Everyone's shipping apps with AI now. Nobody's checking if they're secure. We checked.
In the last six months, a new wave of apps has flooded the internet. Built with Lovable, Bolt, Cursor, and ChatGPT. Shipped in days instead of months. Deployed to Vercel and Netlify with a single click.
They call it "vibe coding" — and it's producing apps at a pace the internet has never seen.
We wanted to know: are these apps secure?
So we scanned 274 of them. Production apps, live on the internet, built by indie makers and AI-assisted developers. We checked for exposed secrets, missing security headers, leaked source code, open databases, and dozens of other common vulnerabilities.
The results were sobering.
Out of 274 apps we successfully scanned, the average security score was 78 out of 130 — a solid C. Not failing. Not great. Just... unprotected in ways that matter.
| Grade | Count | Percentage | What It Means |
|---|---|---|---|
| A | 1 | 0.4% | Properly secured |
| B | 53 | 19.3% | Good, a few gaps |
| C | 155 | 56.6% | Missing important protections |
| D | 47 | 17.2% | Seriously exposed |
| F | 18 | 6.6% | Wide open |
One app out of 274 got an A. One. And zero got an A+.
Here's the thing nobody tells you about deploying to Vercel, Netlify, or Cloudflare: they handle the basics brilliantly — and nothing else.
94% of vibe-coded apps have no Content Security Policy. That means if an attacker finds any way to inject a script — a compromised CDN, a malicious ad, an XSS bug — the browser will happily execute it. No questions asked.
The gap between "what the platform gives you" and "what security actually requires" is massive. And almost nobody is crossing it.
This is the one that should make you sweat.
Out of 274 apps, 17 had actual API keys or secrets baked into their client-side JavaScript bundles. Not public keys (like Stripe publishable keys, which are designed to be public). Real secrets. The kind that lets someone make API calls as you, access your backend services, or rack up charges on your account.
These aren't obscure secrets hidden in minified code. Our scanner found them automatically by scanning the JavaScript files that every visitor downloads. If our scanner can find them, so can anyone else.
How this happens: When you build with AI coding tools, it's easy to paste a secret into your code and forget it's there. The AI doesn't warn you. The framework doesn't stop you. And once it's in a JavaScript bundle, it's public forever — even after you remove it from your source code, anyone who cached the old bundle still has it.
Move secrets to environment variables. Access them server-side only. Never import them in files that get bundled for the browser. This takes about 5 minutes.
Source maps are files that let you debug your code during development. They contain your original, readable source code — variable names, comments, file structure, everything.
16 apps (5.8%) shipped source maps to production. That means anyone can download their full source code, study how the app works, read internal comments, and find the exact weak points to attack.
The fix is one line in your build config:
// Next.js — next.config.js
productionBrowserSourceMaps: false
// Vite — vite.config.js
build: { sourcemap: false }That's it. One boolean. But 1 in 17 apps hasn't set it.
Here's a security irony: robots.txt — the file that tells search engines what not to index — is also a roadmap for attackers.
48 apps (17.5%) had robots.txt files that listed paths we could actually access. "Hey Google, please don't look at our /admin panel, our /api/internal endpoints, or our /staging environment." When we checked those paths? They were wide open.
robots.txt is not a security mechanism. It's a polite request. Hackers don't follow polite requests.
If you have sensitive paths, protect them with authentication — don't just ask Google not to look.
Security headers are instructions your server sends to the browser: "Don't run unauthorized scripts." "Don't embed this page in someone else's site." "Only connect over HTTPS."
They're the simplest, most effective security improvement you can make. And almost nobody does.
| Header | Missing | What You Lose |
|---|---|---|
| Permissions-Policy | 97.4% | Camera, mic, and geolocation unrestricted by default |
| Content Security Policy | 93.8% | No XSS protection. Any injected script runs freely. |
| X-Frame-Options | 90.5% | Your page can be embedded in a fake site (clickjacking) |
| Referrer-Policy | 55.5% | Full URLs leak to external sites when users click links |
| X-Content-Type-Options | 52.6% | Browsers may execute files as code when they shouldn't |
| HSTS | 23.0% | Users can be downgraded from HTTPS to HTTP |
97.4% of vibe-coded apps don't set a Permissions-Policy. That means any third-party script loaded on the page could theoretically access the user's camera or microphone — unless the user has blocked it in their browser settings.
Adding all of these headers takes about 10 minutes. For Vercel, it's a vercel.json file. For Netlify, it's a _headers file. Copy, paste, deploy.
Out of 274 apps, exactly one earned an A: a Nuxt.js app on Cloudflare that scored 113 out of 130.
What did it do differently?
| Check | Status |
|---|---|
| Every cookie marked secure and HttpOnly | Passed |
| TLS 1.3 with no legacy protocol support | Passed |
| No information leakage headers | Passed |
| SPF and DMARC configured for email | Passed |
| Clean Safe Browsing record | Passed |
| No exposed source maps, secrets, or files | Passed |
| COEP / Cross-origin isolation | Missing |
| SRI on external scripts | Missing |
| DNSSEC | Missing |
The gap between this app and the average isn't talent or budget. It's awareness. Someone on the team knew what to check. That's it.
We also mapped what these 274 apps are built on:
Cloudflare dominates. Nearly half of all vibe-coded apps are behind Cloudflare's CDN. Vercel is second, with Next.js as the most common framework.
This is good news for baseline security — Cloudflare and Vercel handle TLS, DDoS protection, and cookie security well. But it also means the missing security headers problem could be fixed at the platform level. If Vercel shipped a default Content-Security-Policy header, the 94% number would drop overnight.
If you've vibe-coded an app and deployed it, there's a good chance you're sitting in that C-grade majority. The platform gave you the basics. The AI wrote the code. But nobody checked the security headers, nobody scanned for secrets in the bundle, and nobody set up a Content Security Policy.
The good news: every issue we found takes less than 30 minutes to fix. Most take less than 5.
The bad news: if you don't fix them, anyone can find them. We built an automated scanner and ran it against 274 apps in 8 minutes. It's not hard. And we're not the only ones scanning.
Enter your URL. Get your grade in 30 seconds.
Every issue explained in plain English with copy-paste fixes.
We compiled a list of 328 production apps from directories that showcase AI-built and vibe-coded projects: madewithlovable.com, madewithbolt.com, builtusingcursor.com, vibejam entries, and several curated lists. Of these, 274 were reachable and successfully scanned.
Every check is read-only. We never attempted to log in, write data, or exploit any vulnerability. We checked publicly accessible HTTP headers, JavaScript bundles, common file paths, and DNS records — all things visible to any visitor.
Our scanner runs 65+ individual checks including: security header analysis, JavaScript secret scanning (45 regex patterns with false-positive filtering), exposed file detection, source map discovery, CMS-specific probes, TLS configuration, DNS security records, CORS policy testing, and Safe Browsing status.
No site names are associated with specific vulnerabilities in this report. All statistics are presented in aggregate.
Previously: We Scanned 81 Websites. Only 2 Passed. — our first study, including major sites like CNN, NYTimes, Wix, and Twitter.