The security checkvibe-coding skips.
AI builders optimize for “make it work,” not “make it safe” — and nearly half of AI-generated code ships with a known vulnerability. Run this gate before your first public launch: mark six controls, get one verdict, and find the one thing to fix first.
The app runs. That isn't the same as the app being safe.
of AI-generated code ships with at least one known vulnerability when reviewed without human oversight.
vibe-coding fault of 2026: a secret — an API key, a database credential — left in client-side JavaScript.
from launch to a 1.5M-token breach in the headline 2026 case: a public DB key in the client with no access control.
None of these are exotic. They are the same handful of failure modes — exposed secrets, broken auth, missing validation — that repeat across every builder and every breach write-up. The fix isn't hard; it's a checklist you run before you launch. This gate is that checklist with a verdict.
Mark six controls. Get one verdict — and the gate.
No API keys, DB creds, or tokens in client JS or committed code.
Every sensitive endpoint checks a valid session server-side — not frontend-only.
Inputs validated; parameterized queries; SQLi / XSS / prompt-injection defended.
Dependencies real & audited; no hallucinated or slop-squatted packages.
Prod hides stack traces and schemas; no exposed source maps.
Ownership / row-level access tested by calling endpoints as another user.
Gate: a fatal control (Server-side auth on every sensitive route) is scored 0 — DO NOT SHIP regardless of the 78 score. Lift it to at least 1 and the gate releases.
Fix first: Server-side auth on every sensitive route
Runs entirely in your browser and resets on reload. The downloadable engine and workbook produce the identical verdict from the same marks. Scores the app you describe, not people.
The same verdict from a runnable, offline engine.
The download ships a zero-dependency Python engine. Point it at a CSV of apps and it returns the identical score, verdict, and fix-first the demo and workbook produce. Here is the shipped 7-app sample:
==================================================================
VIBE-CODED APP PRE-LAUNCH SECURITY GATE as of 2026-06-28
==================================================================
Stripe Checkout MVP
Score 78/100 -> DO NOT SHIP
GATE: fatal fault (Server-side auth on every sensitive route) at 0 -> DO NOT SHIP regardless of score
Fix first: Server-side auth on every sensitive route
Internal Ops Dashboard
Score 100/100 -> LAUNCH-READY
Waitlist Landing + Form
Score 85/100 -> LAUNCH-READY
Fix first: Input validation & injection defense
AI Resume Reviewer
Score 50/100 -> HARDEN FIRST
Fix first: Secrets out of the client bundle & repo
Community Forum (Lovable)
Score 32/100 -> DO NOT SHIP
GATE: fatal fault (Secrets out of the client bundle & repo) at 0 -> DO NOT SHIP regardless of score
Fix first: Secrets out of the client bundle & repo
Booking Widget
Score 87/100 -> LAUNCH-READY
Fix first: Dependency & supply-chain integrity
Habit Tracker (Bolt)
Score 67/100 -> HARDEN FIRST
Fix first: Server-side auth on every sensitive route
==================================================================
BATCH ROLLUP: BLOCK LAUNCH
==================================================================The Stripe Checkout MVP scores 78 — a LAUNCH-READY number — and still reads DO NOT SHIP, because it ships one open sensitive route. That is the gate doing its job: a high average can't hide one fatal fault.
Six controls. Two of them are fatal on their own.
Secrets out of the client bundle & repo
gateNo API keys, database credentials, or tokens in client JavaScript or committed code. The #1 vibe-coding vulnerability of 2026 and a fatal control on its own.
Server-side auth on every sensitive route
gateEvery sensitive endpoint verifies a real session server-side — not a frontend-only check an attacker bypasses by calling the API directly. The second fatal control.
Input validation & injection defense
Inputs validated, queries parameterized, output encoded — SQL injection, XSS, and prompt injection all defended at the boundary.
Dependency & supply-chain integrity
Every dependency is real and audited; no hallucinated or slop-squatted packages; the lockfile is pinned.
No verbose errors, debug, or source maps in prod
Production hides stack traces and schemas, logs no tokens, and ships no source maps that hand an attacker a map of your code.
Access control actually tested
Ownership and row-level access tested by calling endpoints as a different user — not assumed because the code 'looks right.'
A launch decision, not a scanner — and not the hardening itself.
- A deterministic go/no-go you run at the launch moment, from marks you enter.
- A single verdict with a dispositive gate that catches the two fatal faults a high score hides.
- Stack-agnostic — Lovable, Bolt, v0, Replit, Cursor, Claude Code, or hand-assembled.
- An engine, a workbook, and a demo that all return the same number.
- Not a scanner, SAST tool, or penetration test — it connects to nothing and uploads nothing.
- Not the depth hardening work (that's the Hardening Kit it routes you to).
- Not a guarantee or a certification — fixing what it catches is on you.
- Not a score of any person; it grades the app artifact only.
A readiness aid, not a security audit. It scores the marks you enter for the app you describe — it never scans, connects to, or runs your app, and it scores no person. Pair it with static analysis, a manual review, and (for apps handling payments, regulated, or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.
If an AI built most of your app and it's about to go live.
- Founders and indie hackers shipping a vibe-coded MVP to real users.
- No-code and low-code builders without a security reviewer on the team.
- Agencies clearing a client's AI-built app before they put their name on the launch.
- Anyone who's about to flip a Lovable / Bolt / Replit app from preview to public.
- Teams that need code-level findings — run a scanner and a manual review instead.
- Regulated, payment, or high-risk apps as the only review — add professional security counsel.
- Anyone wanting an automatic fix; this decides go/no-go and names the fault, you do the work.
Decide here. Harden, build, and govern next door.
Vibe-Coded App Hardening Kit
$79The depth library this gate points you toward — antipattern catalog, layered checklist, monitoring template.
ViewMCP Server & Connector Builder Kit
$99Build MCP servers safe by default, with a Pass/Fix/Block linter that hard-blocks a leaked secret.
ViewAI Agent Go-Live Readiness Gate
$79The operator's go/no-go before flipping an AI agent live — the agent-side sibling to this app-side gate.
ViewThe questions buyers ask first.
Don't let “it works”
be your security review.
Run the gate before you launch. One purchase, lifetime access, 12 months of updates. $79, once.
A readiness aid, not a security audit. It scores the marks you enter for the app you describe — it never scans, connects to, or runs your app, and it scores no person. Pair it with static analysis, a manual review, and (for apps handling payments, regulated, or personal data) qualified security and legal counsel. Not a penetration test and not legal advice.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai