AI Security

How to Scan Your Vibe Coded App for Security Issues

AI tools like Cursor, Bolt, Lovable, and v0 build apps that work and often look great. The problem is they almost never apply security protections. This guide shows you what is missing, how to scan your deployed app in under 30 seconds, and how to fix the most common issues before going live.

SiteSecurityScore Team·12 min read·Updated Apr 30, 2026
Developer coding an application with AI assistance on a laptop

Something fundamental has changed about how software gets built. Millions of people are now shipping real, production apps by describing what they want in plain language to AI tools. You type "build me a SaaS app with user authentication, a dashboard, and Stripe payments" and Cursor, Bolt, Lovable, v0, or Replit writes the code. The app runs. Users sign up. Money changes hands.

This is not a niche trend. The volume of software being built this way is enormous, and it is growing. Many of these apps are genuinely useful products that real people rely on. The problem is not that the code does not work. The problem is what the code does not include.

AI coding tools are trained to produce software that runs correctly. They are not trained to produce software that is secure. The gap between those two things is real, it is consistent across every major AI coding platform, and it creates serious risk for anyone shipping a vibe-coded app to real users. This guide walks you through exactly what is missing, how to detect it, and how to close the gap before you launch.

The vibe coding security gap#

Vibe coding, building software by describing features to AI tools in plain language, changes what kind of work is done by the developer versus the AI. The AI handles writing code. The developer handles deciding what to build. This works remarkably well for functionality. It works poorly for security, not because the AI cannot write secure code, but because security is not part of "making it work."

When you ask an AI to build a web app, it sets up routes, connects to a database, renders a UI, and makes API calls. That sequence covers everything needed to produce a functional product. Security measures sit outside that loop. They require knowing what headers the server should send, what DNS records the domain should have, and what flags cookies should carry. None of those things affect whether the app runs, so AI tools rarely touch them.

There are also structural reasons why specific vulnerabilities appear so consistently. Hardcoded secrets feel convenient at development time. CORS gets opened wide so API calls work during local development and the restriction is never tightened before launch. Environment files are created but not blocked from public access because blocking them requires server configuration knowledge that is outside the scope of "make the feature work."

What AI tools give you

  • Working routes and endpoints
  • Rendering UI components
  • Database queries and mutations
  • API calls to external services
  • User authentication flow
  • Environment variable files (created, not secured)

What security requires

  • Content Security Policy headers
  • HSTS enforcement on all responses
  • CORS restrictions locked to your domain
  • Environment variable access blocked at server level
  • Secure and HttpOnly flags on cookies
  • DMARC record for email spoofing protection

This is not a criticism of AI coding tools. They are doing exactly what they are designed to do. The gap is structural, and it exists for every app built this way. The fix is straightforward once you know what to look for.

Common security issues in AI-generated apps#

These seven issues appear in the vast majority of vibe-coded apps. They range from critical vulnerabilities that expose your secrets to lower-priority gaps that are easy to close once you know they exist.

1

Exposed environment files

HIGH

AI tools create .env files for configuration, but they do not configure the server to block public access to them. Anyone who visits /.env or /.env.local on your deployed app gets your API keys, database connection strings, and secrets in plain text. This is one of the most common and most serious findings in AI-generated apps.

2

API keys in JavaScript bundles

HIGH

Firebase, Stripe, OpenAI, and similar service keys embedded directly in client-side JavaScript are visible to anyone who opens browser DevTools. AI tools add them inline because it makes the code work immediately. In production, these keys should live in server-side environment variables, never in the browser bundle.

3

No Content Security Policy

HIGH

A Content Security Policy (CSP) is a security header that tells browsers which sources of scripts, styles, and images are allowed to load on your page. Without one, injected scripts from ads, browser extensions, or cross-site scripting attacks run freely with access to everything on the page. CSP is almost never present in AI-generated apps because it requires understanding what the app loads and from where.

4

Wildcard CORS

MEDIUM

AI tools set Access-Control-Allow-Origin: * on API servers to prevent development errors. This means any website on the internet can make authenticated-looking API requests to your server. During local development this is harmless. In production, it means a malicious site can call your API endpoints on behalf of your logged-in users.

5

Missing HSTS

MEDIUM

HSTS (HTTP Strict Transport Security) is a header that forces browsers to always use HTTPS for your domain, even if the user types your address without the https:// prefix. Without it, a browser may connect over plain HTTP on the first visit, giving an attacker a window to intercept the connection before the HTTPS redirect kicks in. AI tools almost never set this header.

6

Insecure cookies

MEDIUM

Session tokens and authentication cookies in AI-generated apps frequently lack two critical flags. The HttpOnly flag prevents JavaScript from reading the cookie, which blocks cookie theft via XSS. The Secure flag prevents the cookie from being sent over unencrypted HTTP connections. AI tools generate cookie-setting code correctly but rarely add these flags.

7

No DMARC record

LOW

Without a DMARC record in your DNS, anyone can send email claiming to be from your domain. This is particularly relevant if your app sends transactional email, welcome messages, or password resets. Recipients may receive phishing emails that appear to come from your brand. A basic DMARC policy takes about five minutes to set up and is easy to fix.

Scan your app in 30 seconds#

To run a scan, you need a deployed URL. The scanner tests live HTTP responses, so localhost does not work. Your Vercel, Netlify, Railway, or Fly.io URL is exactly what you need. Even a preview deployment URL works fine.

Go to the vibe code security scanner, enter your URL, and hit scan. The scanner fetches your site's HTTP headers, analyzes any Content Security Policy directives, checks your TLS certificate and HTTPS enforcement, looks for DNS email security records, and attempts to access commonly exposed files like .env. The full analysis runs in under 30 seconds.

