Skip to content
New New - every finding now ships with a copy-paste fix prompt for Cursor & Claude. See how

Blog

Latest insights.

Security research, vulnerability guides and best practices for developers who ship fast with AI builders and want to stay secure.

securityJun 10, 20267 min read

Supabase RLS: the default that leaks your whole database

Row-Level Security is off until you turn it on — and AI builders rarely do. Here is exactly how an attacker reads every row with nothing but your public anon key, and how to shut it.

vulnerabilitiesJun 8, 20265 min read

Your VITE_ keys are public: secrets in the browser bundle

Anything prefixed VITE_, NEXT_PUBLIC_ or REACT_APP_ ships to every visitor. AI builders routinely put service-role keys and provider secrets there. Here is how to tell what you leaked.

vibe-codingJun 5, 20268 min read

The 5 security flaws every vibe-coded app ships with

AI builders are fast and produce the same handful of mistakes because the underlying patterns are predictable. These are the five we find on almost every scan — and the quick fix for each.

aeoJun 12, 20266 min read

AEO for vibe-coded apps: getting AI engines to actually cite you

Client-only SPAs are nearly invisible to ChatGPT, Claude and Perplexity. Answer Engine Optimization is making your vibe-coded site crawlable, parseable and citable. Here is what matters.

securityJun 11, 20266 min read

Security headers: the five-minute hardening AI builders skip

CSP, HSTS, X-Frame-Options — a handful of response headers that turn a contained bug into a non-event. AI builders almost never set them. Here is what each one stops and how to add them.

securityJun 9, 20266 min read

Firebase in test mode: the rules that leave your data wide open

Firestore and the Realtime Database ship with a "test mode" that allows anyone to read and write everything. AI builders enable it to get moving and rarely lock it back down. Here is how to tell, and how to fix it.

vulnerabilitiesJun 7, 20265 min read

Login forms that leak passwords: HTTP and cross-origin posts

A password field is only as safe as where it sends the password. AI builders sometimes wire forms to submit over plain HTTP or to a third-party origin — handing credentials to anyone on the network. Here is how to spot it.

vulnerabilitiesJun 6, 20265 min read

Subresource Integrity: closing the CDN supply-chain gap

Every third-party script you load from a CDN runs with full access to your page. If that CDN is compromised, so are you — unless you pinned an integrity hash. Most vibe-coded apps did not.

securityJun 4, 20267 min read

Your API is not as gated as your UI

A login screen protects what the page renders, not what the endpoints return. AI builders gate the UI and leave the API open underneath. Here are the four ways that goes wrong — and how to test for each.