Security · March 21, 2026 · 6 min read

5 Security Risks Every Vibe-Coded App Has (And How to Fix Them)

AI coding tools like Cursor, Lovable, Bolt, and Replit make it insanely fast to ship. They also make it insanely easy to ship your Stripe secret key, Supabase service role key, and OpenAI token in your JavaScript bundle.

We've scanned thousands of startup websites built with AI coding tools. The same 5 security issues show up over and over, and most founders don't realize they're vulnerable until someone exploits one of them.

1. API keys in JavaScript bundles

This is the big one. AI coding tools often put API keys directly in client-side code because you pasted them into the prompt or they were in your .env and the tool didn't know to exclude them. Stripe secret keys, OpenAI API keys, Supabase service role keys, Firebase admin credentials — we find them every day.

How to fix: Move all secret keys to server-side environment variables. In Next.js, only variables prefixed with NEXT_PUBLIC_ should be in client code — and those should only be publishable keys (like Stripe's publishable key), never secret keys.
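As an added example (not code from the article or from any scanner it describes), here is the kind of passive check that finds these leaks: scan the text of a built bundle for strings shaped like the provider secrets named above. The patterns follow the providers' public key formats (Stripe `sk_live_`/`sk_test_`, OpenAI `sk-`, Supabase keys as JWTs, a PEM private key inside Firebase Admin credentials); the sample bundle and the JWTs in it are constructed for the demo. Note that a Stripe publishable key and a Supabase anon key are public by design and are deliberately not reported.

```javascript
// Added example: find secret-shaped strings in a client-side JavaScript bundle.
// Only key *shapes* are matched; findings are redacted so the report itself
// never re-leaks a secret. Uses Node's global Buffer for base64url decoding.

const SECRET_PATTERNS = [
  // Stripe secret (sk_) and restricted (rk_) keys. Publishable pk_ keys are
  // meant for the browser and do not match.
  { name: 'Stripe secret key', re: /\b[sr]k_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  // OpenAI API keys: "sk-..." or project keys "sk-proj-...".
  { name: 'OpenAI API key', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
  // Any JWT; Supabase anon and service role keys are both JWTs, so the
  // payload decides below which one this is.
  { name: 'JWT', re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g },
  // Firebase Admin / Google service-account JSON carries a PEM private key.
  { name: 'PEM private key', re: /-----BEGIN (?:RSA )?PRIVATE KEY-----/g },
];

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Keep only a short prefix so the finding can be triaged without exposing the key.
function redact(value) {
  return `${value.slice(0, 8)}...(${value.length} chars)`;
}

function findSecrets(bundleText) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const match of bundleText.matchAll(re)) {
      const value = match[0];
      if (name === 'JWT') {
        const payload = decodeJwtPayload(value);
        // The anon key is public by design; only the service_role key is a secret.
        if (payload && payload.role === 'service_role') {
          findings.push({ type: 'Supabase service role key', sample: redact(value) });
        }
        continue;
      }
      findings.push({ type: name, sample: redact(value) });
    }
  }
  return findings;
}

// Constructed sample data: an unsigned, made-up JWT with the given payload.
function constructedJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.constructed_signature`;
}
const SAMPLE_ANON_JWT = constructedJwt({ role: 'anon' });
const SAMPLE_SERVICE_JWT = constructedJwt({ role: 'service_role' });

// Constructed bundle: one acceptable public key per provider next to a secret one.
const SAMPLE_BUNDLE = [
  'const stripe=Stripe("pk_live_CONSTRUCTEDpublishable0000000000");',
  'const stripeSecret="sk_live_CONSTRUCTEDsecret000000000000";',
  'const openai="sk-proj-CONSTRUCTEDopenaikey0000000000000000";',
  `const anonKey="${SAMPLE_ANON_JWT}";`,
  `const serviceKey="${SAMPLE_SERVICE_JWT}";`,
  'const sa={private_key:"-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----"};',
].join('\n');

console.log(findSecrets(SAMPLE_BUNDLE));
```

Run against a real deployment by fetching each script URL referenced from the page's HTML and passing the body to `findSecrets`. The publishable key and the anon key on the first and fourth lines of the sample produce no finding; the other four lines each do.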

2. Exposed .env files

Some deployment configurations accidentally serve .env files as static assets. Anyone can visit yoursite.com/.env and see your database credentials, API keys, and secrets. This is especially common with static site deployments and misconfigured Vercel/Netlify setups.

How to fix: Add .env to your .gitignore (most frameworks do this by default). Verify by trying to access yoursite.com/.env in a browser — if you see anything other than a 404, you have a problem.
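The verification step above, written out as an added example (not the article's own tooling). One practical wrinkle: many single-page apps answer every unknown path with index.html and a 200, so a status code alone gives false positives; this check also looks at the body for KEY=VALUE lines and reports variable names only, never values. The base URL and the sample responses are constructed for the demo.

```javascript
// Added example: probe https://yoursite.com/.env and decide whether the response
// is actually a served dotenv file. Requires Node 18+ for the global fetch.

const DOTENV_LINE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/;

// Pure classifier so it can be tested without network access.
function classifyEnvResponse(status, contentType, body) {
  if (status === 404) return { verdict: 'ok', keys: [] };
  if (status >= 300 && status < 400) {
    return { verdict: 'review', reason: `redirect (${status})`, keys: [] };
  }
  if (status === 403) {
    return { verdict: 'review', reason: 'forbidden: the file may exist but is not served', keys: [] };
  }
  const looksLikeHtml = /text\/html/i.test(contentType) || body.trimStart().startsWith('<');
  // Collect variable names only; values are never copied into the report.
  const keys = [];
  for (const line of body.split(/\r?\n/)) {
    const m = DOTENV_LINE.exec(line);
    if (m) keys.push(m[1]);
  }
  if (status === 200 && looksLikeHtml) {
    return { verdict: 'ok', reason: 'catch-all page, not a dotenv file', keys: [] };
  }
  if (status === 200 && keys.length > 0) return { verdict: 'exposed', keys };
  return { verdict: 'review', reason: `unexpected status ${status}`, keys: [] };
}

// Network wrapper; fetchImpl is injectable so the probe can be driven by a mock.
async function checkEnvExposure(baseUrl, fetchImpl = globalThis.fetch) {
  const url = new URL('/.env', baseUrl).toString();
  const res = await fetchImpl(url, { redirect: 'manual' });
  const body = res.status === 404 ? '' : await res.text();
  return classifyEnvResponse(res.status, res.headers.get('content-type') || '', body);
}

// Constructed sample bodies.
const SAMPLE_LEAK = [
  '# constructed .env for the demo',
  'DATABASE_URL=postgres://app:CONSTRUCTED@db.internal/app',
  'export OPENAI_API_KEY=sk-CONSTRUCTED',
  'STRIPE_SECRET_KEY=sk_live_CONSTRUCTED',
].join('\n');
const SAMPLE_SPA_PAGE = '<!doctype html><html><head><title>app</title></head><body></body></html>';

console.log(classifyEnvResponse(404, '', ''));
console.log(classifyEnvResponse(200, 'text/html; charset=utf-8', SAMPLE_SPA_PAGE));
console.log(classifyEnvResponse(200, 'application/octet-stream', SAMPLE_LEAK));
```

Call `checkEnvExposure('https://yoursite.com')` against your own deployment; an `exposed` verdict lists which variable names are readable so you know exactly which credentials to rotate.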

3. Missing security headers

AI coding tools almost never add security headers. No Content-Security-Policy, no X-Frame-Options, no Strict-Transport-Security. Without them your app has no browser-side defense against XSS attacks, clickjacking, and MIME sniffing.

How to fix: Add security headers in your next.config.js or vercel.json. At minimum, add Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
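As an added example (not from the article), here is a header set in the shape Next.js expects from the `headers()` option in next.config.js, together with a small audit that reports which of those headers a response is missing or sets weakly. The header values are a starting point, not the article's recommendation; the Content-Security-Policy in particular must be adjusted to the scripts, styles and API origins your app actually loads, or it will break the page. The sample responses are constructed.

```javascript
// Added example: security headers for a Next.js app plus an audit function.

const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  // Starting-point CSP: tune to what the app loads before shipping.
  { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// next.config.js shape: apply the headers to every route.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// Audit a response's headers (plain object; for a fetch Response pass
// Object.fromEntries(res.headers)). Header names are case-insensitive.
function auditHeaders(responseHeaders) {
  const present = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const missing = securityHeaders
    .filter(({ key }) => !present.has(key.toLowerCase()))
    .map(({ key }) => key);

  const weak = [];
  // A CSP without frame-ancestors leaves clickjacking protection to X-Frame-Options alone.
  const csp = present.get('content-security-policy');
  if (csp && !/frame-ancestors/i.test(csp)) weak.push('Content-Security-Policy lacks frame-ancestors');
  // HSTS with a short max-age barely protects anyone; 180 days is a common floor.
  const hsts = present.get('strict-transport-security');
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) weak.push('Strict-Transport-Security max-age below 180 days');
  }
  return { missing, weak };
}

// Constructed responses: a bare default deployment and one sending every header.
const SAMPLE_BARE_RESPONSE = { 'Content-Type': 'text/html; charset=utf-8', 'X-Powered-By': 'Next.js' };
const SAMPLE_FULL_RESPONSE = Object.fromEntries(securityHeaders.map((h) => [h.key, h.value]));

console.log(auditHeaders(SAMPLE_BARE_RESPONSE));
console.log(auditHeaders(SAMPLE_FULL_RESPONSE));
module.exports = nextConfig;
```

The audit is what a passive scanner does with a single GET of the homepage; running it before and after deploying the config change confirms the headers actually reach the browser (a CDN or proxy in front of the app can strip or override them).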

4. Source maps in production

Source maps expose your entire original source code to anyone who opens browser DevTools. AI coding tools often leave source maps enabled in production builds. This means anyone can read your business logic, find hardcoded secrets you missed, and understand your app's architecture.

How to fix: Set productionBrowserSourceMaps: false in your Next.js config. For other frameworks, check the build configuration for source map settings.
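An added example (not from the article) of how a scanner finds this: build tools leave a `//# sourceMappingURL=` comment at the end of each bundle, either pointing at a separate `.map` file or embedding the whole map as a `data:` URL. The function below extracts those references from bundle text and resolves relative ones against the bundle's URL, so each external map can then be requested to confirm it is not served. The sample bundle and URL are constructed, and the JS and CSS comment forms are mixed into one sample only to show both shapes.

```javascript
// Added example: locate source-map references in built assets.
// Requires Node 18+ for the global fetch used by the optional reachability check.

// Matches "//# sourceMappingURL=..." (JS) and "/*# sourceMappingURL=... */" (CSS).
const SOURCE_MAP_COMMENT = /\/[\/*]#\s*sourceMappingURL=(\S+?)(?:\s*\*\/)?\s*$/gm;

function findSourceMapReferences(bundleText, bundleUrl) {
  const refs = [];
  for (const m of bundleText.matchAll(SOURCE_MAP_COMMENT)) {
    const target = m[1];
    if (target.startsWith('data:')) {
      // Inline map: the original sources travel inside the bundle itself.
      refs.push({ kind: 'inline', url: null });
    } else {
      refs.push({ kind: 'external', url: new URL(target, bundleUrl).toString() });
    }
  }
  return refs;
}

// For each external reference, ask the server whether the map is still served.
async function checkSourceMapsReachable(refs, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const ref of refs) {
    if (ref.kind !== 'external') {
      results.push({ ...ref, exposed: true });
      continue;
    }
    const res = await fetchImpl(ref.url, { method: 'HEAD' });
    results.push({ ...ref, status: res.status, exposed: res.status === 200 });
  }
  return results;
}

// The remediation from the article, in next.config.js form.
const nextConfig = { productionBrowserSourceMaps: false };

// Constructed sample bundle with one of each reference shape.
const SAMPLE_BUNDLE = [
  '(()=>{"use strict";console.log("app")})();',
  '//# sourceMappingURL=main.4f2a.js.map',
  '/*# sourceMappingURL=styles.9c1b.css.map */',
  '//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ==',
].join('\n');
const SAMPLE_BUNDLE_URL = 'https://example.com/_next/static/chunks/main.js';

console.log(findSourceMapReferences(SAMPLE_BUNDLE, SAMPLE_BUNDLE_URL));
```

Absence of the comment is not proof of safety: a `.map` file can still be served if it was uploaded, so scanners also try `bundle.js.map` for each script they find. Inline `data:` maps need no request at all; the sources are already in the bundle.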

5. No rate limiting on API routes

Vibe-coded apps typically have API routes that hit external services (OpenAI, Stripe, databases) with zero rate limiting. An attacker can spam your endpoints, rack up your API bills, or brute-force your authentication. We've seen OpenAI bills hit $500+ overnight from unprotected endpoints.

How to fix: Add rate limiting to every public API route. Use an IP-based rate limiter with reasonable limits (e.g., 10 requests per minute for expensive operations).
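As an added example (not from the article), here is a per-IP fixed-window limiter in the shape of a Next.js `pages/api` handler, using the 10-requests-per-minute figure from the paragraph above. The clock is injectable so the behaviour can be checked without waiting a minute. Two caveats the code comments spell out: `x-forwarded-for` is only trustworthy when a proxy you control sets it, and in-memory state does not survive across serverless instances, so a shared store is needed on those platforms. The request shape and the upstream call are placeholders.

```javascript
// Added example: IP-based fixed-window rate limiting for a public API route.

class FixedWindowRateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;             // injectable clock, for tests
    this.buckets = new Map();   // key -> { windowStart, count }
  }

  // Count one request for `key`; returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: bucket.windowStart + this.windowMs - t };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.limit - bucket.count, retryAfterMs: 0 };
  }

  // Drop expired buckets so the map does not grow with every IP ever seen.
  prune() {
    const t = this.now();
    for (const [key, bucket] of this.buckets) {
      if (t - bucket.windowStart >= this.windowMs) this.buckets.delete(key);
    }
  }
}

// Only trust x-forwarded-for when a proxy you control sets it (hosting
// platforms normally do); a directly reachable server must use the socket
// address, or clients can choose their own bucket.
function clientIp(req) {
  const xff = req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.length > 0) return xff.split(',')[0].trim();
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// In-memory state is per process: fine for one long-lived server, not shared
// between serverless instances, where a Redis-style store is needed instead.
const expensiveLimiter = new FixedWindowRateLimiter({ limit: 10, windowMs: 60_000 });

// Next.js pages/api style handler. The costly upstream call (e.g. the
// OpenAI request from the article's scenario) would go where marked.
async function handler(req, res, limiter = expensiveLimiter) {
  const verdict = limiter.check(clientIp(req));
  res.setHeader('X-RateLimit-Limit', String(limiter.limit));
  res.setHeader('X-RateLimit-Remaining', String(verdict.remaining));
  if (!verdict.allowed) {
    res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
    res.status(429).json({ error: 'Too many requests' });
    return;
  }
  // ... upstream call goes here ...
  res.status(200).json({ ok: true });
}

// Constructed demo: eleven requests from one address within a second.
const demo = new FixedWindowRateLimiter({ limit: 10, windowMs: 60_000 });
for (let i = 0; i < 11; i++) console.log(i + 1, demo.check('203.0.113.5'));
```

Returning 429 with `Retry-After` lets well-behaved clients back off, and the `X-RateLimit-*` headers make the limit visible during development. Authentication endpoints deserve a tighter limit keyed on the account as well as the IP, since a brute-force attempt can come from many addresses.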

Scan your app in 30 seconds

Our free security scanner runs 19 passive checks on any URL — exposed API keys in JS bundles, .env file access, missing headers, source maps, directory listing, and more. It takes 30 seconds, requires no signup, and gives you a security grade (A-F) with specific fix instructions.
