298 Issues Found in Vibe-Coded Apps
Every security vulnerability, SEO gap, GEO problem, and performance issue we detect in Lovable, Cursor, Bolt.new, v0, and Replit apps — each with a step-by-step fix guide and a copy-paste prompt for your AI coding tool.
Security
59 issues: Vulnerabilities that expose user data, API keys, or enable unauthorized access
Supabase Row Level Security disabled exposes your entire database to any authent…
Supabase anon key visible in your JavaScript bundle lets anyone bypass your app …
The Supabase service_role key bypasses all RLS policies. If it appears in your f…
OpenAI API key visible in client-side JavaScript lets anyone charge unlimited AP…
Stripe secret key (sk_live_) in your frontend gives anyone the ability to issue …
Missing Content-Security-Policy header leaves your app open to XSS attacks and d…
Missing Strict-Transport-Security header allows downgrade attacks. Users can be …
Missing X-Frame-Options allows your app to be embedded in iframes on other sites…
Missing X-Content-Type-Options: nosniff allows browsers to MIME-sniff responses,…
Without Referrer-Policy, your full URL (including tokens and query params) is se…
Your app is missing all five essential security headers: CSP, HSTS, X-Frame-Opti…
Supabase REST endpoints callable without authentication expose your data to unau…
CORS set to wildcard (*) or wrong origins lets malicious websites make authentic…
A hardcoded Resend API key lets anyone send emails from your domain. Spammers ac…
Firebase config in your frontend is expected but must be paired with strict Fire…
Critical and high npm vulnerabilities in your dependencies can be exploited dire…
Constructing SQL queries with string interpolation lets attackers inject malicio…
Rendering user-supplied HTML or JavaScript without sanitization enables stored X…
Without CSRF tokens, malicious websites can trigger authenticated actions in you…
API endpoints without rate limiting are vulnerable to brute-force attacks, crede…
/admin routes accessible without role verification give any logged-in user admin…
Webhook endpoints that don't verify the provider signature can be triggered by a…
A .env file committed to git permanently exposes all your API keys — even after …
API keys removed from code but still in git history are permanently exposed. Use…
NODE_ENV=development in production enables verbose error logging, disables secur…
Stack traces in browser error responses reveal file paths, library names, and in…
HTTP requests not redirected to HTTPS allow session hijacking over unencrypted c…
Open redirects in your auth or login flow let attackers craft phishing URLs that…
Without X-Frame-Options or CSP frame-ancestors, attackers embed your app in invi…
Auth tokens in URL query strings appear in browser history, server logs, Referer…
Session cookies without Secure and HttpOnly flags are accessible via JavaScript …
RLS policies with TRUE conditions or missing row ownership checks create false s…
Supabase RLS with basic policies often misses edge cases: team memberships, shar…
Misconfigured OAuth redirect URIs or missing state parameters enable authorizati…
Trusting JWT claims without signature verification lets attackers forge tokens w…
Session tokens valid for months or years mean a single stolen token gives attack…
Path traversal allows attackers to access files outside intended directories usi…
File uploads without type validation let attackers upload HTML, JavaScript, or P…
SSRF lets attackers make your server fetch internal cloud metadata, scan interna…
GraphQL introspection enabled in production reveals your entire API schema to at…
A public Supabase Storage bucket exposes all uploaded files to anyone with the U…
Frontend-only validation is bypassed trivially with curl or browser DevTools. Al…
A Postgres or Supabase database URL in client-side code gives anyone direct data…
Loading scripts from third-party CDNs without Subresource Integrity checks allow…
Prototype pollution vulnerabilities in npm packages let attackers inject propert…
Personally identifiable information stored in plaintext creates GDPR liability a…
Insecure password reset flows allow account takeover via token enumeration, user…
Without security event logs you cannot detect breaches, investigate incidents, o…
Dangling DNS records pointing to deprovisioned services allow attackers to claim…
Race conditions in payment or quota endpoints allow users to exploit the check-t…
Logging request bodies, error objects, or environment variables can expose API k…
Packages more than 2 major versions behind typically have multiple known CVEs an…
Content injection through unvalidated user data in emails, PDFs, or API response…
IDOR lets users access other users' resources by changing an ID in the URL or re…
Apps without MFA leave user accounts vulnerable to credential stuffing and phish…
Passwords, tokens, and PII appearing in server logs create a secondary exposure …
API keys that never rotate remain valid indefinitely after any exposure event. I…
Configuration files with 644 permissions on shared hosting expose your secrets t…
