Security for apps built with AI

Ship your app.
Not your secrets.

You built something great with Lovable, Bolt, Cursor or Claude Code. But AI ships fast, and it quietly leaves keys exposed, databases open, and logins missing. Harbova finds those holes and closes them, before someone else does.

No account · no credit card · results in under a minute

harbova — vibe check
$ harbova scan https://my-app.lovable.app
scanning
a real scan takes under a minute

This isn't rare. It's the default.

62%

of AI-generated code ships with at least one security weakness.

OX Security, 2025

28.6M

secrets and API keys were leaked to public GitHub in a single year — and AI-assisted commits leak them about twice as often.

GitGuardian State of Secrets, 2026

170+

AI-built apps were found in one disclosure with databases anyone on the internet could read, because the access rules were never turned on.

CVE-2025-48757 (public research)

The four things that go wrong

Almost every AI-built app fails on the same handful of basics. Here's what we look for, in plain English.

01

Leaked keys & secrets

The API key that could run up a five-figure bill on your account.

  • Keys hard-coded in your front-end code
  • Secrets committed to your Git history
  • Service keys exposed where the browser can read them
02

Open databases

The #1 vibe-coding mistake: a database anyone can read or edit.

  • Supabase tables readable with the public key (RLS off)
  • Firebase rules left in test mode
  • Storage buckets open to the world
03

Missing or broken logins

Pages and actions that should require a login, but don't.

  • Admin routes anyone can reach
  • Users able to see each other's data
  • Password and session weaknesses
04

The front door

The basics that quietly get skipped when AI ships fast.

  • Missing security headers and HTTPS settings
  • Unprotected API endpoints
  • AI-specific risks like prompt injection in your chat features

Whatever you built it with

The security tools built into Lovable or Bolt only check their own platform, and only whether a rule exists, not whether it actually works. Harbova covers every AI coding tool, and a human verifies what the scanners miss.

Lovable

Supabase apps with the RLS holes their own scanner misses

Bolt

Front-end secrets and unauthenticated API routes

Cursor

No built-in security review at all

Claude Code

Fast to ship, easy to leave a key in a commit

Replit

Public by default until you change it

v0

Great UI, unguarded back-end

Windsurf

Same stack, same blind spots

Base44 & others

If AI wrote it, we can check it

Start free. Go as deep as you need.

A free scan tells you what's exposed. When you're ready, a human digs into the code and we fix what we find.

Compare packages

Vibe Check

Free

A free, instant look at what's exposed on your live app.

Run a free scan

Deep Audit

$500

A human-verified review of your whole codebase, not just the surface.

Book a Deep Audit
Most popular

Audit + Fix

from$1900

We find the problems and we fix them, then prove they're closed.

Get Audit + Fix

Continuous Shield

$290/mo

Stay safe as you keep shipping with AI.

Talk about Shield

Find out what you left open.

One minute. Your live URL. A plain-English report of everything a stranger could get to right now.