I Scanned 5 Real Apps With A Security Scanner

I built VibeSafe to scan AI-generated code. I tested it on 5 real apps from the Vibe Coding Showcase.

The results are bad.

All 5 apps had security issues. Zero apps had a Content Security Policy. I found 33 total problems.

The breakdown:

  • 6 Critical issues
  • 9 High issues
  • 18 Medium issues

Here is what I found in the apps:

App 1: Maternal health platform

This app leaks data.

  • .env files are publicly served. Anyone who requests them gets the credentials inside.
  • The .git directory is exposed. Anyone can download the whole repository, including its commit history and any secret that was ever committed to it.
  • No XSS protection: no Content-Security-Policy header.
  • No rate limiting on login.

App 2: SMS loyalty platform

This follows the same pattern as App 1.

  • Public .env files.
  • Public .git directory.
  • No security headers.
  • No protection on the authentication endpoints.

App 3: SaaS platform

Built by an experienced CTO, but it still had holes.

  • The .git directory was exposed.
  • Python __pycache__ directories were publicly served, and the compiled bytecode in them decompiles back to readable source.
  • No XSS protection: no Content-Security-Policy header.

App 4: Parenting app

This was the best of the group, but still risky.

  • TLS was configured correctly and .env files were not exposed.
  • No XSS protection: no Content-Security-Policy header.
  • No rate limiting on sign-in, so password brute-forcing runs unthrottled.

App 5: Netlify product

  • The TLS certificate is invalid.
  • Browsers flag the site as unsafe and stop visitors at a certificate warning.

Summary of common risks:

  • No Content Security Policy: 100% of apps
  • No X-Frame-Options: 100% of apps
  • No rate limiting: 80% of apps
  • Exposed .env or .git files: 60% of apps

You can fix 90% of these issues in 15 minutes.

How to fix them:

  • Add Content-Security-Policy: 1 minute
  • Add X-Frame-Options: 1 minute
  • Add HSTS: 1 minute
  • Block .env and .git files: 1 minute
  • Add rate limiting middleware: 10 minutes

These are not small experiments. These are live products with real users. They handle health data, SMS data, and user accounts. Most are currently vulnerable to data theft and clickjacking.

Source: https://dev.to/amrakg93/i-scanned-5-real-vibe-coded-apps-with-a-security-scanner-heres-what-i-found-4a04