Health check endpoints, debug routes, and admin APIs exposed publicly reveal sys…
SEO
59 issues: Missing metadata, broken crawlability, and Core Web Vitals issues hurting search rankings
Missing <title> tags mean Google picks arbitrary text for your search listing. A…
Meta titles over 60 characters are truncated in Google search results, cutting o…
Multiple pages sharing the same meta title create cannibalization — Google does …
Missing meta descriptions force Google to generate a snippet from page content, …
Meta descriptions over 160 characters are cut off in search results. Trim to 150…
Pages sharing identical meta descriptions signal to Google that content is dupli…
Pages without an H1 tag lack a clear topic signal for Google. Add one H1 per pag…
Multiple H1 tags dilute the page's primary topic signal. Use exactly one H1 per …
Without sitemap.xml, Google discovers your pages by crawling links only — slow a…
A sitemap that omits important pages leaves them undiscoverable by Google. Audit…
Google and Bing discover sitemaps faster when referenced in robots.txt. Add Site…
Without robots.txt, search engines crawl everything including admin pages, API r…
A robots.txt with Disallow: / blocks all crawlers from all pages — your site wil…
Without canonical tags, Google must guess which URL is authoritative when multip…
A canonical tag pointing to a different page tells Google to consolidate this pa…
Without Open Graph tags, social shares show generic or no preview images. Add og…
Without an og:image, social shares show a blank card or a random image from the …
OG images not at 1200×630px appear cropped, stretched, or misaligned on social p…
Without twitter:card meta tags, X/Twitter shows a plain link instead of a rich p…
Images without alt text are invisible to Google Image Search, miss keyword oppor…
Alt text like "image", "photo", or a string of keywords provides no value. Write…
Broken internal links waste crawl budget, damage user experience, and signal a p…
Pages with no internal links from other pages cannot build PageRank or topical a…
Orphan pages with zero internal links are effectively invisible to Google's craw…
URLs like /products?id=123 are harder for Google to crawl and understand than /p…
Generic URLs like /page/123 miss the opportunity to include keywords that reinfo…
Having both /page and /page/ treated as different URLs splits PageRank and creat…
Without Organization schema, Google and AI assistants cannot reliably identify y…
FAQPage JSON-LD schema can trigger rich FAQ snippets in Google and helps AI assi…
BreadcrumbList schema lets Google show your site hierarchy in search results, im…
SaaS and app websites without SoftwareApplication schema miss rich result opport…
Schema markup with syntax errors or missing required fields is ignored by Google…
LCP over 2.5 seconds fails Google's Core Web Vitals threshold and directly hurts…
CLS over 0.1 means your page jumps around as it loads — frustrating users and hu…
INP over 200ms means user interactions feel sluggish. Long JavaScript tasks bloc…
Google uses mobile-first indexing — your mobile version is what gets ranked. Unr…
Buttons and links smaller than 44×44px fail mobile usability guidelines, causing…
Without viewport meta tag, mobile browsers zoom out to fit desktop layouts — mak…
Render-blocking resources delay First Contentful Paint and LCP. Add async/defer …
Serving 2MB+ PNG images when 100KB WebP would suffice is the single biggest cont…
Loading all images on page load wastes bandwidth and delays LCP. Add loading="la…
Sites without valid SSL certificates are marked "Not Secure" in Chrome and penal…
Pages with under 300 words or superficial coverage of a topic are filtered out b…
Identical or near-identical content on multiple URLs splits ranking signals. Use…
Two pages targeting the same keyword compete against each other in Google, confu…
Broken social previews when sharing your URL reduce word-of-mouth amplification.…
Pages excluded from Google's index receive zero organic search traffic. Debug in…
Without analytics you cannot see which pages drive traffic, where users drop off…
Without Google Search Console you are flying blind on indexing, rankings, and te…
Failing LCP, CLS, and INP simultaneously puts you in the lowest performance tier…
Sites with multiple language versions need hreflang tags so Google serves the ri…
A fixed-width layout that does not adapt to mobile screens fails Google's mobile…
Sites with zero structured data miss all rich result opportunities and provide w…
Broken external links (404s on other sites) signal to Google that your content i…
Content only visible after JavaScript executes is slower to index and may not be…
Client-only SPAs without SSR or SSG have poor SEO by default. Use Next.js server…
Jumping from H1 to H4 without H2/H3 breaks content structure signals. Use a logi…
Over 53% of mobile users abandon pages that take more than 3 seconds to load. Fi…
A missing favicon looks unprofessional in browser tabs and bookmarks. Add a 32×3…
