Is My Site Hackable?
The vibe-coding security blog
Plain-English security guides for apps built with Lovable, Bolt, Cursor, v0, and Replit — RLS, exposed API keys, Firebase rules, and the real breaches, without the false alarms. We don't cry wolf: your Supabase anon key and Firebase config are public by design — we focus on what actually leaks.
Supabase Security
View all →Supabase is the default backend for most vibe-coded apps, so its security is the whole game. RLS, the anon vs service_role keys, storage buckets — what actually leaks, and what only looks scary.
Supabase Security for AI-Built Apps: The Complete Guide
A plain-English guide to Supabase security for AI-built apps. Learn the real risks — RLS, service keys, storage buckets — and how to check your own app today.
CVE-2025-48757 Explained: How 170 Apps Leaked Through One Missing Policy
CVE-2025-48757 explained for non-developers: how 170 Lovable-built apps leaked real data through missing Supabase RLS — and how to check if yours did too.
Is My Supabase Exposed? Check It in 5 Minutes
Worried your Supabase data is exposed? Run this 5-minute self-audit: check RLS on every table, query your endpoints as a stranger, and spot USING(true) policies.
service_role vs anon Key: Which One Actually Ends Your Company
service_role vs anon key in Supabase: the anon key is safe in the browser, but a leaked service_role key bypasses all RLS. How to tell them apart and what to do.
Supabase RLS Explained: It's a WHERE Clause on Every Query
Supabase RLS in plain English: it's a WHERE clause your database adds to every query. Learn how Row Level Security works, why AI tools skip it, and how to check yours.
Supabase Storage Buckets: The Public-by-Default Mistake
Supabase storage security in plain English: how public buckets expose user photos, IDs, and receipts, how storage RLS works, and how to check your buckets.
Testing RLS the Right Way: anon, owner, and other-user
Learn how to test Supabase RLS for real using three personas — anon, owner, and other-user — with copy-paste curl and supabase-js examples. See a pass vs a leak.
The USING(true) Trap: RLS That Passes the Scan but Leaks Everything
One of the worst Supabase RLS mistakes: a USING(true) policy looks enabled but leaks every row. Learn why AI tools generate it and how to rewrite it safely.
Vibe Coding Security
View all →The big picture: why AI builders optimize for “it works” over “it’s secure,” what the research and the breaches show, and the checklist to ship without leaving the door open.
Vibe Coding Security: The Complete Guide
Vibe coding security, explained for non-developers. Why AI-built apps ship with leaks, the main risk classes, and how to check your own app in minutes.
45% of AI-Generated Code Ships With a Vulnerability: The Research
AI generated code security, by the numbers. Four studies — Veracode, Carnegie Mellon, Escape.tech, Tenzai — on how often AI code ships with a vulnerability.
DAST vs SAST for AI-Generated Apps (and Why Deployed-App Scanning Wins)
DAST vs SAST for AI-built apps: a security scanner for AI code should test the deployed app, not just read source. Here's why deployed-app scanning catches more.
Is Your Vibe-Coded App Leaking Data? The 7 Gaps in Every AI-Built App
Worried your vibe-coded app is leaking data? Here are the 7 security gaps that show up in nearly every AI-built app — and how to check each one yourself.
The Pre-Launch Security Checklist for Vibe-Coded Apps
A vibe coding security checklist for non-developers: the database, secrets, storage, auth, and header checks to run before you ship your AI-built app. Print and go.
The Vibe-Coding Breach Timeline: Enrichlead, Tea, Base44, Moltbook
A timeline of the biggest vibe coding breaches — Enrichlead, Tea, Base44, Moltbook. What happened, the real root cause, and the lesson behind each AI app breach.
Why AI Optimizes for 'It Works,' Not 'It's Secure'
Why is AI code insecure? Because models optimize for code that runs and demos well, not code that's safe. The mechanism behind AI code security problems, explained.
Exposed Secrets
View all →API keys in frontend code. Which ones are a real emergency (sk_live, service_role), which are public by design (pk_live, anon), and how to find, rotate, and stop leaking the dangerous ones.
Exposed Secrets and API Keys in Frontend Code: The Complete Guide
An exposed API key in your frontend isn't always an emergency. Learn which keys are public by design, which are real leaks, and how to find and rotate the dangerous ones.
A Key Just Leaked — Rotate, Audit, Monitor (in That Order)
A secret key leaked? Here's the incident runbook: confirm it's actually secret, rotate it, audit for abuse, then monitor — because keys re-leak on the next deploy.
