Is Figma Make Safe? Security Risks and the Checklist Before You Ship
Is Figma Make safe? The tool is fine — the risk is the code AI generates. See the real risks in Figma Make apps and the checklist to run before you ship.
You built something with Figma Make, the newer AI app builder, and now there's a question you can't shake before you launch: is Figma Make safe to ship from? Maybe you read that AI-built apps tend to leak data. Maybe this is your first real product and you're being careful. You're not a security engineer — you want to know whether the app you're about to release will keep your users' data where it belongs.
Let's be honest and fair up front. Figma Make is relatively new, and public incident data on it is limited — there's no specific security event in the record we work from, and we won't invent one. The risks that actually matter aren't about Figma Make as a tool. They're the shared risks of all AI-generated apps: AI is great at making software that works and weaker at making it secure by default.
This post covers those shared risks, what the research found about AI codegen as a category, and a concrete checklist to run before you ship your Figma Make app.
⚡ TL;DR
- Figma Make is safe to use — it's a newer AI app builder, public incident data is limited, and there's no specific event to point to. The risks are the shared classes for all AI-generated apps.
- Research across the field is consistent: a large share of AI-generated code ships with a security gap, and even the strongest AI agent tested passed only about 10.5% of security checks.
- The risks to check are the usual ones — data exposure if a database is wired up, secret keys in the frontend, and missing security headers — all findable before launch.
Is Figma Make safe? The short answer
Figma Make is an AI app builder, and using it does not make your app insecure. The honest framing: the risk lives in the code that gets generated, not in the tool that generates it.
It's the same story for every AI builder. The tool optimizes for the goal you give it, and that goal is almost always "make this work." An app where every user can read every record works perfectly in a preview. A page that ships without protective headers works in a preview. The security gap is invisible there — it shows up only when someone tests the parts of your app you never clicked.
So "is Figma Make safe" is really "is the app Figma Make built safe to expose to the public." Because there's no Figma Make-specific incident to study, the most useful thing we can do is walk you through the category risks — the ones research has documented across the whole field — and how to check each one in your app.
What the research says about AI-generated apps
With no Figma Make-specific event to learn from, here's the category evidence. Read it as evidence about AI codegen broadly, not about Figma Make specifically.
Nearly half of AI-generated code fails a security test. Veracode's 2025 analysis covered over 100 models across 80 coding tasks and found 45% of generated code samples failed security tests or introduced an OWASP Top 10 vulnerability. Veracode's blunt summary: these models "make the wrong choices nearly half the time, and it's not improving." (Full breakdown: 45% of AI-generated code ships with a vulnerability.)
Even the strongest tested agent shipped insecure code most of the time. Carnegie Mellon's SusVibes benchmark scored AI coding agents on both functionality and security. The best combination tested reached 61% functional pass but only a 10.5% security pass — meaning over 80% of solutions that worked still carried a vulnerability. The lesson isn't "this agent is weak." It was the strongest combination tested, and it still shipped insecure code. "It works" and "it's secure" are different bars, and AI clears the first far more reliably than the second.
None of this is a reason to avoid Figma Make. It's a reason to check the output — because the gaps are predictable, and predictable means you know where to look.
The real risks when you build with Figma Make
Here are the specific gaps to check in a Figma Make app. None are unique to Figma Make; all are the documented failure modes of AI-generated apps.
Data exposure if a database is wired up. If your app stores user data, the key question is whether each user can only see their own rows. The control is RLS (Row Level Security): a rule the database applies to every query so it returns only the rows a given user is allowed to see. AI tends to connect the database so the feature works and skip the policies that restrict access. A table with RLS off, or a policy set to "allow everyone," returns every record to anyone. This is the most common way AI-built apps leak. If your Figma Make app doesn't store user data at all, this risk is smaller — but confirm it rather than assume. (Deep dive: Supabase security for AI-built apps, and the broader pattern in the 7 gaps in every AI-built app.)
Secret keys in the frontend. If your app calls a paid service — an AI model, email, payments — those calls use keys. Some keys are public by design and meant to ship in the browser. Others are secret and must stay on the server. AI sometimes pastes a secret key into frontend code to make a call work. A secret key in your shipped JavaScript can be extracted by anyone and used to run up your bill. Know which is which: exposed secrets and API keys in frontend code.
Missing security headers. Across the field, AI-generated apps tend to ship without standard security response headers — short instructions your server sends to harden the browser against common attacks. They're not added by default, they're a quiet risk (invisible until exploited), and they're addable. A free headers checker against your live URL tells you in seconds whether yours are present.
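The secret-key search and the headers check from the two sections above, written as runnable functions. This is an added example, not Figma Make's or this post's code; the sample bundle text, the header set and the key prefixes it matches are constructed assumptions, so adapt the patterns to the services your app actually calls.

```javascript
// Added example, not Figma Make's or the post's code: two of the pre-launch
// checks as functions. Sample bundle text and headers below are constructed.

// Patterns that must not appear in shipped frontend code. The prefixes are
// assumptions about common key formats; extend them for the services you use.
const SECRET_PATTERNS = [
  { kind: 'sk_-style secret key', re: /\bsk_[A-Za-z0-9_]{8,}/g },
  { kind: '"secret" assigned near a service name', re: /\b\w*secret\w*\s*[:=]\s*["'][^"']{8,}["']/gi },
];

// Scan bundle text line by line; returns one finding per match.
// Publishable keys (pk_-style) are meant to ship in the browser and are not matched.
function findSecretKeys(bundleText) {
  const findings = [];
  bundleText.split('\n').forEach((line, i) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // reset the /g cursor between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: i + 1, kind, sample: m[0].slice(0, 10) + '...' });
      }
    }
  });
  return findings;
}

// Response headers the post calls "standard security headers".
// Header names are case-insensitive, so compare in lower case.
const REQUIRED_HEADERS = ['content-security-policy', 'strict-transport-security',
  'x-content-type-options', 'x-frame-options', 'referrer-policy'];

function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return REQUIRED_HEADERS.filter((h) => !present.has(h));
}

// Constructed sample input: one publishable key (fine), one secret key and
// one "secret" assignment (both findings); headers as returned by a live URL.
const SAMPLE_BUNDLE = [
  'const supabase = createClient(URL, "pk_test_constructed0001");',
  'const stripe = new Stripe("sk_live_constructedSample001");',
  'const OPENAI_SECRET = "constructed-sample-value-1";',
].join('\n');
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'Strict-Transport-Security': 'max-age=63072000' };

console.log(findSecretKeys(SAMPLE_BUNDLE));
console.log('missing headers:', missingSecurityHeaders(SAMPLE_HEADERS));
```

For a real check, paste the text of each shipped JavaScript file into `findSecretKeys` and the response headers from your live URL into `missingSecurityHeaders`.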
How to check your Figma Make app
You can catch most of these yourself before launch. An afternoon is enough.
- Test as a second user. If your app has accounts, create two. As user A, note a record's ID. As user B, try to open it directly. If it loads, your access rules aren't restricting rows.
- Search your shipped code for secret keys. Open your live app, open browser developer tools, and look through the Sources and Network tabs for prefixes like `sk_` or the word `secret` near a service name. A secret key in the frontend is an emergency; a publishable one is usually fine.
- Run a security-headers check. Use any free headers checker, or your browser's Network tab, against your live URL. Missing protective headers are worth fixing.
- Confirm what data is actually exposed. Watch the network requests your app makes. If you can alter a request and pull back data that isn't yours, your access rules aren't holding.
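The second-user and altered-request steps above as one automated check. This is an added example, not Figma Make's or this post's code; the records, the two users and the two handler functions are constructed to model an app's API in memory so it runs offline, and the restricted handler is the application-side twin of the RLS rule described in the data-exposure section.

```javascript
// Added example, not Figma Make's or the post's code: the "test as a second
// user" step automated against an in-memory model of an app's API, so it runs
// offline. Records and users below are constructed.
const DB = [
  { id: 'rec_1', owner: 'userA', note: 'A private' },
  { id: 'rec_2', owner: 'userA', note: 'A private 2' },
  { id: 'rec_3', owner: 'userB', note: 'B private' },
];

// The handler AI commonly generates: looks a record up by id only, so any
// signed-in user who supplies another user's id gets the row.
function leakyGetRecord(userId, recordId) {
  return DB.find((r) => r.id === recordId) || null;
}

// The fixed handler: the lookup also filters by the requesting user. This is
// what the RLS rule "users see only their own rows" does on the database side.
function restrictedGetRecord(userId, recordId) {
  return DB.find((r) => r.id === recordId && r.owner === userId) || null;
}

// Second-user test: user A lists their record ids, user B requests each one
// directly. Every record B can open is a leak. Also confirms A still sees
// their own data, so a handler that returns null for everyone does not pass.
function secondUserTest(getRecord, userA, userB) {
  const ids = DB.filter((r) => r.owner === userA).map((r) => r.id);
  const leaked = ids.filter((id) => getRecord(userB, id) !== null);
  const ownAccessOk = ids.every((id) => getRecord(userA, id) !== null);
  return { passed: ownAccessOk && leaked.length === 0, leaked };
}

// Against a live app, replace getRecord with a function that sends the request
// with each user's session and returns null on a 403, 404 or empty response.
console.log('leaky     :', secondUserTest(leakyGetRecord, 'userA', 'userB'));
console.log('restricted:', secondUserTest(restrictedGetRecord, 'userA', 'userB'));
```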
The pre-ship checklist for Figma Make
Run this before real users — or real data — touch your app.
- Data access is restricted. If a database is connected, every table of user data enforces "users see only their own rows," not "allow everyone."
- No secret keys in the frontend. Shipped JavaScript contains no `sk_`-style or otherwise secret keys.
- Second-user test passes. If the app has accounts, a second user cannot read or change the first user's data by altering an ID.
- Security headers are present on your live URL.
- Exposed data confirmed. You've replayed at least one altered request and confirmed it returns nothing it shouldn't.
- Re-checked after every change. Each new feature gets these checks again, because new code can open new holes.
FAQ
Is Figma Make safe to use for a real product?
Yes. Figma Make is a newer AI app builder, and while public incident data on it is limited, that's not a red flag — the realistic risks are the shared classes affecting all AI-generated apps: data exposure, exposed secrets, and missing security headers. Build with it, then check the output against the checklist above before launch.
Has Figma Make had a security breach?
There's no specific security incident for Figma Make in the record we rely on, and we won't claim one that doesn't exist. The documented risks are about AI codegen as a category — research found roughly 45% of AI-generated code fails a security test, and even the strongest agent tested passed only about 10.5% of security checks. That's why you check your own app regardless of which tool built it.
Does Figma Make secure my app's data automatically?
Not necessarily. If your app stores user data, the access rules that decide who can read what are generated from your prompts and are yours to verify. The most reliable check is testing as a second user and confirming you can't reach the first user's data. Don't assume it's handled — confirm it.
The bottom line
Figma Make is safe to use, and the limited public incident data isn't a warning sign — it's a newer tool. The real risks are the shared ones for every AI-built app: data exposure if a database is connected, secret keys in the frontend, and missing security headers. An attacker can find those gaps in minutes by testing the parts of your app you never clicked. Find them first, and keep checking, because your AI ships new code (and new holes) on every deploy.
Find your gaps before an attacker does.
Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.