89.5% of vibe-coded apps — Lovable, Bolt, v0, Cursor, Replit — have at least one security risk. Scan your deployed app for an exposed Supabase database, open Firebase rules, and leaked API keys in seconds, completely free.
Your Supabase anon key is public by design — but if RLS is misconfigured, anyone can read your entire database. The #1 leak in AI-built apps, invisible to code scanners.
A service_role key shipped in your bundle bypasses all database security. We catch it before someone else does.
Public read/write on your Firestore or Realtime Database.
Hardcoded API keys and known-vulnerable packages — with the public-by-design noise filtered out.
In independent testing of more than 100 AI models, Veracode found that 45% of AI-generated code shipped with a known security flaw — and the rate didn't improve with newer, larger models. AI coding tools optimize for making the app run, so they scaffold with the permissive defaults that reach a working demo fastest: Row-Level Security off, database rules open, API keys inlined into the frontend. It works on the first try, you ship it, and no engineer reviews the parts a human would have locked down.
The result isn't theoretical. CVE-2025-48757 — a single class of missing-RLS bug — left more than 170 live Lovable apps with databases any anonymous visitor could read, modify, or delete.
Yes — paste your deployed app's URL and get a security grade in seconds, with no signup and no install. We email you the full surface report for free; the deep live-backend probe runs only after you verify you own the domain.
Your public attack surface: an exposed Supabase database (broken Row-Level Security), service_role and other secret keys shipped in your browser bundle, open Firebase / Firestore rules, leaked API keys and .env secrets, missing security headers, insecure cookies, and weak TLS.
Often not by default. Veracode's 2025 testing of more than 100 AI models found 45% of AI-generated code contained a known security flaw — and the rate didn't improve with newer, larger models. AI tools optimize for 'it works,' not 'it's locked down,' so vibe-coded apps routinely ship with an exposed database or secrets in the bundle. That's exactly what this scan catches.
If Row-Level Security is missing or misconfigured, yes. The anon key is public by design and ships in your browser bundle — it's only safe when RLS policies actually restrict what it can read.
The anon key is meant to be public and is safe only when RLS is enforced. The service_role key bypasses RLS entirely and must never reach the browser — if it's in your frontend bundle, anyone can read and write your whole database.
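The following JavaScript is an added example (not this scanner's own code) of the check described above: it finds Supabase keys in a built frontend bundle and flags any whose role claim is service_role. It assumes the keys use Supabase's JWT format (payload with iss "supabase" and a role claim); the bundle text and keys below are constructed.

```javascript
// Added example, not the scanner's own code. It assumes Supabase API keys in
// the JWT format, whose payload carries iss: "supabase" and a "role" claim of
// "anon" or "service_role". A bundle that ships a service_role key hands every
// visitor a credential that bypasses Row-Level Security.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null; // looked like a JWT but the payload is not base64url JSON
  }
}

// Scan bundle text; return one finding per Supabase JWT, with the key itself
// redacted so the report can be stored or shared safely.
function findSupabaseKeys(bundleText) {
  const findings = [];
  for (const token of bundleText.match(JWT_RE) || []) {
    const payload = decodeJwtPayload(token);
    if (!payload || payload.iss !== "supabase" || !payload.role) continue;
    findings.push({
      role: payload.role,
      project: payload.ref,
      severity: payload.role === "service_role" ? "critical" : "info",
      preview: token.slice(0, 12) + "...[redacted]",
    });
  }
  return findings;
}

function hasServiceRoleLeak(bundleText) {
  return findSupabaseKeys(bundleText).some((f) => f.role === "service_role");
}

// Constructed sample: a fake bundle containing an anon key (expected, public by
// design) and a service_role key that should never have left the server.
function fakeKey(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const header = b64({ alg: "HS256", typ: "JWT" });
  const payload = b64({ iss: "supabase", ref: "projectref0", role });
  return `${header}.${payload}.not_a_real_signature`;
}
const SAMPLE_BUNDLE =
  `const supabaseUrl="https://projectref0.supabase.co";` +
  `const client=createClient(supabaseUrl,"${fakeKey("anon")}");` +
  `const admin=createClient(supabaseUrl,"${fakeKey("service_role")}");`;

console.log(findSupabaseKeys(SAMPLE_BUNDLE));
```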
Turning RLS on without a restrictive policy still leaves tables readable, and a permissive 'using (true)' policy exposes everything. Our live probe reads with your anon key exactly as an attacker would, so it catches RLS that's on but not actually protecting you.
A Supabase database left readable because Row-Level Security was never configured. It's the flaw behind CVE-2025-48757, where 170+ live Lovable apps exposed their full databases to anonymous requests. We check for it on every scan.
Broken Object-Level Authorization (also called IDOR) means an endpoint returns another user's record just by changing an ID. AI tools generate CRUD routes without ownership checks all the time, so it's one of the most common flaws in generated backends.
The passive check reads only data your app already serves to every visitor. The active backend probe requires proving you control the domain — we never probe a site you don't own.
Seconds. The public-surface scan grades your app almost immediately; the deeper backend probe runs after you verify the domain.
Yes. We only read what your app already ships to every visitor's browser — no login, and no secrets stored; evidence is redacted at the source. The deep backend probe is read-only and runs only after you prove you own the domain.