I've been building VibeSafe, a security scanner specifically for AI-generated code, so I decided to put it to work on real apps.
I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.
The results are worse than I expected.
Executive Summary
5 out of 5 apps had security issues. Zero had a Content Security Policy. 33 total findings.
| Severity | Count |
|---|---|
| 🔴 CRITICAL | 6 |
| 🟠 HIGH | 9 |
| 🟡 MEDIUM | 18 |
| TOTAL | 33 |
1. NewMom.help - Bolt + Supabase
Built by a non-technical founder. Maternal health platform. 1M+ impressions at launch.
🔴 CRITICAL - VibeSafe verdict: "Your app is leaking data"
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL | .env and .env.local publicly accessible; anyone can grab credentials |
| 🔴 Source Control | FAIL | /.git/ exposed; full repo history downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing; zero XSS protection |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing; SSL downgrade possible |
| 🟡 X-Frame-Options | FAIL | Missing; clickjacking vulnerability |
| 🟡 X-Content-Type-Options | FAIL | Missing; MIME-sniffing attacks possible |
| 🟡 Referrer-Policy | FAIL | Missing; referrer leakage |
| 🟡 Auth Rate Limiting | WARN | /api/auth/login detected; no rate limiting |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
2. Disko.is - Replit + React
SMS loyalty platform with member data. Built by a solo founder in Iceland.
🔴 CRITICAL - Same pattern as NewMom
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL | .env and .env.local publicly accessible |
| 🔴 Source Control | FAIL | /.git/ exposed; full repo downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing |
| 🟡 X-Frame-Options | FAIL | Missing; clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing |
| 🟡 Referrer-Policy | FAIL | Missing |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without protection |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
3. AltCloud.dev - Lovable + Bolt + Supabase
Built by an experienced CTO. SaaS platform.
🔴 CRITICAL - Git history and server internals exposed
| Category | Status | Detail |
|---|---|---|
| 🔴 Source Control | FAIL | /.git/ exposed; full repo leaked |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 Server Internals | FAIL | __pycache__/ directory exposed publicly |
| 🟡 X-Frame-Options | FAIL | Missing; clickjackable |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without rate limiting |
Notable: This was the only app that handled environment variables properly in source code (no committed .env files). But the live site was leaking git history and Python cache directories.
7 issues found (2 critical, 2 high, 2 medium, 1 low)
4. SleepingBaby.info - Cursor + Next.js + MongoDB
Parenting app by a solo developer. Entire app built in 450 tokens.
🟠 HIGH RISK - Best of the bunch, but still gaps
| Category | Status | Detail |
|---|---|---|
| ✅ SSL/TLS | PASS | Valid certificate |
| ✅ .env Files | PASS | No exposed environment files |
| ✅ .git Directory | PASS | Not exposed |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing; zero XSS protection |
| 🟡 X-Frame-Options | FAIL | Missing; clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing; MIME-sniffing risk |
| 🟡 Auth Rate Limiting | FAIL | /api/auth/signin; no rate limiting, brute-force possible |
6 issues found (0 critical, 1 high, 3 medium, 2 low)
5. RemedyHunt.com - Bolt + Supabase + Netlify
Live product on Netlify. Built by a non-technical founder.
🔴 CRITICAL - SSL certificate invalid, browser blocks the site
| Category | Status | Detail |
|---|---|---|
| 🔴 SSL/TLS | FAIL | Certificate is INVALID (certificate verify failed). Browsers show a security warning |
| 🟡 Accessibility | FAIL | Could not check headers; no valid HTTPS connection |
2 issues found (1 critical, 0 high, 1 medium)
The Common Thread
| Issue | Apps Affected |
|---|---|
| ❌ No Content Security Policy (XSS protection) | 5/5 (100%) |
| ❌ No X-Frame-Options (clickjacking) | 5/5 (100%) |
| ❌ No X-Content-Type-Options (MIME sniffing) | 4/5 (80%) |
| ❌ No Referrer-Policy (referrer leakage) | 4/5 (80%) |
| ❌ Auth endpoint without rate limiting | 4/5 (80%) |
| ❌ No or weak HSTS (SSL downgrade) | 3/5 (60%) |
| ❌ .env or .git/ exposed publicly | 3/5 (60%) |
| ❌ No valid SSL certificate | 1/5 (20%) |
The Good News
Not all vibe-coded apps are insecure. The source code scan found some bright spots:
| Project | Stack | Issues | Notes |
|---|---|---|---|
| Obertura | Vite + TypeScript (chess app) | 0 | ✅ Clean scan. Earned the trust badge |
| Autobot | Node.js CLI + Playwright | 0 | ✅ Clean scan |
| Interior Planner | Next.js + Drizzle + Vercel Blob | 10 | Had proper auth system, env vars, .env.example. Issues were missing route auth; fixable in an afternoon |
Some builders do think about security. But the majority ship fast and find out later.
The Fix
| Problem | Fix | Time |
|---|---|---|
| No CSP | Content-Security-Policy: default-src 'self' | 1 minute |
| No X-Frame-Options | X-Frame-Options: DENY | 1 minute |
| No HSTS | Strict-Transport-Security: max-age=31536000 | 1 minute |
| Exposed .env | Add .env to .gitignore, block at host level | 1 minute |
| Exposed .git | Block /.git/ in hosting config | 1 minute |
| No rate limiting | Add middleware (express-rate-limit, @upstash/ratelimit) | 10 minutes |
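The fixes in the table, as an added example that is not the post's or VibeSafe's code: a framework-agnostic Node wrapper that sets the listed headers, refuses dotfile and cache paths, and rate-limits the auth routes. The limiter budget (5 attempts per 15 minutes), the X-Content-Type-Options and Referrer-Policy values, and answering blocked paths with 404 are assumptions.

```javascript
// Added example (not VibeSafe's code): apply the fix table in one handler wrapper.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000', // send on the HTTPS origin only
  'X-Content-Type-Options': 'nosniff',                 // assumed value
  'Referrer-Policy': 'strict-origin-when-cross-origin', // assumed value
};

// Dotfiles and dot-directories (/.env, /.env.local, /.git/...) and Python
// bytecode caches must never be served. Malformed percent-escapes are refused too.
function isBlockedPath(pathname) {
  let p;
  try { p = decodeURIComponent(pathname); } catch { return true; }
  return p.split('/').some((seg) => seg.startsWith('.') || seg === '__pycache__');
}

// Fixed-window limiter keyed by client IP (assumed budget: 5 per 15 minutes).
// In-memory store is per process; use a shared store behind several instances.
function makeAuthLimiter({ max = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
  const hits = new Map();
  return function allow(ip) {
    const t = now();
    const entry = hits.get(ip);
    if (!entry || t - entry.start >= windowMs) {
      hits.set(ip, { start: t, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= max;
  };
}

// Wraps a (req, res) handler. req needs .url and .ip; res needs
// setHeader(), writeHead() and end(). Returns the status it decided on.
function harden(handler, limiter = makeAuthLimiter()) {
  return function hardened(req, res) {
    for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
    const pathname = new URL(req.url, 'http://localhost').pathname;
    if (isBlockedPath(pathname)) {
      res.writeHead(404); res.end('Not found'); return 404; // assumed: 404, not 403
    }
    if (pathname.startsWith('/api/auth/') && !limiter(req.ip)) {
      res.writeHead(429); res.end('Too many requests'); return 429;
    }
    return handler(req, res);
  };
}
```

Host-level blocking of /.git/ and /.env (as the table says) still belongs in the hosting config; this wrapper is the application-side backstop.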
That's 15 minutes of work to fix 90% of what we found.
Why This Matters
These aren't weekend experiments. They're live products with real users:
- A maternal health platform with actual mothers depending on it
- An SMS loyalty club with member data
- A parenting app with user accounts
- A SaaS platform
- A production app on Netlify
They're all clickjackable. All have zero XSS protection. Three are leaking credentials to the public internet right now.
Scanned with VibeSafe v1.0. 16 checks: SSL/TLS, security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy), exposed files (.env, .git), CORS, JS bundle secrets, rate limiting. Source code: Trufflehog secrets, Semgrep static analysis, Supabase RLS, Firebase rules, hardcoded credentials, missing auth, Stripe webhook verification, SQL injection.
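The header and exposed-file checks from that list, as an added example that is not VibeSafe's own code, run over a constructed response and constructed probe results instead of a live site. Severities follow the post's tables; treating an HSTS max-age below one year as weak is an assumption.

```javascript
// Added example (not VibeSafe's code): header and exposed-file checks on offline input.
const HEADER_CHECKS = [
  { category: 'CSP Header', header: 'content-security-policy', severity: 'HIGH', detail: 'zero XSS protection' },
  { category: 'HSTS Header', header: 'strict-transport-security', severity: 'HIGH', detail: 'SSL downgrade possible' },
  { category: 'X-Frame-Options', header: 'x-frame-options', severity: 'MEDIUM', detail: 'clickjackable' },
  { category: 'X-Content-Type-Options', header: 'x-content-type-options', severity: 'MEDIUM', detail: 'MIME sniffing' },
  { category: 'Referrer-Policy', header: 'referrer-policy', severity: 'MEDIUM', detail: 'referrer leakage' },
];
// Paths the post saw exposed, mapped to the category its tables use.
const EXPOSED_PATHS = { '/.env': 'Exposed Files', '/.env.local': 'Exposed Files',
                        '/.git/HEAD': 'Source Control', '/__pycache__/': 'Server Internals' };
const ONE_YEAR = 31536000; // assumed threshold for a "weak" HSTS max-age

// headers: response headers of GET / (any casing). Returns one finding per gap.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const c of HEADER_CHECKS) {
    const value = h[c.header];
    if (value === undefined) { findings.push({ category: c.category, severity: c.severity, detail: `missing: ${c.detail}` }); continue; }
    if (c.header === 'strict-transport-security') {
      const m = /max-age=(\d+)/i.exec(value);
      if (!m || Number(m[1]) < ONE_YEAR) findings.push({ category: c.category, severity: c.severity, detail: `weak: ${value}` });
    }
  }
  return findings;
}

// probeResults: { path: httpStatus } from GET requests on each sensitive path.
// A 2xx means the file is served and is CRITICAL; 403/404 pass.
function auditExposedPaths(probeResults) {
  return Object.entries(EXPOSED_PATHS)
    .filter(([p]) => probeResults[p] >= 200 && probeResults[p] < 300)
    .map(([p, category]) => ({ category, severity: 'CRITICAL', detail: `${p} publicly accessible` }));
}

function summarize(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { ...counts, total: findings.length };
}

// Constructed sample: no security headers at all, .env and .git served, no cache dir.
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', Server: 'nginx' };
const SAMPLE_PROBES = { '/.env': 200, '/.env.local': 200, '/.git/HEAD': 200, '/__pycache__/': 404 };
const SAMPLE_FINDINGS = [...auditExposedPaths(SAMPLE_PROBES), ...auditHeaders(SAMPLE_HEADERS)];
```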