📅 June 23, 2026 📁 Security ⏱ 8 min read

I Scanned 5 Vibe-Coded Apps With VibeSafe — Here's What I Found

I built VibeSafe — a security scanner specifically for AI-generated code. So I decided to put it to work on real apps.

I grabbed 5 vibe-coded products from the Vibe Coding Showcase and ran them through the full audit: 8 source code checks + 8 live site checks. The scanner does everything automatically — SSL check, security headers, exposed files, CORS, secrets scanning, auth coverage, and more.

The results are worse than I expected.

🔴 5 out of 5 apps had security issues. Zero had a Content Security Policy.

Severity	Count
🔴 CRITICAL	6
🟠 HIGH	9
🟡 MEDIUM	18
Total	33

The Scan Results

1. NewMom.help — Bolt + Supabase

Built by a non-technical founder. 1M+ impression launch on Twitter. A maternal health support platform.

🔴 CRITICAL — VibeSafe: "Your app is leaking data"

11 issues found: 4 critical, 2 high, 3 medium, 2 low

🔴/.env — publicly accessible. Anyone can read your database credentials and API keys.
🔴/.env.local — publicly accessible.
🔴/.git/config — exposed. Full git history downloadable.
🔴/.git/HEAD — exposed.
🟠Content-Security-Policy missing — no XSS protection.
🟠Strict-Transport-Security missing.
🟡X-Frame-Options missing — clickjacking possible.
🟡X-Content-Type-Options missing — MIME-sniffing risk.
🟡Referrer-Policy missing.

2. Disko.is — Replit + React

An SMS loyalty platform built by a solo founder in Iceland. Real users, real member data.

🔴 CRITICAL — Same pattern as NewMom

11 issues found: 4 critical, 2 high, 3 medium, 2 low

🔴/.env — publicly accessible.
🔴/.env.local — publicly accessible.
🔴/.git/config — exposed.
🔴/.git/HEAD — exposed.
🟠CSP missing, HSTS missing.
🟡XFO, XCTO, Referrer-Policy all missing.

3. AltCloud.dev — Lovable + Bolt + Supabase

Built by an experienced CTO. A SaaS platform.

🔴 CRITICAL — Git history exposed

7 issues found: 2 critical, 2 high, 2 medium, 1 low

🔴/.git/config — exposed. Full repo downloadable.
🔴/.git/HEAD — exposed.
🟠CSP missing — no XSS protection.
🟠/__pycache__/ — Python cache directory exposed.
🟡X-Frame-Options missing.
🟡Auth endpoint without rate limiting.

4. SleepingBaby.info — Cursor + Next.js + MongoDB

A parenting app built by a solo developer. Entire app written in 450 tokens via Cursor.

🟠 HIGH RISK — Best of the bunch, but still gaps

6 issues found: 0 critical, 1 high, 3 medium, 2 low

🟠CSP missing — no XSS protection.
🟡X-Frame-Options missing — clickjackable.
🟡X-Content-Type-Options missing.
🟡/api/auth/signin — no rate limiting. Brute-force attack surface.
✅No .env or .git leaks. Cleanest scan of the 5.

5. RemedyHunt.com — Bolt + Supabase + Netlify

A live product. Built by a non-technical founder.

🔴 CRITICAL — SSL invalid, browser blocks the site

2 issues found: 1 critical, 0 high, 1 medium

🔴SSL certificate is INVALID. Certificate verify failed. Browsers show a security warning.
🟡Could not reach URL to check headers — no valid HTTPS.

The Silver Lining

Not all vibe-coded apps are insecure. The source code scan told a different story for some projects:

Obertura (Android chess app, Vite + TypeScript) — 0 issues. Clean scan. Earned the VibeSafe trust badge.
Autobot (Node.js CLI, Playwright) — 0 issues. Clean scan.
Interior Planner (Next.js + Drizzle + Vercel Blob) — had a proper auth system with better-auth, used environment variables, had clear .env.example. 10 findings but all were missing auth on API routes — fixable in an afternoon.

Some builders do think about security. But the majority ship fast and find out later.

The Pattern

Every app was missing Content Security Policy — the single most important defense against XSS.

Every app was missing X-Frame-Options — clickjacking protection.

3 out of 5 were leaking .env files or .git/ directories to the public internet.

1 didn't even have a working SSL certificate.

Why This Matters

These aren't experiments. They're real products with real users:

A maternal health support platform
An SMS loyalty club with member data
A parenting app with user accounts
A SaaS platform
A live product on Netlify

And they're all clickjackable. All have zero XSS protection. Three are leaking credentials to anyone who checks.

The Fix Is Simple

One CSP header. One X-Frame-Options header. One .gitignore entry. These are 5-minute fixes that most vibe coders don't know to make.

# Add to your hosting config (Vercel, Netlify, Cloudflare):
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains

# Add to .gitignore:
.env
.env.local
.env.production

That catches 90% of what we found.

Methodology

All scans performed with VibeSafe scanner v1.0. The audit includes:

Post-launch checks (live site): SSL/TLS certificate validity, security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), exposed sensitive files (.env, .git, __pycache__), CORS misconfiguration, secrets in JavaScript bundles, rate limiting on auth endpoints.

Pre-launch checks (source code): Trufflehog secret scan, Semgrep static analysis (OWASP top-10 ruleset), Supabase RLS configuration, Firebase security rules, hardcoded credentials in all source files, API routes missing authentication, Stripe webhook signature verification, SQL injection via string concatenation.

Scan your own app

16 security checks on your source code and live site. Plain-English report with exact fixes.

Scan My App →