GEO / AI Search
40 issues: Optimization for ChatGPT, Perplexity, and Google AI Overview citations
Blocking GPTBot, ClaudeBot, and PerplexityBot prevents ChatGPT, Claude, and Perp…
GPTBot blocked in robots.txt means ChatGPT cannot read your content. Allow GPTBo…
Blocking ClaudeBot prevents Anthropic's Claude from reading your content for cit…
PerplexityBot blocked means Perplexity AI cannot cite your content. Perplexity u…
llms.txt is the emerging standard for telling AI assistants what your site offer…
An llms.txt with missing sections or broken URLs provides partial value to AI cr…
FAQ sections are the primary content pattern AI assistants use to generate direc…
HowTo JSON-LD schema transforms your step-by-step guides into structured data AI…
AI crawlers often do not execute JavaScript. Client-side-only content is invisib…
AI assistants prioritize content that directly answers questions in the first se…
Without JSON-LD schema, AI assistants and Google AI Overview cannot extract stru…
Perplexity primarily uses Bing's index. Without Bing Webmaster Tools, Bing may c…
Content without explicit question-answer formatting is harder for AI to extract …
Experience, Expertise, Authoritativeness, and Trust signals help Google and AI a…
Google AI Overview pulls from the top-ranked sources for informational queries. …
ChatGPT Browse cites pages with clear factual content, strong domain authority, …
Perplexity AI uses Bing's index plus its own crawler. Optimize with Bing Webmast…
Person and Author schema links your content to a named entity with credentials —…
div-soup HTML without semantic tags (article, section, main, nav, aside) makes i…
Long content pages without a table of contents are harder for AI to navigate. A …
AI assistants need substantive content to extract useful quotes from. Pages unde…
Content without data points, statistics, or research citations is less likely to…
Content without citations to credible external sources appears less authoritativ…
Sites without topic clusters lack the topical authority that AI systems use to i…
A pillar page is a comprehensive resource covering your core topic — the hub tha…
Sites without glossary pages and definition content miss "what is X" queries ent…
Without proper entity schema (Organization, Product, Person), Google and AI assi…
Glossary pages capture definitional queries ("what is X") and are highly citeabl…
JavaScript-only navigation, single-page routing without URL changes, and missing…
If AI cannot extract a clear "X is a tool that does Y for Z" from your homepage,…
Unstructured prose is harder for AI to parse than bullet lists and tables. Forma…
Google can rank individual passages from long pages. Structure your content so e…
Voice search uses conversational queries that expect direct spoken answers. Opti…
Featured snippets appear above rank #1 and directly feed into AI Overview and vo…
Breadcrumb navigation improves user experience, signals site hierarchy to Google…
If your brand name is shared with other entities, add disambiguation signals in …
A low AI citation score means ChatGPT, Perplexity, and Claude rarely mention you…
Content without social proof, case studies, or expert endorsements appears less …
Stale content with old dates or outdated information is deprioritized by AI syst…
Speakable schema marks the best sections for voice reading and AI audio summarie…
Performance
40 issues: Slow load times, large bundles, and poor Core Web Vitals scores
TTFB over 800ms means your server is slow before any content renders. Optimize s…
FCP over 1.8 seconds means users see a blank or loading screen for too long. Fix…
JavaScript bundles over 300KB delay page interactivity. Implement code splitting…
Shipping JavaScript code that is never executed wastes bandwidth and delays pars…
Scripts in the document head without async or defer block the browser from rende…
Unminified CSS with comments and whitespace adds unnecessary bytes. Enable CSS m…
Web fonts loaded without font-display: swap cause invisible text (FOIT) or layou…
Intercom, Hubspot, Hotjar, and similar scripts add 200-500ms of main thread bloc…
Without proper Cache-Control headers, browsers re-download static assets on ever…
Serving all content from a single server location adds 200-500ms of latency for …
PNG and JPEG images are 2-3× larger than WebP equivalents. Use Next.js Image com…
Serving a 2000px image in a 400px container wastes bandwidth. Use the sizes prop…
DOM trees over 1,500 elements slow layout, style recalculations, and reflow. Red…
TBT over 300ms means the main thread is blocked by long tasks, making the page u…
Shipping all JavaScript in a single bundle forces users to download code for fea…
N+1 queries, missing indexes, and fetching entire tables for single values make …
Uncompressed HTTP responses are 60-80% larger than Brotli-compressed ones. Enabl…
HTTP/1.1 serializes requests with limited parallelism. HTTP/2 multiplexes connec…
Serverless cold starts add 1-5 seconds to TTFB for inactive routes. Reduce bundl…
The browser discovers critical assets late when parsing HTML sequentially. Add <…