An Exposed OpenAI or Anthropic Key Is Someone Else's Bill on Your Card
An exposed OpenAI or Anthropic API key means strangers run up your bill and can reach your data. Learn where these keys belong, how to check yours, and how to fix it.
Did I Leak My Stripe Key? pk_live vs sk_live Explained
Found your Stripe key in your frontend? Whether it's an emergency depends on one letter. Learn pk_live vs sk_live and exactly what to do if you leaked the secret one.
How Attackers Extract Secrets From JS Bundles
An API key in your JavaScript can be pulled in minutes with no special tools. See exactly how attackers find secrets in a JS bundle — and run the same check on yourself.
Your Source Maps Are Publishing Your Source Code
Source map exposure can republish your entire codebase — comments, logic, and secrets — to anyone. Learn how to find leaked source maps and disable them in production.
Firebase Security
View all →Your Firebase web config is public by design — that is not the leak. The real risks are permissive Security Rules and open storage buckets. Here’s how to tell yours apart and lock them down.
Firebase Security for AI-Built Apps: The Complete Guide
Firebase security rules in plain English for vibe-coded apps. Your API key is public by design — learn what's actually secret and how to secure Firebase.
Firebase Security Rules: 12 Mistakes AI Tools Make
The 12 Firebase Security Rules mistakes AI builders ship — from allow read, write: if true to leftover test-mode rules — each with a quick before/after fix.
Firebase vs Supabase: A Security Comparison
Firebase vs Supabase security, compared evenly. Both ship a public client key — the real risk is the rules layer. See how each protects you and how each leaks.
Open Storage Buckets: The #1 Firebase Leak
Firebase Storage security is where the worst leaks happen. Learn how open buckets exposed 72,000 IDs, how to write owner-scoped rules, and how to check yours.
The Tea App Breach: How a Firebase Bucket Exposed 72,000 IDs
The Tea app breach explained: an unsecured Firebase Storage bucket exposed ~72,000 images, including ID photos. The root cause and how to check your buckets.
Your Firebase Web Config Is Public by Design — Here's What to Actually Secure
Is your Firebase API key safe to expose? Yes — the web config is public by design. Here's what it does, why rotating it is pointless, and what to actually lock down.
Platform Guides
View all →Is your AI builder safe to ship with? A clear, per-platform security rundown — Lovable, Bolt, Cursor, v0, Replit, Base44, and more — with the real incident behind each and a pre-launch checklist.
Is Base44 Safe? Security Risks and the Checklist Before You Ship
Is Base44 safe? Yes — but a real auth-bypass flaw hit it in 2025. Learn the actual risks of Base44 apps and the checklist to run before you ship.
Is Bolt Safe? Security Risks and the Checklist Before You Ship
Is Bolt safe to ship a real app on? The builder is fine — its Supabase defaults can leak data. The RLS risks, exposed-key traps, and a pre-ship checklist.
Is Claude Code Safe? Security Risks and the Checklist Before You Ship
Is Claude Code safe? The tool is fine — the risk is the code AI ships. See the research, the real risks in Claude Code apps, and the checklist before you ship.
Is Cursor Safe? Security Risks and the Checklist Before You Ship
Is Cursor safe to ship a real app on? The editor is fine — the code it generates can ship vulnerable. The Enrichlead story, the SSRF research, and a checklist.
Is Figma Make Safe? Security Risks and the Checklist Before You Ship
Is Figma Make safe? The tool is fine — the risk is the code AI generates. See the real risks in Figma Make apps and the checklist to run before you ship.
Is Lovable Safe? Security Risks and the Checklist Before You Ship
Is Lovable safe to ship a real app on? Yes — but its Supabase defaults can leak data. The RLS risks, the CVE-2025-48757 facts, and a pre-ship checklist.
Is Replit Safe? Security Risks and the Checklist Before You Ship
Is Replit safe to ship a real app on? The platform is fine — its AI agents and Supabase defaults carry real risks. RLS, secrets, agent access, and a checklist.
Is v0 Safe? Security Risks and the Checklist Before You Ship
Is v0 safe to ship a real app on? The Vercel tool is fine — the Supabase backend it wires up can leak data. The RLS risks, exposed keys, and a checklist.
Is Windsurf Safe? Security Risks and the Checklist Before You Ship
Is Windsurf safe? The tool is fine — the risk is the code AI generates. See the real risks in Windsurf apps and the checklist to run before you ship.