The 5 security flaws every vibe-coded app ships with
AI builders are fast, and they make the same handful of mistakes because the scaffolding they generate is predictable. These are the five we find on almost every scan, with the quick fix for each.
After scanning hundreds of apps built with Lovable, Bolt, v0, Cursor and Replit, the findings cluster hard: the same predictable scaffolding produces the same predictable holes. Here are the five we see most, in rough order of how often they turn out to be critical.
1. Open database access (Supabase RLS / Firestore rules)
The headline issue: a public anon key in front of a database with no row-level security policies, or Firestore rules left in test mode (allow read, write: if true). Anyone who copies the key out of the browser's network tab can read, and often write, every table. The anon key is meant to be public; the hole is what sits behind it. The fix is to enable RLS on every table and write policies that compare the row's owner column to auth.uid(), and in Firestore to replace the test-mode rule with checks on request.auth.uid.
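The check we run for this finding, as an added example rather than the scanner's own code: hit the Supabase REST endpoint with nothing but the public anon key, and a Firestore collection with no credentials at all, then classify the answer. It assumes Node 18 or later for the global fetch; the project URL, anon key, project id and table and collection names are placeholders.

```javascript
// Added example, not the scanner's own code: probe a Supabase table with the
// project's public anon key, and a Firestore collection with no credentials,
// and classify what comes back. Assumes Node 18+ (global fetch). The project
// URL, anon key, project id and table/collection names are placeholders.

// PostgREST behaviour the classification relies on: with RLS enabled and no
// policy granting the anon role SELECT, the query succeeds but returns [] (rows
// are filtered, not refused); with RLS disabled the rows come back; a table the
// anon role has no GRANT on answers 401/403; an unknown table answers 404.
function classifySupabase(status, body) {
  if (status === 404) return 'not-found';
  if (status === 401 || status === 403) return 'denied';
  if (status === 200 && Array.isArray(body)) {
    return body.length > 0 ? 'OPEN' : 'empty-or-rls-filtered';
  }
  return `unexpected-${status}`;
}

// Firestore REST "list documents": rules that deny the read answer 403 with an
// error object; open rules answer 200 with {documents:[...]} or {} when the
// collection is empty, so an empty 200 is inconclusive, not a pass.
function classifyFirestore(status, body) {
  if (status === 403) return 'denied';
  if (status === 404) return 'not-found';
  if (status === 200) {
    const docs = body && Array.isArray(body.documents) ? body.documents : [];
    return docs.length > 0 ? 'OPEN' : 'empty-or-inconclusive';
  }
  return `unexpected-${status}`;
}

async function probeSupabaseTable(projectUrl, anonKey, table, fetchImpl = fetch) {
  // Same request the generated frontend makes: anon key as both apikey and bearer.
  const url = `${projectUrl}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`;
  const res = await fetchImpl(url, {
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  });
  const body = await res.json().catch(() => null);
  return { target: `supabase:${table}`, status: res.status, verdict: classifySupabase(res.status, body) };
}

async function probeFirestoreCollection(projectId, collection, fetchImpl = fetch) {
  // No Authorization header at all: this is exactly what "allow read: if true" permits.
  const url = `https://firestore.googleapis.com/v1/projects/${projectId}` +
    `/databases/(default)/documents/${encodeURIComponent(collection)}?pageSize=1`;
  const res = await fetchImpl(url);
  const body = await res.json().catch(() => null);
  return { target: `firestore:${collection}`, status: res.status, verdict: classifyFirestore(res.status, body) };
}

// Run against real targets only with permission to test them. fetchImpl is
// injectable so the logic can be exercised offline with a fake fetch.
async function scanOpenData({ projectUrl, anonKey, tables = [], firebaseProjectId, collections = [] }, fetchImpl = fetch) {
  const results = [];
  for (const t of tables) results.push(await probeSupabaseTable(projectUrl, anonKey, t, fetchImpl));
  for (const c of collections) results.push(await probeFirestoreCollection(firebaseProjectId, c, fetchImpl));
  return results;
}
```

Call scanOpenData with the project URL and anon key lifted from the bundle and the table names you can see in the app's network requests. Only a 200 with rows is a confirmed finding; an empty 200 from Supabase may be RLS doing its job, so report it as inconclusive rather than as a pass or a failure. The example reads only; a write probe would modify someone's data and belongs behind explicit authorisation.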
2. Secrets in the browser bundle
Service-role keys and provider secrets prefixed VITE_ / NEXT_PUBLIC_ and compiled into the client JavaScript. Those prefixes mean "ship this to the browser", so the key is public by construction and minification hides nothing. Rotate the key, then move every call that needs it into a server route or edge function that reads the secret from a plain environment variable. The only key that belongs in the bundle is the anon (public) key.
3. Missing security headers
No Content-Security-Policy, no HSTS, no X-Frame-Options. Individually low severity; collectively the difference between a contained bug and a full account takeover, because without a CSP a single injected script runs with the user's session, and without frame protection the app can be framed for clickjacking. Set them once at the framework or host level (the headers() function in next.config.js, or your host's header configuration) rather than page by page.
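The grading logic for this finding, as an added example that is not the scanner's own code. checkSecurityHeaders takes a plain object of header name to value (what Object.fromEntries(res.headers) gives you from a fetch response) and returns a list of findings. It goes slightly beyond the three headers named above by also checking X-Content-Type-Options, and it treats a CSP frame-ancestors directive as an acceptable replacement for X-Frame-Options. WEAK_HEADERS and HARDENED_HEADERS are constructed samples.

```javascript
// Added example, not the scanner's own code: grade a response's security headers.
// Input: plain object of header name -> value. Output: array of findings.
// WEAK_HEADERS and HARDENED_HEADERS are constructed samples.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',                // set, but far too short
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const csp = h['content-security-policy'];
  const directives = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push({ header: 'Content-Security-Policy', issue: 'missing: any injected script runs unrestricted' });
  } else {
    const script = directives['script-src'] || directives['default-src'] || [];
    const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so flag it only on its own.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push({ header: 'Content-Security-Policy', issue: "script-src allows 'unsafe-inline': the CSP does not stop XSS" });
    if (script.some((s) => s === '*' || s === 'https:' || s === 'http:'))
      findings.push({ header: 'Content-Security-Policy', issue: 'script-src allows scripts from any origin' });
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? Number((hsts.match(/max-age=(\d+)/i) || [])[1]) : NaN;
  if (!hsts) findings.push({ header: 'Strict-Transport-Security', issue: 'missing: first request can be downgraded to HTTP' });
  else if (!(maxAge >= 31536000)) findings.push({ header: 'Strict-Transport-Security', issue: `max-age below one year: ${hsts}` });

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!directives['frame-ancestors'] && !['DENY', 'SAMEORIGIN'].includes(xfo))
    findings.push({ header: 'X-Frame-Options', issue: 'missing (and no CSP frame-ancestors): page can be framed for clickjacking' });

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push({ header: 'X-Content-Type-Options', issue: 'missing nosniff: browsers may sniff uploads into scripts' });

  return findings;
}
```

HARDENED_HEADERS is also the set worth pasting into your framework's header config; the nonce value is a placeholder and must be generated per response.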
4. Exposed source maps and debug routes
Production builds shipping .map files (your original source, comments and all) next to the minified bundle, plus leftover /debug, /admin or /api/test endpoints the builder scaffolded and never removed. Turn production source maps off in the bundler (or upload them only to your error tracker and keep them off the public host), and delete the scaffold routes rather than just hiding them from the navigation.
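Both halves of this finding as an added example, not the scanner's code: findSourceMaps pulls the sourceMappingURL comment out of a bundle and resolves it against the bundle's URL, probeSourceMaps fetches the map and confirms it really is one, and probeLeftoverRoutes requests the scaffold paths anonymously. The last check establishes a baseline first, because single-page apps often answer 200 with the app shell for any path, and a scanner that does not account for that reports /admin on every SPA. It assumes Node 18 or later for the global fetch; SAMPLE_BUNDLE, the URLs and the path list are constructed.

```javascript
// Added example, not the scanner's own code. Assumes Node 18+ (global fetch).
// SAMPLE_BUNDLE, the URLs and LEFTOVER_PATHS are constructed for illustration.

const SAMPLE_BUNDLE =
  '(()=>{document.body.textContent="hi"})();\n' +
  '//# sourceMappingURL=index-Ck3f9x.js.map\n';

// Matches the trailing comment bundlers emit: //# sourceMappingURL=... or /*# sourceMappingURL=... */
const SOURCEMAP_RE = /\/[/*][#@]\s*sourceMappingURL=([^\s*]+)/g;

function findSourceMaps(bundleText, bundleUrl) {
  const maps = [];
  for (const m of bundleText.matchAll(SOURCEMAP_RE)) {
    const ref = m[1];
    if (ref.startsWith('data:')) {
      maps.push({ ref: 'data:...', inline: true, url: null }); // sources embedded in the bundle itself
    } else {
      maps.push({ ref, inline: false, url: new URL(ref, bundleUrl).href });
    }
  }
  return maps;
}

async function probeSourceMaps(maps, fetchImpl = fetch) {
  const exposed = [];
  for (const m of maps) {
    if (m.inline) { exposed.push({ url: '(inline)', reason: 'source embedded in bundle' }); continue; }
    const res = await fetchImpl(m.url);
    if (res.status !== 200) continue;
    const body = await res.json().catch(() => null);
    // A real source map lists "sources"; "sourcesContent" carries the original files verbatim.
    if (body && Array.isArray(body.sources)) {
      const full = Array.isArray(body.sourcesContent) ? ' with full contents' : '';
      exposed.push({ url: m.url, reason: `${body.sources.length} source files${full}` });
    }
  }
  return exposed;
}

const LEFTOVER_PATHS = ['/debug', '/admin', '/api/test']; // the ones named above; extend per framework

async function probeLeftoverRoutes(baseUrl, paths = LEFTOVER_PATHS, fetchImpl = fetch) {
  // Baseline: a path that cannot exist. If it answers 200, the app serves its
  // shell for everything and a 200 on /admin proves nothing by itself.
  const baseline = await fetchImpl(new URL(`/__nope__${Date.now()}`, baseUrl).href, { redirect: 'manual' });
  const baselineLen = (await baseline.text()).length;
  const hits = [];
  for (const p of paths) {
    const res = await fetchImpl(new URL(p, baseUrl).href, { redirect: 'manual' });
    if (res.status !== 200) continue;
    const text = await res.text();
    if (baseline.status === 200 && text.length === baselineLen) continue; // app shell, not a real route
    hits.push({ path: p, contentType: res.headers.get('content-type') || '', bytes: text.length });
  }
  return hits;
}
```

Feed findSourceMaps the text of each script tag's src and the URL you fetched it from; map URLs are frequently relative. A route that differs from the baseline still needs a human look before it is called a finding, since a custom 200 "not found" page will also differ from the shell.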
5. Weak or missing auth on API routes
Endpoints that trust a client-supplied user id, JWTs signed with a default or hard-coded secret, or the Next.js middleware bypass (CVE-2025-29927). The UI looks gated; the API is not, and anyone who reads the network tab can call it directly. Derive the user from the verified session or token on the server and ignore any id the client sends, sign JWTs with a long random secret loaded from the environment, and keep Next.js on a patched release; treat middleware as a convenience, never as the only auth check.
None of these require deep security expertise to fix; they require knowing they are there. That is the whole point of a scan: turn "I think it is fine" into a list with a fix prompt next to each item.
See what your app left exposed.
One free scan, sixty seconds, no credit card — every finding with a copy-paste fix.
Scan my site — free