I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found

I’ve been building VibeSafe — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.

I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.

The results are worse…


This content originally appeared on DEV Community and was authored by kg8888

I've been building VibeSafe — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.

I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit.

The results are worse than I expected.

Executive Summary

5 out of 5 apps had security issues. Zero had a Content Security Policy. 33 total findings.

Severity Count
🔴 CRITICAL 6
🟠 HIGH 9
🟡 MEDIUM 18
TOTAL 33

1. NewMom.help — Bolt + Supabase

Built by a non-technical founder. Maternal health platform. 1M+ impressions at launch.

🔴 CRITICAL — VibeSafe verdict: "Your app is leaking data"

Category Status Detail
🔴 Exposed Files FAIL .env and .env.local publicly accessible — anyone can grab credentials
🔴 Source Control FAIL /.git/ exposed — full repo history downloadable
🟠 CSP Header FAIL Content-Security-Policy missing — zero XSS protection
🟠 HSTS Header FAIL Strict-Transport-Security missing — SSL downgrade possible
🟡 X-Frame-Options FAIL Missing — clickjacking vulnerability
🟡 X-Content-Type-Options FAIL Missing — MIME-sniffing attacks possible
🟡 Referrer-Policy FAIL Missing — referrer leakage
🟡 Auth Rate Limiting WARN /api/auth/login detected — no rate limiting

11 issues found (4 critical, 2 high, 3 medium, 2 low)

2. Disko.is — Replit + React

SMS loyalty platform with member data. Built by a solo founder in Iceland.

🔴 CRITICAL — Same pattern as NewMom

Category Status Detail
🔴 Exposed Files FAIL .env and .env.local publicly accessible
🔴 Source Control FAIL /.git/ exposed — full repo downloadable
🟠 CSP Header FAIL Content-Security-Policy missing
🟠 HSTS Header FAIL Strict-Transport-Security missing
🟡 X-Frame-Options FAIL Missing — clickjackable
🟡 X-Content-Type-Options FAIL Missing
🟡 Referrer-Policy FAIL Missing
🟡 Auth Rate Limiting WARN Auth endpoint without protection

11 issues found (4 critical, 2 high, 3 medium, 2 low)

3. AltCloud.dev — Lovable + Bolt + Supabase

Built by an experienced CTO. SaaS platform.

🔴 CRITICAL — Git history and server internals exposed

Category Status Detail
🔴 Source Control FAIL /.git/ exposed — full repo leaked
🟠 CSP Header FAIL Content-Security-Policy missing
🟠 Server Internals FAIL __pycache__/ directory exposed publicly
🟡 X-Frame-Options FAIL Missing — clickjackable
🟡 Auth Rate Limiting WARN Auth endpoint without rate limiting

Notable: This was the only app that handled environment variables properly in source code — no committed .env files. But the live site was leaking git history and Python cache directories.

7 issues found (2 critical, 2 high, 2 medium, 1 low)

4. SleepingBaby.info — Cursor + Next.js + MongoDB

Parenting app by a solo developer. Entire app built in 450 tokens.

🟠 HIGH RISK — Best of the bunch, but still gaps

Category Status Detail
✅ SSL/TLS PASS Valid certificate
✅ .env Files PASS No exposed environment files
✅ .git Directory PASS Not exposed
🟠 CSP Header FAIL Content-Security-Policy missing — zero XSS protection
🟡 X-Frame-Options FAIL Missing — clickjackable
🟡 X-Content-Type-Options FAIL Missing — MIME-sniffing risk
🟡 Auth Rate Limiting FAIL /api/auth/signin — no rate limiting, brute-force possible

6 issues found (0 critical, 1 high, 3 medium, 2 low)

5. RemedyHunt.com — Bolt + Supabase + Netlify

Live product on Netlify. Built by a non-technical founder.

🔴 CRITICAL — SSL certificate invalid, browser blocks the site

Category Status Detail
🔴 SSL/TLS FAIL Certificate is INVALID — certificate verify failed. Browsers show a security warning
🟡 Accessibility FAIL Could not check headers — no valid HTTPS connection

2 issues found (1 critical, 0 high, 1 medium)

The Common Thread

Issue Apps Affected
❌ No Content Security Policy (XSS protection) 5/5 — 100%
❌ No X-Frame-Options (clickjacking) 5/5 — 100%
❌ No X-Content-Type-Options (MIME sniffing) 4/5 — 80%
❌ No Referrer-Policy (referrer leakage) 4/5 — 80%
❌ Auth endpoint without rate limiting 4/5 — 80%
❌ No or weak HSTS (SSL downgrade) 3/5 — 60%
.env or .git/ exposed publicly 3/5 — 60%
❌ No valid SSL certificate 1/5 — 20%

The Good News

Not all vibe-coded apps are insecure. The source code scan found some bright spots:

Project Stack Issues Notes
Obertura Vite + TypeScript (chess app) 0 ✅ Clean scan. Earned the trust badge
Autobot Node.js CLI + Playwright 0 ✅ Clean scan
Interior Planner Next.js + Drizzle + Vercel Blob 10 Had proper auth system, env vars, .env.example. Issues were missing route auth — fixable in an afternoon

Some builders do think about security. But the majority ship fast and find out later.

The Fix

Problem Fix Time
No CSP Content-Security-Policy: default-src 'self' 1 minute
No X-Frame-Options X-Frame-Options: DENY 1 minute
No HSTS Strict-Transport-Security: max-age=31536000 1 minute
Exposed .env Add .env to .gitignore, block at host level 1 minute
Exposed .git Block /.git/ in hosting config 1 minute
No rate limiting Add middleware (express-rate-limit, @upstash/ratelimit) 10 minutes

That's 15 minutes of work to fix 90% of what we found.

Why This Matters

These aren't weekend experiments. They're live products with real users:

  • A maternal health platform with actual mothers depending on it
  • An SMS loyalty club with member data
  • A parenting app with user accounts
  • A SaaS platform
  • A production app on Netlify

They're all clickjackable. All have zero XSS protection. Three are leaking credentials to the public internet right now.

Scanned with VibeSafe v1.0. 16 checks: SSL/TLS, security headers (CSP, HSTS, XFO, XCTO, Referrer-Policy), exposed files (.env, .git), CORS, JS bundle secrets, rate limiting. Source code: Trufflehog secrets, Semgrep static analysis, Supabase RLS, Firebase rules, hardcoded credentials, missing auth, Stripe webhook verification, SQL injection.


This content originally appeared on DEV Community and was authored by kg8888


Print Share Comment Cite Upload Translate Updates
APA

kg8888 | Sciencx (2026-06-23T12:22:27+00:00) I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found. Retrieved from https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/

MLA
" » I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found." kg8888 | Sciencx - Tuesday June 23, 2026, https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/
HARVARD
kg8888 | Sciencx Tuesday June 23, 2026 » I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found., viewed ,<https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/>
VANCOUVER
kg8888 | Sciencx - » I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/
CHICAGO
" » I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found." kg8888 | Sciencx - Accessed . https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/
IEEE
" » I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found." kg8888 | Sciencx [Online]. Available: https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/. [Accessed: ]
rf:citation
» I Scanned 5 Real Vibe-Coded Apps With a Security Scanner — Here’s What I Found | kg8888 | Sciencx | https://www.scien.cx/2026/06/23/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.