What are common security mistakes in Vercel apps?
Get instant answers about your app's security.
Short Answer
The top three security mistakes in Vercel apps are shipping without database access controls, hardcoding secrets in frontend code, and relying on client-side validation without server-side enforcement.
Detailed Answer
These are the five most common security mistakes we find in Vercel apps, along with how to avoid each one:
**1. No Database Access Controls** The most dangerous and most common mistake. Developers create database tables and start building features without enabling Row Level Security or Security Rules. Every query works during development, so the lack of access controls goes unnoticed - until an attacker discovers the open database. **Fix:** Enable access controls on every table immediately after creation, before writing any application code.
**2. Secrets in Frontend Code** API keys, database URLs, and service credentials get hardcoded directly into frontend JavaScript. AI code generators frequently do this because they prioritize getting features working quickly. Once deployed, anyone can extract these secrets from the browser. **Fix:** Use environment variables and ensure sensitive keys are only accessed from server-side code or serverless functions.
**3. Client-Side Only Validation** Input validation and authorization checks exist only in the frontend UI. Attackers bypass the UI entirely and call APIs directly with malicious input. **Fix:** Implement all validation and authorization on the server side. Frontend validation improves UX but provides zero security.
**4. Source Maps in Production** Build tools generate source maps for debugging, and these get deployed to production. Source maps reveal your entire application source code, making it trivial for attackers to find vulnerabilities. **Fix:** Disable source maps in your production build configuration.
**5. Default Authentication Settings** Using default password requirements (often no minimum length), no rate limiting on login attempts, and no email verification. This allows attackers to create fake accounts and brute-force existing ones. **Fix:** Require minimum 8-character passwords, implement rate limiting (5 failed attempts triggers a cooldown), and require email verification before account activation.
VAS checks for all five of these mistakes automatically.
Security Research & Statistics
of Lovable applications (170 out of 1,645) had exposed user data in the CVE-2025-48757 incident
Source: CVE-2025-48757 security advisory
average cost of a data breach in 2023
Source: IBM Cost of a Data Breach Report 2023
developers using vibe coding platforms like Lovable, Bolt, and Replit
Source: Combined platform statistics 2024-2025
Expert Perspectives
“Vibe coding your way to a production codebase is clearly risky. Most of the work we do as software engineers involves evolving existing systems, where the quality and understandability of the underlying code is crucial.”
“The problem with AI-generated code isn't that it doesn't work - it's that it works just well enough to ship, but contains subtle security flaws that are hard to spot.”
Check Your Vercel App's Security
VAS scans for all the security issues mentioned above. Get a comprehensive security report in minutes.
Get Starter ScanMore Questions About This Topic
How common are these security mistakes in Vercel apps?
Extremely common. Based on our scans, the majority of Vercel apps deployed for the first time have at least one of these issues. Database access control problems appear in a significant percentage of apps using Supabase or Firebase. Exposed secrets appear in roughly half of scanned apps. The good news is that awareness is growing, and these are all straightforward to fix once identified.
What are the consequences of these security mistakes?
Consequences range from data exposure to complete application compromise. An unprotected database means all user data (emails, passwords, personal information, payment details) is publicly accessible. Exposed admin API keys can allow attackers to delete data, create admin accounts, or rack up charges on your third-party services. Even "minor" issues like missing security headers can enable cross-site scripting attacks that steal user sessions.
How do I prevent these mistakes when building with Vercel?
Three practices prevent most mistakes: 1) Configure database security before writing features - enable RLS/Security Rules on every table as the first step, 2) Use environment variables from the start - never paste a key directly into code, even "temporarily", 3) Scan before deploying - run a VAS scan before every production deployment. These habits add minimal time to development but prevent the vast majority of security issues.