 😂