
Vibe-code security audit

Close the classic vulnerabilities in a vibe-coded project one by one and watch the security score climb to production-ready.

security score: 0 (critical state)

findings (10 open / 0 fixed):

- Service role key in ..
- Row Level Security d..
- Passwords stored as ..
- JWT stored in localS..
- No input validation ..
- Hardcoded admin emai..
- No rate limiting on ..
- No Content Security ..
- CORS wildcard with c..
- Dependencies 18 mont..

legend: critical · high · medium · low · fixed

critical: Service role key in browser bundle

The all-powerful admin key for your database is being sent to every user that visits your site. Anyone can open DevTools and use it to read or delete everything.

fix: Move all admin database calls to a server route. Only the public anon key belongs in the browser.
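A build-time check for this finding, added here as an example and not part of the lab itself: it scans client bundle text for JWT-shaped strings and flags any whose payload carries the `service_role` role. It assumes the JWT-format Supabase API keys (with a `role` claim of `anon` or `service_role`); the function names and the sample tokens are constructed for illustration.

```javascript
// Added example: detect a Supabase service role key in client-side bundle text.
// Assumption: keys are JWTs whose payload has role "anon" or "service_role".
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode one base64url JWT segment to an object, or null if it is not JSON.
function decodeSegment(segment) {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Return one hit per embedded token whose role claim is "service_role".
// Only a short preview is reported so the check never re-leaks the key.
function findServiceRoleKeys(bundleText) {
  const hits = [];
  for (const match of bundleText.matchAll(JWT_RE)) {
    const payload = decodeSegment(match[0].split(".")[1]);
    if (payload && payload.role === "service_role") {
      hits.push({
        offset: match.index,
        ref: payload.ref ?? null,
        preview: match[0].slice(0, 12) + "...",
      });
    }
  }
  return hits;
}

// Constructed sample token: unsigned, placeholder project ref, not a real key.
function makeSampleKey(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const header = enc({ alg: "HS256", typ: "JWT" });
  const payload = enc({ iss: "supabase", ref: "exampleref", role });
  return [header, payload, "constructed-signature"].join(".");
}

// Constructed bundle: the anon key is expected here, the service role key is not.
const sampleBundle =
  `const pub=createClient(url,"${makeSampleKey("anon")}");` +
  `const admin=createClient(url,"${makeSampleKey("service_role")}");`;

console.log(findServiceRoleKeys(sampleBundle));
```

Run over the files the browser actually downloads (for Next.js, the static output under the build directory), a non-empty result should fail the build.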

Fresh audit of a vibe-coded Supabase + Next.js project. Ten issues found. Fix them one by one and watch the security score climb.
