Built for Lovable, Cursor, Bolt.new, and Replit builders. The security holes AI reliably creates.

In independent testing, 61% of AI-built features were functionally correct. Only 10.5% were secure. (CMU SusVibes, 2025)

Lovable · Cursor · Bolt.new · Replit · Windsurf · Claude Code · v0

What AI doesn't check

These aren't edge cases. They're the default output of every major AI coding tool. The code works. The security doesn't.

CRITICAL·AUTH

Token presence ≠ token validity

AI checks if a token exists. It doesn't check if it's expired, tampered with, or still valid server-side.

CRITICAL·PAYMENTS

No Stripe signature verification

AI builds working Stripe integrations. It almost never adds `stripe.webhooks.constructEvent()`. Anyone can POST a fake payment.

HIGH·DATABASE

Row-level security off by default

Supabase starts with RLS disabled. AI tools add queries that work, but never enable the policies that scope data per user.

HIGH·ENV

NEXT_PUBLIC_ prefix on secrets

In Next.js, any variable prefixed `NEXT_PUBLIC_` is bundled into the client. AI tools add this prefix to make variables "accessible" in the browser, which also makes them public to anyone who loads the page.

Six categories. Built for AI-generated code.

API Key Exposure

The most common mistake: keys in bundles, git history, and env files

Auth Bypass Patterns

How AI-generated auth code gets bypassed in predictable ways

Webhook Verification Gaps

Unverified payment events that let anyone fake a successful payment

SQL Injection in AI Code

How AI builds queries that look safe but aren't parameterized

CORS Misconfiguration

Wildcard CORS in production; what it means and how to fix it

Session Handling Failures

Token expiration, session fixation, and logout that doesn't actually log out

Get the checklist

Free. Sent to your inbox immediately.

A few items from the list

[ ] Supabase RLS: disabled by default in most Lovable scaffolds. Every user-facing table needs a policy. Check the Supabase dashboard under Authentication > Policies.
[ ] Lovable env vars: any key passed to the frontend is visible in the browser bundle. Verify no `STRIPE_SECRET_KEY` or OpenAI key appears in devtools > Sources.
[ ] Cursor-generated auth middleware: checks token presence, not token validity. Look for `verifyJWT()` or equivalent, not just `cookies.get()`.
[ ] Bolt.new Stripe integration: `constructEvent()` signature check almost never included by default. Without it, anyone can POST a fake payment-succeeded event.
[ ] Replit deployments: `.env` files sometimes committed to the Repl history. Run `git log -p | grep STRIPE` to check.
… More in the full checklist

Want someone to actually check your app?

The checklist tells you what to look for. A $349 Vibe Check means a senior developer looks for you, independently, with a full written report and launch verdict in 5 business days.

Get a $349 Vibe Check