Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Security for vibe-coded apps

Is my app built with AI safe? A non-developer's check

July 18, 2026·6 min read
A grand house facade lit at night — an app that looks finished, its doors not yet checked.

You described an app, an AI built it, and it works. Somewhere between the excitement and the launch, a quieter worry set in: you don't actually know if it's safe, and you're not a developer who can just read the code and find out. That worry is reasonable — and it's checkable.

Here's the honest version, in plain language: AI tools are great at making an app work. They're much less careful about who else can get in once it's live. The good news is that the handful of things that usually go wrong are the same every time, and you can check them without writing a line of code.

First, the reassurance

"Built with AI" does not mean "insecure." It means the safety checks nobody prompted for probably didn't happen on their own. A working AI-built app is a house with the lights on — you just haven't confirmed the doors are locked yet. Confirming that is a short list, not a rebuild.

You don't need to understand the code to secure the app. You need to know which four questions to ask, and how to tell a real "yes, it's fine" from a "it works, so I assumed it was fine."

The four questions that matter most

  1. Can strangers read your data? The most common serious gap: the database is readable by anyone, not just logged-in users. If your app uses Supabase, this is the "is my database public?" question, and it has a clear yes/no answer.
  2. Are secret keys visible in the app? Some keys are meant to be public; some are like a password and must never be visible. Telling them apart is the "my key is showing" question.
  3. Can someone skip the buttons? Hiding an admin action in the interface isn't the same as blocking it. If the only thing stopping a normal user from deleting everything is that the button is hidden, that's not locked.
  4. Is anything left over from building? Test pages, admin panels, and setup routes the tool created and never removed can still be live.

How to check without being a developer

You have two doors here, and you don't need code for either.

For the outside-facing stuff — is the connection secure, are the basic protections in place — you can scan your live web address in seconds:

free tool · no loginSecurity headers checkPaste your app's address and see the basic protections that are set or missing — no login, no code, plain results. A 30-second outside check.

For the inside stuff — the database, the keys — the trick is to make the same AI that built your app check its own work, in plain English. Paste this and it'll walk you through each fix step by step:

paste into Claude or ChatGPT
I built an app with an AI tool (like Lovable, Bolt, v0, or Cursor) and I'm not a developer. I'm worried it might not be secure. Check it for me and explain everything in plain English, no jargon — and if you use a technical term, define it in the same sentence.

Please go through these one at a time and, for each, tell me (a) whether my app is affected, (b) how bad it is in plain terms, and (c) exactly what to click or paste to fix it:
1. Can strangers read my database? (If I use Supabase, check that "Row Level Security" is on for every table with a real rule, not off and not "allow everyone".)
2. Are any secret keys or passwords visible in the app's code that people could copy?
3. Can someone do an admin-only action just by calling the address directly, even though the button is hidden?
4. Are there any test or admin pages still live that should've been removed?

Assume I will not understand code — walk me through fixes step by step.

If you built with a specific tool, we go door-by-door for Lovable, Bolt.new, and v0. The full technical version, if you want it, is vibe coding security risks.

After you've checked it

Securing the app is a one-time pass. Keeping it that way is the part people forget — a certificate quietly expires, the site goes down while you're asleep, an address stops responding. You don't want to learn any of that from a user.

That's the whole idea behind watching an app from outside: it tells you the moment something changes, in plain terms, so a non-technical founder isn't the last to know their own app is down.

You checked it once. Now let something watch it for you.

Join Tell Me When Down free and we'll keep an eye on your AI-built app around the clock — if it goes down, its certificate lapses, or a page stops responding, you get a plain-English email in minutes. No card, no code.

Watch my appfree · no card required
more on security for vibe-coded apps
How to secure a Supabase app: the five settings that matterA Supabase app can be wide open, almost always for the same handful of reasons: RLS off, the service_role key in the browser, public buckets, unguarded functions, secrets in the bundle. Here's the map to closing each one.Is my Supabase database public? RLS, and how to checkYour Supabase anon key is public by design — safe only if RLS is on with a real policy. Tables made outside the Table Editor ship with it off, and USING(true) is still open. Here's how to check if your data is public.My API key is showing on my website — is that bad?An API key visible in your frontend is a shrug or an emergency depending on which kind it is. Public keys (anon, pk_, Maps) are meant to be seen; secret keys are compromised the instant they ship. How to tell, and what to do.Is Lovable secure? The one setting that decides itA Lovable app can be wide open, and the difference is one setting most builders never touch. The anon-key/RLS model, the gap behind a 2025 CVE, and how to check yours.Is Bolt.new secure? What the generated app leaves openBolt.new builds a working full-stack app fast — which is why the security gets skipped. The usual gaps: a Supabase database with RLS off, secrets in the bundle, UI-only authorization. Here's how to audit yours.Is v0 secure? Keeping a generated Next.js app's secrets inv0's Next.js output looks production-ready, which is the trap. NEXT_PUBLIC_ bakes a var into the bundle, and a secret in a client component ships to the browser. Here's how to check a v0 app keeps its secrets in.Vibe coding security risks: the checklist nobody runsThe appeal of vibe coding is that you don't read every line — which is exactly why the holes get through. Exposed secrets, a database anyone can read, rules enforced only in the UI, and how to close each one.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com