Blog · 2026-07-03 · 5 min

Vibe-coding security checklist — API keys & Supabase RLS

The security items AI builders miss most, and what to verify before you deploy.

AI builders ship working code fast, but often miss security. Multiple studies of vibe-coded apps found that many were deployed with no authentication at all or with sensitive data exposed. Verify these before you ship.

1. Is Supabase RLS on?

Missing RLS is the biggest slice of vibe-app security incidents. A public anon key on the frontend is normal — but with RLS off, that key alone lets anyone read entire tables, because the anon key is visible to every visitor. Enable RLS and write policies on every table that holds sensitive data.
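The fix in Supabase SQL, as an added example that is not from the original post: a table as a vibe-coded app typically ships it (RLS off), then RLS enabled with per-user policies, plus a pre-deploy query that lists tables still missing RLS. The table and column names (`profiles`, `user_id`) are assumptions.

```sql
-- Added example (not from the original post). Table/column names are assumed.

-- As shipped: RLS is off, so the public anon key can SELECT every row.
create table profiles (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id),
  email text not null,
  plan text not null default 'free'
);

-- Fix step 1: turn RLS on. With RLS enabled and no policies yet, the anon
-- key and signed-in users see zero rows (only the service role bypasses RLS).
alter table profiles enable row level security;

-- Fix step 2: let each signed-in user read only their own row.
create policy "profiles_select_own"
  on profiles for select
  to authenticated
  using (auth.uid() = user_id);

-- Let each signed-in user update only their own row; WITH CHECK stops a user
-- from re-pointing the row at someone else's user_id during the update.
create policy "profiles_update_own"
  on profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Pre-deploy check: any row returned here is a public table still without RLS.
select schemaname, tablename, rowsecurity
from pg_tables
where schemaname = 'public' and rowsecurity = false;
```

Run the final query in the Supabase SQL editor before every deploy; an empty result is what you want.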

2. No API keys in the frontend bundle?

Secret server keys (OpenAI, Anthropic, Stripe) in client JavaScript leak immediately: anyone who loads the page can read the bundle. Handle secrets only server-side; keep only publishable keys on the frontend.

3. No source maps / .env / .git exposed?

Shipping .map, .env, or .git to production reveals your code structure and secrets. Disable source maps in your build and exclude these from the output.

4. Is auth checked on the server?

AI-made code often checks auth only on the frontend — a client that simply claims to be logged in bypasses it. All authorization decisions must happen server-side.

5. Re-check every deploy?

Every AI edit can introduce a new vulnerability. Treat each deploy as a risk event and run an automated check every time.

VibeCheck also checks deploy hygiene — source map exposure, frontend API keys, .env/.git access, missing security headers — and grades it.

How much does your site show?

Check your stack and vibe score from a single URL.

Check a site →