Survey Reveals Critical Vulnerabilities in Vibe-Coded Apps: Exposed API Keys, Missing Authentication, and More
April 25, 2026
While Bolt.host and Vercel AI apps frequently showed hardcoded keys and insecure defaults, Lovable stood out for better security due to server-side routing by default.
IDOR vulnerabilities were found in two Replit apps, where health records and bookings could be accessed by guessing IDs due to missing authorization checks.
A survey of vibe-coded apps uncovers common vulnerabilities: hardcoded API keys in frontend code, missing authentication checks on routes, broken input validation, exposed Supabase configurations, and no rate limiting, all exploitable by attackers.
A security study across 1,764 vibe-coded apps found 453 with critical vulnerabilities, with notable issues that go beyond Supabase Row Level Security, including exposed keys and insecure configurations.
A pattern emerges: AI code generators tend to optimize for functionality over security, often omitting authentication middleware from the code they generate.
The editorial call to action is clear: ship fast and ship securely, with scanning as a preventive measure, and an invitation for reader questions in the comments.
Some apps left entire APIs exposed with zero authentication, including OpenAPI specs that show empty security schemes, granting unrestricted access to endpoints.
A security scanner (securityscanner.dev) offers a quick 10-second scan and a 70-module full report at securityscanner.dev/reports/2026-q2, inviting developers to test their apps.
Recommended pre-release security steps include auditing environment variables, enforcing route authentication, enabling and testing Supabase Row Level Security, server-side input validation, and rate limiting on authentication endpoints.
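The IDOR finding above (records readable by guessing an ID) and the checklist items for route authentication and server-side validation, shown as an added example that is not code from the article or from any surveyed app: a vulnerable lookup handler beside a hardened one. The booking store, user IDs and request shape are constructed assumptions.

```javascript
// Constructed sample data: two users, each owning one booking with a guessable numeric id.
const bookings = new Map([
  [1001, { id: 1001, ownerId: "alice", when: "2026-05-02T09:00Z", note: "dentist" }],
  [1002, { id: 1002, ownerId: "bob", when: "2026-05-02T10:00Z", note: "physio" }],
]);

// Vulnerable handler (the pattern the survey describes): no session check, no ownership
// check, so any caller who guesses an id receives that record.
function getBookingVulnerable(req) {
  const booking = bookings.get(Number(req.params.id));
  return booking ? { status: 200, body: booking } : { status: 404, body: null };
}

// Hardened handler: require an authenticated session, validate the id server-side,
// and return the record only when the caller owns it.
function getBookingSecure(req) {
  if (!req.session || !req.session.userId) {
    return { status: 401, body: null }; // missing authentication
  }
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: null }; // server-side input validation
  }
  const booking = bookings.get(id);
  // Treat "not found" and "not yours" identically: a 403 would confirm to the
  // caller that the guessed id exists, which helps enumeration.
  if (!booking || booking.ownerId !== req.session.userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: booking };
}
```

In a real app the ownership condition belongs in the database query (select by id and owner together, or an RLS policy) so that no handler can forget it.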
Public exposure of API keys was widespread, with dozens of apps across Bolt.host and Vercel containing hardcoded or exposed keys, risking misuse of API credits.
CodeSafe, a multi-agent security scanner for vibe-coded apps, analyzes authentication/authorization, secrets, injections, access control, misconfigurations, and dependencies, and provides copyable fix prompts.
Additionally, a security-focused tool highlights actionable steps to address vulnerabilities through prompt-driven fixes.
Summary based on 2 sources
Sources

DEV Community • Apr 25, 2026
We scanned 1,764 vibe-coded apps. 453 had critical vulnerabilities. Here's what we found beyond Supabase RLS.
DEV Community • Apr 25, 2026
Why Your Vibe-Coded App Is a Security Disaster Waiting to Happen