VIBE CODING

You Vibe-Coded Your App. Did You Vibe-Test Its Security?

You described it. AI built it. You deployed it. But nobody asked: is it secure?

People are signing up. They're entering emails, passwords, payment info. And you've never tested whether any of that is actually protected. Here's a 5-minute test.

Nobody taught you this. Security isn't part of the vibe coding loop. Cursor doesn't add security headers. Lovable doesn't enable RLS by default. Bolt doesn't set up rate limiting. Claude Code leaves test keys in source files. v0 ships unauthenticated API routes. The tools optimize for "does it work," not "is it safe."

So let me introduce vibe testing — a 5-minute security check you run after every deploy. Five steps, all manual, all free. Takes less time than the coffee break you took while your app was building.

Step 1: Check Your JS Bundle for Secrets

Open your deployed app in Chrome. Press F12 to open DevTools. Go to the Sources tab. Press Ctrl+Shift+F to search across all files. Search for these strings one at a time:

sk_live_          — Stripe secret key (can charge your customers)
sk_test_          — Stripe test key (still exposes account info)
sk-               — OpenAI API key (racks up your bill)
AKIA              — AWS access key (can spin up resources)
-----BEGIN        — Private key (full access to whatever it unlocks)
postgres://       — Database connection string (direct DB access)
service_role      — Supabase service role key (bypasses all RLS)

If you find any of these, that key is compromised. Move it server-side and rotate it immediately. This is the single most common vulnerability in vibe-coded apps. See also: Cursor key leak guide.

Step 2: Hit Your API Routes Without Auth

Open a terminal and try to access your API endpoints with no authentication token. You're looking for routes that return data when they should return 401.

# Replace with your actual API routes
curl https://yourapp.com/api/users
curl https://yourapp.com/api/settings
curl https://yourapp.com/api/admin
curl https://yourapp.com/api/data

# Good response: {"error":"Unauthorized"} with status 401
# Bad response: actual data (user list, settings, anything)

Check every API route your app has. If you aren't sure what routes exist, look at your source code for files under /api/ or /app/api/.

Don't want to do this manually? vibeAudit runs all 5 checks (plus 30 more) in 30 seconds. Free, no signup.

Step 3: Check Database Permissions

If you use Supabase, run this query in the SQL Editor to check if RLS is enabled on all your tables:

-- Supabase: check RLS status on all tables (run in the SQL Editor)
SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
-- Every row should show rowsecurity = true

# Firebase Realtime Database: check your rules in the console, or test directly from a terminal:
curl https://YOUR-PROJECT.firebaseio.com/.json
# If this returns data, your database is wide open

Any table with rowsecurity = false is readable by anyone with your anon key. And your anon key is in your JavaScript bundle. Fix it before you do anything else. See also: Full RLS guide.

Step 4: Look at Your Response Headers

Security headers tell browsers how to protect your users. Without them, XSS attacks are easier, clickjacking works, and your site can be embedded in malicious iframes.

# Check what headers your app returns
curl -I https://yourapp.com

# Look for these headers in the response:
# Content-Security-Policy    — controls what scripts can run
# X-Content-Type-Options     — should be "nosniff"
# X-Frame-Options            — should be "DENY" or "SAMEORIGIN"
# Strict-Transport-Security  — forces HTTPS

# If any are missing, add them in your middleware or next.config.js

Missing all four? That's normal for vibe-coded apps. But it needs to be fixed. Each missing header is an attack vector. See also: Full security checklist.

Step 5: Test for Basic XSS

Find every input field in your app — search bars, comment boxes, profile forms, anything that accepts text. Type this into each one:

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)

If an alert box pops up, your app has a cross-site scripting vulnerability. An attacker can use this to steal session tokens, redirect users to phishing pages, or modify what your app displays. The fix depends on your framework, but the short version: sanitize all user input and escape HTML output.

Or Skip the Manual Work

That's five checks. Five minutes if you're fast, maybe ten if you're thorough. But you have to remember to do it after every deploy. And there are at least 30 more checks you aren't running — CORS misconfigurations, open redirects, exposed .env files, SQL injection, insecure cookies.

vibeAudit runs all 5 of these checks plus 30 more. In 30 seconds. Free. No signup. Paste your URL and get a security score with specific findings and fix instructions.

FAQ

Q: What is vibe testing?

Vibe testing is a 5-minute security check you run after every deploy of a vibe-coded app. It covers the most common vulnerabilities AI tools introduce.

Q: Can I test my app's security without tools?

Yes. The 5 checks in this guide use only your browser DevTools and terminal. But automated scanners catch 30+ additional issues.

People are entering passwords into your app right now. Do you know if it's safe? Paste your URL into vibeAudit — five checks plus 30 more, 30 seconds, free. Read-only scan, your app is never modified.

Is your app vulnerable?

Scan your app for free — read-only, no signup, ~30 seconds. vibeAudit runs the tests this post describes.
