AI-generated code works. But "works" and "secure" aren't the same thing. If your vibe-coded app handles user data, processes payments, or is accessible on the public internet, security isn't optional — even for a prototype.
This guide covers the most common security issues in AI-generated code and practical steps to address them. You don't need to be a security expert, but you do need to understand the risks.
Why AI-Generated Code Has Security Issues
AI models learn from vast amounts of code — including code with vulnerabilities. They optimize for making things work, not for making things safe. Security is often about what you don't do (don't expose secrets, don't trust user input, don't store passwords in plain text), and AI tools can miss these negative requirements.
The result: code that passes every functional test but fails basic security reviews.
This isn't theoretical. In May 2025, security researchers found that several popular vibe coding tools generated apps with exploitable vulnerabilities — including exposed API keys, SQL injection, and insecure authentication.
The Most Common Vulnerabilities
Exposed API keys and secrets
This is the number one issue. AI tools often hardcode API keys, database credentials, or secret tokens directly in the frontend code — where anyone can see them by viewing the page source.
What goes wrong: Your Stripe secret key, Supabase service role key, or third-party API credentials are visible to anyone who opens browser developer tools.
What to check: Search your codebase for any strings that look like keys or tokens. In a properly configured app, secrets should only exist in environment variables on the server, never in client-side code.
Red flags: Any file in your public folder or client-side code containing strings like sk_live_, supabase_service_role, API_KEY, or long random-looking strings.
Insecure authentication
AI tools generate authentication that works for demos but may not be production-secure:
- Weak password requirements: No minimum length, no complexity rules
- Missing rate limiting: An attacker can try thousands of passwords per second
- Insecure session handling: Sessions that don't expire, tokens stored in localStorage (vulnerable to XSS), or sessions that survive password changes
- No email verification: Anyone can sign up with any email address, including yours
What to check: Try logging in with a 1-character password. Try logging in wrong 100 times — does anything stop you? Check if your session persists after you change your password in another browser.
SQL injection and NoSQL injection
When user input is inserted directly into database queries without sanitization, attackers can manipulate the query to access, modify, or delete data.
What goes wrong: A search field that passes user input directly to a database query. An attacker types ' OR 1=1 -- and gets access to all records.
What to check: If you're using Supabase or Firebase with their official client libraries and Row Level Security (RLS), you're mostly protected. If the AI wrote custom SQL queries, that's where injection risk lives.
Cross-Site Scripting (XSS)
When your app displays user-generated content without sanitizing it, attackers can inject JavaScript that runs in other users' browsers.
What goes wrong: A user submits a comment containing <script>steal_cookies()</script>. When other users view that comment, the script executes in their browser.
What to check: Try submitting <script>alert('xss')</script> in any text input. If an alert box appears, you have an XSS vulnerability. Modern frameworks (React, Next.js) escape output by default, but AI-generated code sometimes bypasses this with dangerouslySetInnerHTML or similar patterns.
Missing access controls
The AI might build a page where users can only see their own data — but only on the frontend. The API endpoint still returns everyone's data, and anyone with basic technical knowledge can call it directly.
What goes wrong: Your app shows each user their own profile. But hitting /api/users/123 returns user 123's data regardless of who's asking. An attacker can enumerate all user IDs and download your entire user database.
What to check: Open your browser's developer tools, find the API calls your app makes, and try changing IDs or parameters. Can you access other users' data?
Insecure file uploads
If your app accepts file uploads (profile pictures, documents), AI-generated code may not validate what's being uploaded.
What goes wrong: An attacker uploads a malicious file disguised as an image, or uploads a massive file that crashes your server, or uploads to a path that overwrites existing files.
What to check: Does the upload accept any file type? Is there a file size limit? Are uploaded files served from a separate domain or CDN (to prevent script execution)?
Security by Architecture
Some architectural choices are inherently more secure. If you can influence these decisions, prefer:
Use established auth providers
Don't let the AI build authentication from scratch. Use Supabase Auth, Firebase Auth, Auth0, or Clerk. These services handle password hashing, session management, rate limiting, and security patches. Your vibe-coded app just connects to them.
Enable Row Level Security (RLS)
If you're using Supabase, enable RLS on every table. This means even if your API code has bugs, the database itself enforces who can see and modify which rows. It's a safety net that catches access control failures.
Keep secrets server-side
API keys and credentials should only exist in server-side code or environment variables. If your app builder offers server functions or API routes, use them for anything involving secrets. Never put credentials in client-side code.
Use HTTPS everywhere
Most hosting platforms (Vercel, Netlify, Cloudflare Pages) provide HTTPS by default. Make sure your app doesn't make any HTTP (non-HTTPS) requests, especially for authentication or data submission.
A Practical Security Checklist
Before putting any vibe-coded app on the internet with real users, check these:
- No hardcoded secrets in client-side code
- Authentication uses an established provider (Supabase Auth, Firebase Auth, etc.)
- Passwords require at least 8 characters
- Users can only access their own data (test by manually changing IDs in API calls)
- File uploads are validated (type, size) if applicable
- HTTPS is enforced everywhere
- Database has Row Level Security enabled (if using Supabase)
- User input is sanitized before display (test with
<script>tags) - Error messages don't expose internal details (no stack traces, file paths, or SQL queries shown to users)
- Rate limiting exists on login and signup endpoints
You don't need to be a security expert to run through this list. Most items can be verified in under 5 minutes each.
When to Get Professional Help
Some situations require a real security review:
- You're handling payment information — PCI compliance is legally required
- You're storing health data — HIPAA compliance isn't optional
- You're handling EU user data — GDPR has specific technical requirements
- You're building for enterprise customers — they'll ask for SOC 2 compliance or security questionnaires
- Your app has been breached or you suspect a vulnerability — get expert help immediately
A professional security audit for a small app typically costs $2,000–10,000. If your app handles sensitive data at any scale, this is money well spent.
The Right Level of Paranoia
Not every vibe-coded app needs enterprise security. Match your security investment to your risk:
Personal project or internal tool (low risk): Run through the checklist above. Fix any obvious issues. That's enough.
Public app with user accounts (medium risk): Checklist plus: use an auth provider, enable RLS, keep secrets server-side. Consider a basic security review before launch.
App handling money or sensitive data (high risk): All of the above plus a professional security audit. Consider whether vibe coding is the right approach for the sensitive components — it might be worth having a developer build the security-critical parts.
The Bottom Line
AI-generated code isn't inherently insecure, but it doesn't prioritize security either. The good news: most vulnerabilities in vibe-coded apps are well-known patterns with straightforward fixes. A 30-minute security check can catch 80% of issues.
Don't let security anxiety stop you from building. Do let it stop you from deploying sensitive features without a basic review.
Next Steps
- Read: What Can You Build with Vibe Coding? — understand what's realistic
- Read: When to Stop Vibe Coding — know when to bring in professional help
- Read: The Hidden Costs of Vibe Coding — budget for security reviews
- Browse tools — see which tools have better security defaults