This content originally appeared on DEV Community and was authored by kg8888
I've been building VibeSafe — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.
I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.
The results are worse than I expected.
Executive Summary
5 out of 5 apps had security issues. Zero had a Content Security Policy. 33 total findings.
| Severity | Count |
|---|---|
| 🔴 CRITICAL | 6 |
| 🟠 HIGH | 9 |
| 🟡 MEDIUM | 18 |
| TOTAL | 33 |
1. NewMom.help — Bolt + Supabase
Built by a non-technical founder. Maternal health platform. 1M+ impressions at launch.
🔴 CRITICAL — VibeSafe verdict: "Your app is leaking data"
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL |
.env and .env.local publicly accessible — anyone can grab credentials |
| 🔴 Source Control | FAIL |
/.git/ exposed — full repo history downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing — zero XSS protection |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing — SSL downgrade possible |
| 🟡 X-Frame-Options | FAIL | Missing — clickjacking vulnerability |
| 🟡 X-Content-Type-Options | FAIL | Missing — MIME-sniffing attacks possible |
| 🟡 Referrer-Policy | FAIL | Missing — referrer leakage |
| 🟡 Auth Rate Limiting | WARN |
/api/auth/login detected — no rate limiting |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
2. Disko.is — Replit + React
SMS loyalty platform with member data. Built by a solo founder in Iceland.
🔴 CRITICAL — Same pattern as NewMom
| Category | Status | Detail |
|---|---|---|
| 🔴 Exposed Files | FAIL |
.env and .env.local publicly accessible |
| 🔴 Source Control | FAIL |
/.git/ exposed — full repo downloadable |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 HSTS Header | FAIL | Strict-Transport-Security missing |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing |
| 🟡 Referrer-Policy | FAIL | Missing |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without protection |
11 issues found (4 critical, 2 high, 3 medium, 2 low)
3. AltCloud.dev — Lovable + Bolt + Supabase
Built by an experienced CTO. SaaS platform.
🔴 CRITICAL — Git history and server internals exposed
| Category | Status | Detail |
|---|---|---|
| 🔴 Source Control | FAIL |
/.git/ exposed — full repo leaked |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing |
| 🟠 Server Internals | FAIL |
__pycache__/ directory exposed publicly |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 Auth Rate Limiting | WARN | Auth endpoint without rate limiting |
Notable: This was the only app that handled environment variables properly in source code — no committed .env files. But the live site was leaking git history and Python cache directories.
7 issues found (2 critical, 2 high, 2 medium, 1 low)
4. SleepingBaby.info — Cursor + Next.js + MongoDB
Parenting app by a solo developer. Entire app built in 450 tokens.
🟠 HIGH RISK — Best of the bunch, but still gaps
| Category | Status | Detail |
|---|---|---|
| ✅ SSL/TLS | PASS | Valid certificate |
| ✅ .env Files | PASS | No exposed environment files |
| ✅ .git Directory | PASS | Not exposed |
| 🟠 CSP Header | FAIL | Content-Security-Policy missing — zero XSS protection |
| 🟡 X-Frame-Options | FAIL | Missing — clickjackable |
| 🟡 X-Content-Type-Options | FAIL | Missing — MIME-sniffing risk |
| 🟡 Auth Rate Limiting | FAIL |
/api/auth/signin — no rate limiting, brute-force possible |
6 issues found (0 critical, 1 high, 3 medium, 2 low)
5. RemedyHunt.com — Bolt + Supabase + Netlify
Live product on Netlify. Built by a non-technical founder.
🔴 CRITICAL — SSL certificate invalid, browser blocks the site
| Category | Status | Detail |
|---|---|---|
| 🔴 SSL/TLS | FAIL | Certificate is INVALID — certificate verify failed. Browsers show a security warning |
| 🟡 Accessibility | FAIL | Could not check headers — no valid HTTPS connection |
2 issues found (1 critical, 0 high, 1 medium)
The Common Thread
| Issue | Apps Affected |
|---|---|
| ❌ No Content Security Policy (XSS protection) | 5/5 — 100% |
| ❌ No X-Frame-Options (clickjacking) | 5/5 — 100% |
| ❌ No X-Content-Type-Options (MIME sniffing) | 4/5 — 80% |
| ❌ No Referrer-Policy (referrer leakage) | 4/5 — 80% |
| ❌ Auth endpoint without rate limiting | 4/5 — 80% |
| ❌ No or weak HSTS (SSL downgrade) | 3/5 — 60% |
❌ .env or .git/ exposed publicly |
3/5 — 60% |
| ❌ No valid SSL certificate | 1/5 — 20% |
The Good News
Not all vibe-coded apps are insecure. The source code scan found some bright spots:
| Project | Stack | Issues | Notes |
|---|---|---|---|
| Obertura | Vite + TypeScript (chess app) | 0 | ✅ Clean scan. Earned the trust badge |
| Autobot | Node.js CLI + Playwright | 0 | ✅ Clean scan |
| Interior Planner | Next.js + Drizzle + Vercel Blob | 10 | Had proper auth system, env vars, .env.example. Issues were missing route auth — fixable in an afternoon |
Some builders do think about security. But the majority ship fast and find out later.
The Fix
| Problem | Fix | Time |
|---|---|---|
| No CSP | Content-Security-Policy: default-src 'self' |
1 minute |
| No X-Frame-Options | X-Frame-Options: DENY |
1 minute |
| No HSTS | Strict-Transport-Security: max-age=31536000 |
1 minute |
| Exposed .env | Add .env to .gitignore, block at host level |
1 minute |
| Exposed .git | Block /.git/ in hosting config |
1 minute |
| No rate limiting | Add middleware (express-rate-limit, @upstash/ratelimit) | 10 minutes |
That's 15 minutes of work to fix 90% of what we found.
Why This Matters
These aren't weekend experiments. They're live products with real users:
- A maternal health platform with actual mothers depending on it
- An SMS loyalty club with member data
- A parenting app with user accounts
- A SaaS platform
- A production app on Netlify
They're all clickjackable. All have zero XSS protection. Three are leaking credentials to the public internet right now.
Scanned with VibeSafe v1.0. 16 checks: SSL/TLS, security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy), exposed files (.env, .git), CORS, JS bundle secrets, rate limiting. Source code: Trufflehog secrets, Semgrep static analysis, Supabase RLS, Firebase rules, hardcoded credentials, missing auth, Stripe webhook verification, SQL injection.
This content originally appeared on DEV Community and was authored by kg8888
kg8888 | Sciencx (2026-06-23T12:22:27+00:00) I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found. Retrieved from https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.