Skip to content
2026-06-21 · 8 min read

The 7 security holes in AI-generated apps (and how to fix them)

AI app builders are extraordinary at speed. They are not yet good at security — and they don't tell you that. In one 2026 mass scan by Escape.tech, 91.5% of AI-generated apps had at least one vulnerability. The failures rhyme: the same seven gaps appear again and again, because the model optimizes for a working demo, not a hardened production app. Here's each one, why it happens, and how to fix it.

1. Exposed secrets in the client bundle

API keys, tokens, and especially Supabase service_role keys get used in front-end code, where anyone can read them from the network tab. Move every secret server-side; the browser should never see an admin key. Rotate anything that has already shipped.

2. Missing Row-Level Security (RLS)

On Supabase/Postgres, tables without RLS are readable and writable by anyone holding the anon key — which is public by design. Enable RLS on every table and write per-user policies. Without it, your 'private' data isn't.

3. Auth-less endpoints and server actions

Generated API routes, edge functions, and server actions frequently skip authentication and authorization. Default-deny: require a valid session on every non-public endpoint, and check that the caller is allowed to do the specific thing they're asking.

4. A publicly downloadable .env

Some default deployments leave .env (and .git) reachable over HTTP, handing attackers every secret at once. Make sure sensitive files aren't served, and rotate any secret that was ever public.

5. Missing security headers

No Content-Security-Policy, HSTS, or clickjacking protection means XSS and framing attacks land easily. Set CSP, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options, plus Secure + HttpOnly + SameSite cookies.

6. No input validation

Generated handlers tend to trust input, opening SQL injection, XSS, and SSRF. Validate at every boundary with a schema library, and use parameterized queries — never string-concatenated SQL.

7. No rate limiting

Public endpoints without throttling get scraped, abused, and run up your bill. Add per-IP and per-user rate limits, and lock auth endpoints after repeated failures.

How to find and fix them fast

You can check most of these on a live app in seconds without touching code: a URL scan reveals exposed secrets, a public .env, and missing headers. Opviva does that free — talk to it, it scans, grades your app 0–100, and proves what's actually exploitable before it touches anything. On a plan it opens reviewed pull requests that fix the issues for you, and keeps watching after you ship. They build it; we keep it alive.

Scan your app — free

Grade your live app 0–100 in seconds. No signup.

Scan my app free