What the scanner checks

  • HTTP security headers (CSP, HSTS, X-Frame-Options, Permissions-Policy, and more)
  • Content Security Policy directives and their coverage
  • TLS certificate validity and HTTPS configuration
  • DNS email security records (SPF, DMARC, CAA)
  • Cookie security flags on session and authentication cookies
  • Information disclosure headers that reveal server internals
  • Publicly accessible .env and configuration files

Free scan, no account required

The scan is completely free and takes under 30 seconds. No account, no signup, no credit card. Enter your URL and get results immediately.

Reading your scan results#

Results open with an overall letter grade from A+ to F. The grade gives you a quick read on where your app stands, but the section-by-section breakdown is where the useful information lives.

An A or A+ means all critical security measures are in place. A B grade means minor gaps exist but the risk is low. A C grade means significant issues need attention before the app handles sensitive data. A D or F means critical vulnerabilities are present and the app is not safe for production use with real users.

Most freshly vibe-coded apps land in the D to F range. That is not unusual or alarming. It just means the security layer has not been added yet.

The results are organized into sections: security headers, CSP analysis, TLS and HTTPS, DNS, cookies, and exposed files. Each finding includes a specific fix instruction. These instructions are written to be copy-pasted directly into your codebase or pasted to your AI tool. You do not need to research what the fix should be.

Example scan output (truncated)
$ Scanning https://myapp.vercel.app...

Overall Grade: D

Security Headers
  ✗ Content-Security-Policy     MISSING
  ✗ Strict-Transport-Security   MISSING
  ✓ X-Content-Type-Options      nosniff
  ✗ X-Frame-Options             MISSING
  ✗ Permissions-Policy          MISSING

CSP Analysis
  No Content-Security-Policy header detected.
  Inline scripts and third-party resources are unrestricted.

TLS / HTTPS
  ✓ Valid certificate (expires 2026-09-14)
  ✗ HSTS not enforced on first visit

DNS / Email Security
  ✗ No DMARC record found
  ✓ SPF record present

Exposed Files
  ✗ /.env returned HTTP 200 — file is publicly accessible

Cookies
  ! Session cookie missing HttpOnly flag
  ! Session cookie missing Secure flag

The output above is a realistic example of what a newly deployed vibe-coded app looks like before any security work. Every item marked with a cross is a specific, fixable problem. The items marked with a checkmark are already in place and do not need attention.

Fixing issues using Claude Code or Cursor with MCP#

If you built your app with Claude Code or Cursor, you can connect the SiteSecurityScore MCP connector directly to your editor. MCP (Model Context Protocol) is a standard that lets AI tools call external tools and APIs directly from within a conversation, without leaving the editor or copying results back and forth.

With the connector configured, you can ask your AI to scan your site and fix issues in a single conversation. The AI calls the scanner, reads the results, and then writes the code to address each finding in your actual project files.

~/.claude/settings.json (Claude Code) or ~/.cursor/mcp.json (Cursor)
{
  "sitesecurityscore": {
    "type": "http",
    "url": "https://www.sitesecurityscore.com/mcp",
    "headers": {
      "Authorization": "Bearer YOUR_API_KEY"
    }
  }
}

Replace YOUR_API_KEY with an API key from your SiteSecurityScore account. Once the config is saved, your AI tool can call the scanner as a native tool.

A typical conversation looks like this: you ask "scan https://myapp.vercel.app for security issues and fix what you find." The AI runs the scan, reports back a summary of the findings, and then writes the code. For a Next.js app, it adds the security headers to next.config.js. For an Express server, it adds the appropriate middleware. For cookie issues, it finds the cookie-setting code and adds the missing flags. All in one conversation, without you needing to interpret the results or look up what each fix should be.

For the complete setup guide for Claude Code, see How to Add a Security Scanner to Claude Code with MCP. If you use ChatGPT Codex, the process is covered in How to Add a Security Scanner to ChatGPT Codex with MCP. You can also learn more about the connector at the MCP Connector product page.

Pre-launch security checklist#

Before you share your URL publicly, go through each of these checks. You do not need to complete all of them in one session, but the HIGH severity items should be resolved before the app handles real user data.

1

Run a full scan on your deployed URL at SiteSecurityScore.

2

Fix any HIGH severity findings before you share the URL publicly.

3

Confirm .env files return 404 by visiting /.env in your browser. If you see your config, block the file immediately.

4

Verify your API keys are not visible in page source. Right-click the page, choose View Page Source, and search for key names like "sk-", "pk_live", or "AIza".

5

Check that HTTPS is enforced and that visiting your app over plain HTTP redirects to HTTPS.

6

Confirm authentication cookies have the HttpOnly and Secure flags if your app uses sessions or JWT cookies.

7

Set up a DMARC record if your app sends email from your custom domain.

8

Re-scan after fixing to confirm all issues are resolved before launch.

Going through this list once before launch takes about 30 minutes. The scan itself is under 30 seconds. The fixes, especially with an AI tool doing the implementation, are usually fast. Most vibe-coded apps can go from a D grade to a B grade in a single focused session.

Frequently asked questions#

References

OWASP Top 10 Web Application Security Risks(OWASP)Content Security Policy Level 3(W3C)
Was this helpful?
Share

Continue reading

How to Add a Security Scanner to Claude Code with MCP

Connect SiteSecurityScore to Claude Code via MCP and scan sites without leaving your editor.

How to Add a Security Scanner to ChatGPT Codex with MCP

Set up the MCP connector in ChatGPT Codex and get security fixes inline as you code.

Website Security Best Practices

A comprehensive guide to the security measures every production website should have in place.

Scan your vibe coded app now

Free security analysis. No account required. Results in under 30 seconds.

Scan Your AppGet the MCP Connector