Tasks taking over 50ms block the browser from responding to user input. Use sche…
Dynamically injected content (ads, embeds, cookie banners) that shifts existing …
Without dns-prefetch and preconnect for external domains, each new domain adds 1…
API endpoints responding over 500ms create visible delays for users. Profile you…
Fetching and rendering all records at once creates slow queries, large DOM sizes…
React components that don't clean up subscriptions, intervals, and event listene…
Components that re-render on every parent update waste CPU and contribute to poo…
Re-computing the same data on every request wastes server resources and increase…
Identical database queries on every request add unnecessary latency. Cache read-…
Fetch chains where A loads then triggers B then triggers C create waterfalls. Pa…
Google Analytics, Mixpanel, and similar scripts loaded synchronously block FCP a…
Intercom, Crisp, and Tidio chat widgets add 100-400KB of JavaScript that blocks …
External CSS files block rendering until downloaded. Inline the critical CSS nee…
Flash of Unstyled Text causes content to re-render when web fonts load, contribu…
A Lighthouse score under 50 means fundamental performance problems that require …
Mobile Lighthouse scores often 30-40 points lower than desktop signal mobile-spe…
Apps without a service worker cannot cache assets offline, pre-cache critical ro…
Serving only AVIF or WebP without PNG/JPEG fallbacks breaks older browsers. Use …
Redirect chains (A → B → C → D) add a full round-trip per hop. Reduce to a singl…
Without DNS prefetch hints, the first request to each external domain waits for …
Framework-Specific
50 issues: Issues specific to Lovable, Cursor, Bolt, v0, and Replit applications
Lovable generates working Supabase apps but skips RLS configuration. Every Lovab…
Lovable apps sometimes wire AI APIs directly in the frontend. Any key in a Lovab…
Lovable apps launch without meta tags, sitemaps, or robots.txt. Follow this comp…
Lovable apps on .lovable.app URLs are not indexed by Google for your brand. Conn…
Lovable apps often score 30-50 on Lighthouse mobile due to unoptimized images an…
Make your Lovable app visible to ChatGPT, Perplexity, and Claude. Allow AI crawl…
Lovable apps have no monitoring by default. Add Pantra for security monitoring, …
Before launching your Lovable app, verify: RLS enabled, API keys secured, custom…
Lovable's default auth setup often lacks rate limiting on login, missing MFA opt…
Webhook endpoints in Lovable apps often lack signature verification. Anyone can …
Cursor excels at Next.js but common security mistakes persist: missing auth on A…
Cursor-generated API routes often lack authentication middleware. Any unauthenti…
Cursor sometimes suggests NEXT_PUBLIC_ prefixes for secrets that should stay ser…
Cursor builds fast Next.js apps but rarely adds SEO configuration. Add metadata …
Cursor-generated Supabase schemas often lack RLS policies. Check every table and…
Cursor generates fully-featured apps that can have performance issues: large bun…
Cursor-built apps need the same GEO optimization as any other app. Allow AI craw…
Cursor apps deployed to Vercel need proper environment variable configuration, p…
Cursor speeds up development but leaves infrastructure gaps. Use this checklist …
TypeScript types do not prevent runtime security issues. Cursor-generated code w…
Bolt.new apps frequently ship with exposed API keys, missing security headers, a…
Bolt.new projects often hard-code API keys in StackBlitz files that are publicly…
Bolt.new apps launch without SEO metadata, sitemaps, or structured data. Add the…
Bolt apps using Supabase, Firebase, or other databases need proper security rule…
Bolt-generated auth flows often miss rate limiting, session management, and secu…
Bolt.new apps often have large unoptimized bundles and no CDN caching. Optimize …
Bolt apps need AI search optimization: allow AI crawlers, add llms.txt, structur…
The five most common production mistakes in Bolt apps: exposed keys, no RLS, mis…
Bolt apps have no monitoring by default. Add error tracking, analytics, and secu…
Before taking your Bolt.new app live, verify security, SEO, performance, and mon…
v0 generates beautiful React components but may include dangerouslySetInnerHTML,…
v0 generates client components by default. Before deploying, convert pure displa…
v0 generates client-side API integrations that may expose secrets. Move all API …
v0 generates beautiful UI but no SEO metadata. Add metadata exports, OpenGraph, …
v0-generated forms include client-side validation but no server-side validation.…
v0 components often fetch data directly in useEffect without auth checks. Move d…
v0 generates client-heavy React components. Optimize performance by converting t…
v0-generated apps need AI search optimization to be visible in ChatGPT and Perpl…
Before deploying your v0-based app to production, check security (API keys, auth…
v0 apps need production monitoring: error tracking, analytics, and security scan…
