Skip to content
New New - every finding now ships with a copy-paste fix prompt for Cursor & Claude. See how
All posts
securityJun 4, 20267 min read

Your API is not as gated as your UI

A login screen protects what the page renders, not what the endpoints return. AI builders gate the UI and leave the API open underneath. Here are the four ways that goes wrong — and how to test for each.

The most expensive misunderstanding in vibe-coded apps is treating the UI as the security boundary. A model adds a login page, hides the dashboard behind it, and the app feels protected. But every button on that dashboard calls an API, and those endpoints are reachable directly — with curl, with the network tab, with a script — regardless of whether your React app ever rendered a login screen.

Authorization has to live on the server, on every request. When it does not, you get one of four recurring holes.

1. Trusting a client-supplied identity (IDOR)

The endpoint reads a user id or record id from the request and returns whatever matches — without checking that the caller owns it. Change /api/orders/123 to /api/orders/124 and you read someone else's order. The fix is to derive identity from the verified session, never from a parameter the client controls, and to scope every query to that identity.

2. Tokens you can forge

JWTs signed with a default or weak secret ("secret", "changeme", a value copied from a tutorial) can be re-signed by anyone who guesses it, minting a valid session for any user or role. Use a long random secret from your environment, verify the algorithm, and reject the "none" algorithm outright.

3. Framework bypasses

Auth that lives in a layer with a known escape hatch — like the Next.js middleware bypass (CVE-2025-29927), where a crafted header skips middleware entirely — protects nothing. Keep frameworks patched, and do not rely on middleware as your only gate; enforce authorization in the handler too.

4. CORS that hands the API to any origin

A permissive CORS policy — reflecting any Origin, or a wildcard combined with credentials — lets a malicious site call your authenticated API from a victim's browser. Allow only the origins you actually serve, and never pair Access-Control-Allow-Credentials with a wildcard origin.

How to test

  • Log in, copy a request from the network tab, then replay it with curl after removing the session — does it still return data?
  • Increment or swap ids in resource URLs and watch for objects that are not yours.
  • Decode your JWT (jwt.io) and check the algorithm and whether the secret is guessable.
  • Send an Origin: https://evil.example header and see what Access-Control-Allow-Origin comes back.

VibeSafely probes for IDOR-style access, weak JWT secrets, the Next.js middleware bypass and CORS misconfiguration directly against your endpoints — because the only way to know your API is gated is to call it the way an attacker would.

See what your app left exposed.

One free scan, sixty seconds, no credit card — every finding with a copy-paste fix.

Scan my site — free