Security for Vibe-Coded Internal Tools

Internal tools and admin dashboards often receive less security attention because they're "not public." But they typically have the highest-privilege access to your data, making them prime targets.

Scan Your App Now

Get security coverage specific to your use case.

Why Security Matters for Internal Tools

Internal tools are often the keys to the kingdom. They have admin-level database access, can modify user accounts, process refunds, and view all customer data. A compromised internal tool is often worse than a compromised public-facing app. Developers frequently skip security for internal tools, reasoning that only trusted employees use them. But attackers target internal tools specifically because of this lax security — through phishing, credential stuffing, or exploiting exposed admin endpoints.

Security Risks

Publicly accessible admin endpoints

critical

Admin dashboards deployed to public URLs without authentication, discoverable by scanners.

Mitigation

Add authentication to all admin routes. Consider IP allowlisting or VPN requirements. Never rely on "security through obscurity."

Overprivileged database access

high

Internal tools using service_role keys that bypass all RLS, giving any authenticated admin user full database access.

Mitigation

Use scoped API keys. Implement application-level authorization even for admin users. Log all database operations.

No audit trail

medium

Admin actions not logged, making it impossible to detect misuse or investigate incidents.

Mitigation

Log all admin actions: who did what, when, to which record. Store logs in a separate, append-only location.

Security Checklist

Authentication requiredMust Have

Every admin page and API endpoint requires authenticated access.

Role-based admin permissionsMust Have

Different admin roles (support, billing, superadmin) with scoped access to relevant features only.

Audit logging for all actionsShould Have

Track all admin operations with user, action, timestamp, and affected records.

Network restrictionsShould Have

Restrict admin access to VPN, specific IPs, or require additional MFA step.

Least-privilege database accessShould Have

Admin tools use scoped database credentials, not service_role or root access.

Session timeoutNice to Have

Admin sessions expire after shorter inactivity periods than regular user sessions.

Real-World Scenario

A startup builds an admin dashboard using Bolt to manage their SaaS customers. The dashboard uses the Supabase service_role key to bypass RLS for "convenience." They deploy it to a subdomain admin.example.com without any additional access controls beyond login. An attacker phishes an employee's credentials, logs into the admin panel, and exports the entire customer database including payment info.

Frequently Asked Questions

Is it safe to use service_role keys in internal tools?

Avoid it. Service_role bypasses all RLS, so any vulnerability in your admin tool gives attackers full database access. Instead, use a custom role with specific permissions, or use RLS with an admin policy.

Do internal tools need security headers?

Yes. Clickjacking an admin tool is a common attack vector. Set X-Frame-Options: DENY, CSP, and other security headers on all admin pages.

Should admin tools be on a separate domain?

Ideally yes. A separate domain or subdomain with additional access controls (VPN, IP allowlist) reduces the attack surface. At minimum, put admin routes behind authentication middleware.

Security for Other Use Cases

Data Analytics Dashboards SaaS Applications Customer Portals

Secure Your Internal Tools

VAS automatically scans for the security risks specific to internal tools. Get actionable results with step-by-step fixes tailored to your stack.

Scans from $5, results in minutes.

Get Starter Scan View Pricing