Indie Kit
Indie Kit
FeaturesDocsPricingChangelogDemo
Follow on XGet Indie Kit Pro

6 Security Mistakes Almost Every Vibe-Coded App Makes

AI coding assistants ship code that works, not code that is secure. Here are six common security mistakes in vibe-coded apps and how to fix each one before production.

4 min read·Updated Jul 2026

Table of contents

1. API keys in client-side code2. No rate limiting on API routes3. Auth checks that only exist on the frontend4. Stripe webhooks with no signature verification5. Database rows with no row-level security6. Admin routes protected by "nobody knows the URL"Why this keeps happening

Last month I went back through one of my older projects and did a full security pass on it, specifically looking for holes that AI coding assistants tend to leave behind. I found more than I expected.

If you've built an app recently by describing what you want and letting an AI assistant write most of the code, there's a good chance a few of these are sitting in your codebase right now. None of them are hard to fix once you know to look for them. The problem is that AI tools are optimized to generate code that works, not code that's secure, and those are two different bars.

Here's what to check.

1. API keys in client-side code

If your AI assistant dropped a secret key directly into a React component, or into a .env file that never made it into .gitignore, that key is exposed the moment you deploy. Anyone can open dev tools or your public repo and grab it.

Fix: any call that needs a secret key should go through a server-side function, never the client. The browser should never see a key that isn't explicitly meant to be public.

2. No rate limiting on API routes

Rate limiting almost never shows up by default in AI-generated code, because nobody asked for it explicitly. Without it, your API routes are wide open to being spammed, which can run up your AI or infrastructure bill fast, or make brute-forcing logins trivial.

Fix: add basic rate limiting to any public-facing route, especially auth and anything that calls a paid API on the backend.

3. Auth checks that only exist on the frontend

AI assistants are great at hiding a button when you're not logged in. They're much less consistent about verifying the session again on the server. If the check only lives in the UI, anyone can call your API directly and skip the frontend entirely.

Fix: every protected route needs its own server-side session check. Never trust the frontend to be the only gate.

4. Stripe webhooks with no signature verification

If your webhook handler isn't verifying the signature on incoming events, anyone who finds the endpoint can send a fake "payment succeeded" payload and get free access to your product.

Fix: always verify the webhook signature against your Stripe secret before trusting the payload.

5. Database rows with no row-level security

This one shows up constantly with Supabase projects. Without RLS policies in place, a logged-in user can sometimes read another user's data just by changing an ID in the request, no exploit required, just a modified query.

Fix: set up row-level security policies as part of your initial database setup, not as an afterthought once you have real users.

6. Admin routes protected by "nobody knows the URL"

This is more common than it should be. An admin panel with no auth check, just a URL nobody's supposed to guess, is not a security model. It's a matter of time.

Fix: treat admin routes with at least the same auth rigor as customer-facing ones, ideally more.

Indie Kit

Indie Kit

I baked checks for most of these directly into Indie Kit, the Next.js boilerplate I use for every new project, so I stop rediscovering the same six mistakes on every launch.

Get Indie Kit

Why this keeps happening

None of these mistakes are new or unique to AI-assisted development. They're the same issues developers have shipped since long before any of this tooling existed. What's changed is speed: AI tools let you go from idea to a working deploy in hours, which means the manual review step people used to naturally build in gets skipped entirely. The code runs, it looks done, so it ships.

The fix isn't to slow down your build process. It's to have a checklist you run through before anything hits production, regardless of how it got written.

Frequently asked questions

What are the most common security mistakes in vibe-coded apps?

The most common issues are exposed API keys in client code, missing rate limits, frontend-only auth checks, unverified Stripe webhooks, missing Supabase row-level security, and unprotected admin routes.

Why do AI coding tools create insecure code?

AI assistants optimize for working code, not secure architecture. They skip server-side validation, secrets handling, and production hardening unless you ask for those explicitly.

How can I secure a vibe-coded app before launch?

Run a pre-production checklist: move secrets server-side, add rate limiting, verify sessions on every protected API route, validate webhooks, enable RLS, and lock down admin paths with real auth.

Does Indie Kit help with vibe-coded app security?

Yes. Indie Kit is a Next.js boilerplate with auth, payments, and security patterns built in, so you start from a safer foundation instead of fixing the same mistakes on every project.

Indie Kit

Indie Kit

Ship your SaaS in days, not months

Get Indie Kit

Table of contents

1. API keys in client-side code2. No rate limiting on API routes3. Auth checks that only exist on the frontend4. Stripe webhooks with no signature verification5. Database rows with no row-level security6. Admin routes protected by "nobody knows the URL"Why this keeps happening
CJ Singh
@cjsingg

About the author

CJ Singh

Serial entrepreneur and creator of Indie Kit. I write about shipping SaaS with AI and the security patterns that actually matter in production.

Previously built Crove.app, eSahayak.io, and Formula.dog. 200k+ users across my products.

securityvibe-codingaiindiekitstartup
Indie Kit

Indie Kit

Ship your SaaS in days, not months

Auth, payments, and security checks out of the box.

Get Indie Kit

Read next

20 Security Best Practices for Vibe Coding

20 Security Best Practices for Vibe Coding

A practical guide to keeping your applications secure while using AI coding assistants

5 Things to Know Before Starting an App in Bolt.dev

5 Things to Know Before Starting an App in Bolt.dev

Thinking about building your next project with Bolt.dev? Here are 5 crucial things you need to know about SEO, maintainability, and scaling before you start.

5 Things to Know Before Starting an App in Lovable

5 Things to Know Before Starting an App in Lovable

Thinking about building your next project with Lovable? Here are 5 crucial things you need to know about SEO, maintainability, and scaling before you start.

Indie Kit

Indie Kit is a NextJS starter kit for building your own SaaS in hours.

Product

  • Features
  • Pricing
  • Documentation
  • Changelog
  • With Dodo Payments
  • SaaS Launch Bundle

Resources

  • Blog
  • Lovable → Next.js
  • Install Extension
  • Startup Directories
  • Community
  • Contact
  • Affiliates
  • Vibe Coding Best Practices

Legal

  • Extension Privacy
  • Extension Terms
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Refund Policy

Alternative

  • Shipfa.st Alternative
  • Shipped Alternative
  • Makerkit Alternative

Social

  • Twitter

Copyright © 2026 Indie Kit