Last summer I started messing around with Cursor, Bolt, Lovable - the usual suspects. Built a few small projects. Shipped fast. Felt great.
Then my day job brain kicked in. I'm a security engineer. So I started poking at my own apps.
Not great.
Then I started looking at other vibe-coded apps. Worse.
The same issues kept showing up:
Missing Supabase RLS policies - This one's everywhere. Your database is basically public. Anyone with the Supabase URL can read/write whatever they want.
Weak or missing HTTP security headers - No CSP, no X-Frame-Options, nothing. Low-hanging fruit for attackers.
No rate limiting - Your login page will happily accept 10,000 password attempts per second.
Weak password policies - "password123" is perfectly acceptable.
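As an added example (not from the post or the scanner it describes), here is what the missing-RLS item looks like in SQL for a hypothetical Supabase `profiles` table: the exposed state, the policies that close it, and a query that lists any public table still exposed.

```sql
-- Constructed example: a "profiles" table as a vibe-coded app might create it
-- from the SQL editor. Supabase's API runs as the "anon" or "authenticated"
-- role, and both hold grants on tables in the public schema by default, so
-- until RLS is enabled every row is readable and writable by any client that
-- has the project URL and the (public) anon key.
create table public.profiles (
  id uuid primary key references auth.users (id) on delete cascade,
  email text not null,
  display_name text
);

-- Hardened state: enable RLS and allow only what the app actually needs.
-- With RLS on and no matching policy, a request gets an empty result set,
-- not an error, so the app should be tested signed out as well as signed in.
alter table public.profiles enable row level security;

-- Signed-in users can read their own row only (auth.uid() is Supabase's
-- helper returning the caller's user id from the JWT).
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using ((select auth.uid()) = id);

-- Inserts must carry the caller's own id.
create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check ((select auth.uid()) = id);

-- Updates are limited to the caller's own row, and the id cannot be changed
-- to someone else's (USING filters the target row, WITH CHECK the new row).
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- Check: any ordinary table in the public schema with RLS still disabled
-- is reachable in full through the API.
select n.nspname as schema, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

The check query should return no rows once every public table is covered; a table that legitimately needs anonymous reads gets an explicit `for select to anon` policy rather than RLS left off.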
AI tools are incredible at building features fast. They're not great at thinking about who might try to break those features.
So I built a scanner specifically for this.
It's an external scan - just paste your URL and it runs. The core scan takes about 5 minutes and is free. Full results are $5.
I optimized it for the specific patterns and mistakes AI-generated code tends to make. It's not a generic "enterprise security audit" - it's built for people who shipped something with Bolt last weekend and want to know if it's leaking data.
Would love feedback from this community. What security stuff are you worried about with your vibe-coded projects? What would you want a tool like this to check for?