If you built an app with Lovable, Bolt, Cursor, Claude Code, Replit, or v0 in the last year, this is for you. Not to scare you. To save you the very bad week that a lot of builders are about to have.
I build software with these tools every day. I love them. One person can now ship what used to take a team. But after auditing a pile of AI-built apps, I kept seeing the same handful of problems, on app after app, regardless of which tool built it. So I turned the checks into a scanner. It now runs on any live URL in under a minute, and it almost never comes back empty.
Here is what it keeps finding.
1. The database is wide open
This is the big one. Modern AI tools love Supabase and Firebase, and they are great. But there is one setting, Row Level Security, that decides whether your database is private or whether anyone on the internet can read it. AI ships fast and often leaves it off, or turns it on without a rule that actually blocks anyone.
The result: I can open your app, grab the public key that ships in your front-end (it is meant to be public), and read your entire users table from a browser tab. Names, emails, whatever you stored.
This is not theoretical. A public disclosure in 2025 (CVE-2025-48757) found more than 170 AI-built apps with databases anyone could read, for exactly this reason.
The fix: turn on Row Level Security for every table, and write a policy so each user can only read their own rows. If you use Firebase, get your rules out of test mode.
2. A secret key is sitting in your front-end
AI writes code that works. To make an API call work quickly, it will sometimes drop the API key straight into the front-end, where the browser can read it. Anyone who opens your site can copy it.
If that key is for a paid service, someone can run up a bill on your account. People have woken up to five-figure charges from a key that leaked overnight. GitGuardian found more than 28 million secrets leaked to public GitHub in a single year, and AI-assisted commits leak them about twice as often as human ones.
The fix: never put a secret key in front-end code. Keep it in a server-side environment variable and make the call through a small API route. If a key already leaked, rotate it today.
3. Pages that should need a login, do not
AI builds the admin dashboard. It looks great. But the check that says 'only let admins in' is easy to skip, because the page renders fine without it during development. So /admin sits there, unlinked but reachable, one guess away.
The same thing happens at the data layer: user A can load user B's data just by changing an ID in the URL.
The fix: put the auth check on the server, before the page renders, and make sure every record query is scoped to the person asking.
4. The safety nets are missing
Security headers, HTTPS settings, a content security policy. None of these cause a breach on their own. They are the seatbelts. AI tends to skip them because the app works without them, and they quietly turn one small bug into a big one.
The fix: add a short set of response headers. It is a ten-minute job with an outsized payoff.
Why the built-in scanners are not enough
Lovable and Bolt have started adding their own security checks, which is great and tells you the problem is real. But two things:
They only check their own platform. If you built with Cursor, Claude Code, Replit, or v0, you are on your own.
And they mostly check whether a rule exists, not whether it actually works. A database can have Row Level Security on and still hand out every row if the policy is wrong. The only way to know is to actually test it, the way an attacker would.
What to do about it
If you have a live app with real users, do this today:
- Scan it. Paste your URL into a scanner and see what is exposed from the outside. If it finds an open database or a leaked key, treat it as urgent.
- Fix the criticals first. Open database and leaked keys are the ones that hurt. The rest can wait a week.
- Get a real look at the code before you scale or take on a client who cares about security. A scanner sees the outside. The auth logic and the business logic are on the inside.
The point is not to be scared of these tools. It is to enjoy them without the bad week. A ten-minute scan and one afternoon of fixes is a lot cheaper than a leak.
Run the free scan on your app. It takes under a minute, no account needed. You will probably be surprised.
Scan my app free