Replit apps have specific security concerns: exposed Replit-hosted databases, pu…
Replit projects set to Public expose all code and any hardcoded secrets. Use Rep…
Replit's built-in database is not suitable for production. Use Supabase with RLS…
Replit Deployments need proper environment configuration, security headers, and …
Replit apps often deploy to replit.app URLs without SEO configuration. Add a cus…
Replit's shared infrastructure can create latency. Optimize cold start times, ad…
Add AI search visibility to your Replit app with robots.txt AI crawler permissio…
Before taking your Replit app live, verify: private project, Replit Secrets conf…
Connecting Supabase to a Replit app requires secure credential storage in Replit…
Replit apps need external monitoring since Replit's built-in logs are ephemeral.…
Vibe Coding
30 issues: Mistakes introduced by AI-assisted development workflows
Shipping fast without thinking about security creates compounding vulnerabilitie…
AI coding tools generate functional but often insecure code. Common vulnerabilit…
Accepting and shipping every AI code suggestion without review accumulates bugs,…
No tests means every AI edit is a potential regression with no safety net. Add t…
AI coding tools add npm packages without evaluating their security, maintenance …
AI-generated schemas often lack proper indexes, foreign keys, constraints, and m…
AI-generated code often lacks try/catch, graceful error states, and user-friendl…
Custom AI-generated auth flows contain common mistakes: no rate limiting, insecu…
AI-generated payment flows often expose Stripe secret keys, skip webhook verific…
AI integrations with Resend, Twilio, Notion, and other APIs often expose keys an…
AI-generated API routes have no rate limiting — brute force attacks, scraping, a…
Apps built with AI tools often have no structured logging. Without logs, debuggi…
AI tools often hardcode URLs, IDs, and limits directly in code rather than using…
Vibe-coded apps implement validation in React forms but skip server-side validat…
Secrets in code, wrong .gitignore setup, and shared API keys across environments…
MVP shortcuts that disable RLS, allow all CORS, or skip auth "temporarily" becom…
First-day launches of vibe-coded SaaS products face real security risks: scanner…
Vibe-coded apps collecting user data often lack proper protection: no encryption…
Vibe-coded apps collecting EU user data must comply with GDPR: privacy policy, c…
AI-generated UI often lacks keyboard navigation, ARIA labels, and sufficient col…
AI-generated schemas and queries work for 100 rows but fail at 100,000. Review d…
Rapid AI-assisted development creates technical debt faster than traditional cod…
Vibe coding sessions often produce messy commit history, direct main branch comm…
Manual deployments without CI/CD allow untested code to reach production. Add Gi…
Testing directly in production is high-risk. Set up a staging environment with a…
Verbose debug logging and error details shipped to production expose internal im…
AI coding assistants sometimes generate plausible-looking but incorrect security…
AI coding sessions often use admin-level credentials where read-only access woul…
Vibe-coded apps rarely have backup strategies. Supabase Pro includes daily backu…
AI features that process user input as part of LLM prompts are vulnerable to pro…
Monitoring
20 issues: Audit cadence, security monitoring, and observability for vibe-coded apps
AI coding tools create functional apps fast but introduce security gaps, SEO mis…
Security audits should run before launch, after each major deployment, and autom…
Supabase apps need specific security audit steps: RLS verification, key exposure…
Manual security reviews miss regressions introduced by new features. Automated d…
Daily security scanning catches new vulnerabilities within 24 hours of introduct…
A practical SEO audit guide for indie hackers: what to check, what tools to use,…
This launch security checklist covers every critical security item for vibe-code…
After launch, security monitoring continues. Set up daily scans, configure alert…
Automated security tools like Pantra catch systematic vulnerabilities instantly.…
Solo founders and small teams cannot afford a dedicated security team. Here is a…
The 10 most important security practices for vibe-coded SaaS products: RLS, API …
Automated scanners find your app within hours of launch. Use Pantra to discover …
Everything a vibe coder needs to know about security: from the most common AI co…
You don't need a security background to build secure vibe-coded apps. Learn the …
The five most common SaaS security mistakes in 2025: disabled RLS, exposed API k…
Security monitoring costs $19-79/month. A single prevented breach saves thousand…
AI coding tools make development fast and security gaps easy to create. Here is …
Match your audit frequency to your deployment cadence and risk profile. Daily mo…
SEO can regress silently when new features change page structure. Set up automat…
AI search visibility can change as AI systems re-crawl and re-index your content…