Is Your AI-Built App Safe to Launch?
Security checklist for apps built with Lovable, Bolt, Base44, and Manus. 67 out of 100 AI-generated apps had at least one critical vulnerability. Here's what to check before you go live.

You built your app with an AI builder — Lovable, Bolt, Base44, or Manus. It works. You've tested it. You're ready to launch. Before you do: a security audit of 100 AI-generated application repositories found that 67 had at least one critical vulnerability. 45% had hardcoded secrets. 38% had missing authentication on sensitive routes.
This is not a knock on these tools. They are genuinely useful for building and validating ideas fast. But they are optimized for speed and prototyping, not security. The gap between "working prototype" and "safe for real users" is the same gap every time, and it needs to be closed before you go live.
The numbers
- 67 out of 100 AI-generated app repos had at least one critical vulnerability
- 89% of Lovable apps were missing Supabase Row-Level Security
- 45% had hardcoded secrets (API keys, JWT secrets, database URLs)
- 38% had missing authentication on sensitive API routes
- 10.3% of Lovable apps had documented data-exposure vulnerabilities (May 2025 audit)
- $3K–$15K: what founders are spending in credits trying to fix security issues that AI-generated code introduced
Platform-Specific Security Checklists
Each AI builder has its own architecture, its own defaults, and its own specific security gaps. If you know which platform you used, go to the dedicated checklist for the most precise guidance:
Is Your Lovable App Safe to Launch?
89% of Lovable apps missing RLS. VibeScamming vulnerability. GitHub history secrets.
Read the checklist →
Is Your Bolt App Safe to Launch?
Unauthenticated API routes. NEXT_PUBLIC_ secret exposure. Token cost trap for late fixes.
Read the checklist →
Is Your Base44 App Safe to Launch?
Wix infrastructure data risk. Missing RLS on server actions. Platform outage exposure.
Read the checklist →
Is Your Manus App Safe to Launch?
Sandbox-specific dependencies. Hardcoded credentials. No real auth system.
Read the checklist →
The Universal Security Checklist (All Platforms)
Regardless of which AI builder you used, these five gaps appear in virtually every AI-generated codebase. This is your minimum bar before going live with any app that handles real user data.
01. Authentication on every data route
Critical: Every API route or server function that reads, writes, or deletes user data must verify that the caller is authenticated — on the server. UI-level guards are not security.
How to test:
Send a direct request to each of your data API routes with no auth header. If you receive data or a successful operation, the route is unprotected.
02. Authorization: users can only access their own data
Critical: Authentication checks whether you're logged in. Authorization checks whether you're allowed to touch this specific record. Create two test accounts, create data with one, and attempt to access it from the other using its ID.
How to test:
Note every resource that has an ID in the URL or request body. For each one: does the server verify the requesting user owns it?
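Items 01 and 02 describe the same route-level checks, so here is one added example (written for this page, not code from Lovable, Bolt, Base44, Manus or ShipAi) of a minimal server handler that enforces both: it resolves the caller from a bearer token, then refuses records the caller does not own. The session and note stores, the `getNote` / `getNoteUnprotected` names and the tokens are constructed for illustration; a real app would look sessions up in its auth provider and records in its database.

```javascript
// Added example: authentication (401) and per-record authorization (404)
// enforced on the server. All stores and names below are constructed.

// Constructed session store: bearer token -> user id.
const sessions = new Map([
  ['token-alice', 'alice'],
  ['token-bob', 'bob'],
]);

// Constructed data store: note id -> record with an owner_id column.
const notes = new Map([
  ['n1', { id: 'n1', owner_id: 'alice', body: 'alice private note' }],
  ['n2', { id: 'n2', owner_id: 'bob', body: 'bob private note' }],
]);

// Resolve the caller from the Authorization header. Returns null when the
// header is missing, malformed, or carries an unknown token.
function authenticate(headers) {
  const value = headers.authorization || headers.Authorization || '';
  const [scheme, token] = value.split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return sessions.get(token) || null;
}

// The "before" shape builders often generate: the UI hides the page from
// logged-out users, but the route itself returns whatever id is requested.
function getNoteUnprotected(req) {
  const note = notes.get(req.params.id);
  return note ? { status: 200, body: note } : { status: 404, body: null };
}

// Hardened version: authenticate first, then check ownership. Returning 404
// rather than 403 avoids confirming that another user's record exists.
function getNote(req) {
  const userId = authenticate(req.headers);
  if (!userId) return { status: 401, body: { error: 'authentication required' } };
  const note = notes.get(req.params.id);
  if (!note || note.owner_id !== userId) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: note };
}

// The two manual tests from the checklist, as code: a request with no auth
// header at all, and user A requesting user B's record by its id.
function runChecklist() {
  const noAuth = { headers: {}, params: { id: 'n2' } };
  const crossUser = { headers: { authorization: 'Bearer token-alice' }, params: { id: 'n2' } };
  const own = { headers: { authorization: 'Bearer token-alice' }, params: { id: 'n1' } };
  return {
    unprotectedLeaks: getNoteUnprotected(noAuth).status === 200, // true: the route is open
    noAuthStatus: getNote(noAuth).status,                        // 401
    crossUserStatus: getNote(crossUser).status,                  // 404
    ownStatus: getNote(own).status,                              // 200
  };
}

console.log(runChecklist());
```

The ownership comparison belongs in the handler (or a shared data-access layer) for every route that takes an id in the URL or body; a client-side redirect for logged-out users does nothing against a request sent directly to the route.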
03. No secrets in source code or git history
Critical: Any API key, database credential, or secret that has ever appeared in source code — even temporarily, even in a private repo — should be treated as compromised. Rotate it immediately and audit the full git history.
How to test:
Search your codebase and git history for: sk-, pk-, service_role, DATABASE_URL, OPENAI_API_KEY, and any string ending in _SECRET.
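As an added example (not from the page or any of the platforms it names), here is a small scanner for exactly those patterns that runs over `git log -p` style text, so it covers history as well as the working tree. It attributes each hit to the commit it appears under, skips values that only reference the environment (`process.env.X` is a reference, not a leak), and masks the matched value so the report itself does not copy the secret. The sample log below is constructed; the key-like values in it are placeholders, not real credentials.

```javascript
// Added example: scan git history output for the secret patterns named in
// the checklist. Sample input is constructed; placeholder values are not keys.

const SECRET_PATTERNS = [
  { name: 'sk- key',             re: /\bsk-[A-Za-z0-9_-]{8,}/ },
  { name: 'pk- key',             re: /\bpk-[A-Za-z0-9_-]{8,}/ },
  { name: 'service_role',        re: /service_role/ },
  { name: 'DATABASE_URL',        re: /\bDATABASE_URL\b\s*[=:]\s*["'`]?([^\s"'`;,]+)/ },
  { name: 'OPENAI_API_KEY',      re: /\bOPENAI_API_KEY\b\s*[=:]\s*["'`]?([^\s"'`;,]+)/ },
  { name: '*_SECRET assignment', re: /\b\w+_SECRET\b\s*[=:]\s*["'`]?([^\s"'`;,]+)/ },
];

// A value that merely reads the environment is configuration, not a leaked secret.
function isEnvReference(value) {
  return /^(process\.env|import\.meta\.env|Deno\.env|\$\{|\$[A-Z_])/.test(value);
}

// Keep a short prefix so the finding is recognisable without reproducing the value.
function mask(s) {
  return s.length <= 4 ? '***' : s.slice(0, 4) + '***';
}

// Walk the log line by line, tracking the current "commit <hash>" header so
// each finding says which commit introduced or removed the value.
function scanGitLog(text) {
  const findings = [];
  let commit = null;
  text.split('\n').forEach((line, i) => {
    const header = /^commit ([0-9a-f]{7,40})/.exec(line);
    if (header) { commit = header[1]; return; }
    for (const { name, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (!m) continue;
      if (m[1] !== undefined && isEnvReference(m[1])) continue;
      findings.push({ line: i + 1, commit, pattern: name, excerpt: mask(m[0]) });
    }
  });
  return findings;
}

// Constructed sample of `git log -p --all` output (hashes and keys are fake).
const SAMPLE_GIT_LOG = `commit aaaaaa1
Author: Dev <dev@example.com>

    add env loader

diff --git a/lib/db.js b/lib/db.js
+const DATABASE_URL = process.env.DATABASE_URL;
+const JWT_SECRET = process.env.JWT_SECRET;

commit bbbbbb2
Author: Dev <dev@example.com>

    quick fix, hardcode keys for demo

diff --git a/lib/openai.js b/lib/openai.js
+const OPENAI_API_KEY = "sk-EXAMPLE00000000000000000";
-const OPENAI_API_KEY = process.env.OPENAI_API_KEY;
+const supabase = createClient(url, "service_role-placeholder-not-a-real-key");
`;

console.log(scanGitLog(SAMPLE_GIT_LOG));
```

On a real repository the intended input is the output of `git log -p --all` (every branch, full patches), fed into `scanGitLog`. Any hit on a literal value means the key is in history even if the current tree is clean; rotate it first, then rewrite or reset the history.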
04. Database-level access controls
Critical: Application code that enforces user scoping is not enough. Database-level rules (Supabase RLS policies, Postgres row security, or equivalent) ensure that even if the application code has a bug, the database does not serve data it should not.
How to test:
Check your database provider's security settings. For Supabase: verify RLS is enabled on every table that stores user data and that policies restrict access appropriately.
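To make the "even if the application code has a bug" point concrete, here is an added example (not from the page, and not Supabase's or Postgres's code) that models row-level security in memory in the shape of Postgres policies: a `using` predicate filters what a user can read and a `withCheck` predicate constrains what they can write, both applied by the data layer regardless of what the application asked for. The table names, rows and policy functions are constructed; the `invoices` table stands in for a table the builder created without RLS.

```javascript
// Added example: an in-memory model of database-level row security, in the
// shape of Postgres/Supabase RLS. Tables, rows and policies are constructed.

// Each table declares whether RLS is on and, if so, its policies:
//   using     -> which existing rows the current user may see
//   withCheck -> which new rows the current user may write
const tables = {
  notes: {
    rls: true,
    using: (row, userId) => row.owner_id === userId,
    withCheck: (row, userId) => row.owner_id === userId,
    rows: [
      { id: 'n1', owner_id: 'alice', body: 'alice note' },
      { id: 'n2', owner_id: 'bob', body: 'bob note' },
    ],
  },
  // A table created without RLS: any authenticated user can read every row.
  invoices: {
    rls: false,
    rows: [
      { id: 'i1', owner_id: 'alice', amount: 120 },
      { id: 'i2', owner_id: 'bob', amount: 80 },
    ],
  },
};

// SELECT: apply whatever filter the app supplied (possibly none), then the
// USING policy. The policy runs even when the app forgot its own filter.
function select(tableName, filter, userId) {
  const t = tables[tableName];
  let rows = t.rows.filter(filter || (() => true));
  if (t.rls) rows = rows.filter((r) => t.using(r, userId));
  return rows;
}

// INSERT: WITH CHECK rejects a row the user may not write, such as a record
// whose owner_id was set to someone else in the request body.
function insert(tableName, row, userId) {
  const t = tables[tableName];
  if (t.rls && !t.withCheck(row, userId)) {
    return { ok: false, error: 'new row violates row-level security policy' };
  }
  t.rows.push(row);
  return { ok: true };
}

// The checklist's test, as code: which tables have RLS switched off?
function tablesWithoutRls() {
  return Object.keys(tables).filter((name) => !tables[name].rls);
}

// The application bug the item warns about: a list endpoint that forgot to
// scope by user. With RLS on, the database still returns only the caller's rows.
function buggyListAll(tableName, userId) {
  return select(tableName, null, userId);
}

console.log('notes visible to alice via buggy query:', buggyListAll('notes', 'alice').length);
console.log('invoices visible to alice via buggy query:', buggyListAll('invoices', 'alice').length);
console.log('tables without RLS:', tablesWithoutRls());
```

On a real Supabase or Postgres database the equivalent of `tablesWithoutRls()` is a catalog query such as `select tablename, rowsecurity from pg_tables where schemaname = 'public';`, and the equivalent of the `using` predicate is a policy comparing `owner_id` to `auth.uid()`. Keep in mind that Supabase's `service_role` key bypasses RLS entirely, which is why the secrets item above lists it.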
05. Input validation on the server
High: Client-side validation can be bypassed by anyone with basic technical knowledge. Server-side validation must check that inputs are the right type, within expected bounds, and free of injection patterns before being stored or processed.
How to test:
Send requests directly to your API routes (bypassing the UI) with empty strings, very long values, and special characters like < > & ' ". Observe what gets stored.
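As an added example (not from the page or any of the builders), here is a server-side validator for a constructed "create note" request body, together with the probes the test above describes: an empty string, a very long value, a wrong type, and the special characters `< > & ' "`. The field names and length limits are assumptions. Note the design choice on special characters: they are accepted as data after type and bounds checks, and made harmless at the point of use (parameterised query for storage, HTML escaping for rendering) rather than stripped on input, which both loses legitimate data such as O'Brien and fails to cover every output context.

```javascript
// Added example: server-side validation for a constructed "create note"
// body. Field names and limits are assumptions, not the page's.

const LIMITS = { title: { min: 1, max: 120 }, body: { max: 5000 }, tags: { max: 10 } };

// Returns { ok: true, value } with a normalised record, or { ok: false, errors }.
// Order of checks: type first (so later checks cannot throw), then bounds,
// then shape. Nothing here tries to strip "dangerous" characters.
function validateNote(input) {
  const errors = [];
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const { title, body = '', tags = [] } = input;

  if (typeof title !== 'string') {
    errors.push('title must be a string');
  } else {
    const t = title.trim();
    if (t.length < LIMITS.title.min) errors.push('title is required');
    if (t.length > LIMITS.title.max) errors.push(`title exceeds ${LIMITS.title.max} characters`);
  }

  if (typeof body !== 'string') errors.push('body must be a string');
  else if (body.length > LIMITS.body.max) errors.push(`body exceeds ${LIMITS.body.max} characters`);

  if (!Array.isArray(tags)) {
    errors.push('tags must be an array');
  } else {
    if (tags.length > LIMITS.tags.max) errors.push(`at most ${LIMITS.tags.max} tags`);
    // Tags are an identifier-like field, so an allow-list pattern is appropriate here.
    for (const tag of tags) {
      if (typeof tag !== 'string' || !/^[a-z0-9-]{1,30}$/.test(tag)) {
        errors.push(`invalid tag: ${JSON.stringify(tag)}`);
        break;
      }
    }
  }

  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { title: title.trim(), body, tags: [...new Set(tags)] } };
}

// Output encoding for the HTML context. Storage should use a parameterised
// query; neither step relies on the input having been "cleaned".
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The checklist's probes, sent straight to the validator with no UI in between.
function runProbes() {
  const specials = `<b>O'Brien & co</b>`;
  return {
    empty: validateNote({ title: '' }).ok,                         // false
    tooLong: validateNote({ title: 'a'.repeat(10000) }).ok,        // false
    wrongType: validateNote({ title: ['not', 'a', 'string'] }).ok, // false
    specials: validateNote({ title: specials }).ok,                // true: kept as data
    rendered: escapeHtml(specials),                                // safe for an HTML page
  };
}

console.log(runProbes());
```

The "observe what gets stored" step of the manual test then has a clear expected outcome: the over-long and wrong-type payloads are rejected with a 4xx and never reach the database, while `<b>O'Brien & co</b>` is stored verbatim and appears on the page as literal text, not markup.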
What to Do When You Find Issues
Not all issues are equal — here is how to prioritize:
When to Get a Professional Security Assessment
A DIY checklist is the right starting point. For any of the following, a professional review before launch is worth more than the time it takes:
- Your app handles real personal data (names, emails, addresses, health info)
- There are payments or financial transactions in the flow
- Multiple users need access control (one user must not see another's data)
- You are targeting enterprise customers or regulated industries
- You plan to run paid marketing to the app — a security incident early is existential
Get a Free Security Assessment Before You Launch
ShipAi reviews AI-built apps across all four platforms. We check every gap in this list, give you a written report with severity ratings, and tell you exactly what needs to be fixed before your first real user. No sales pressure — just an honest audit.
Full Code Review
Auth, authorization, secrets, validation — every gap documented
Written Report
Severity by issue, fix recommendations, and time estimates
Migration Option
If the right answer is migrating to owned infrastructure, we quote it on the spot
Projects start at $5K. Free assessment — no obligation, honest findings.
Book Your Free Security Assessment →