Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Security for vibe-coded apps

Is v0 secure? Keeping a generated Next.js app's secrets in

July 18, 2026·6 min read
A lit window seen from outside in the dark — a generated app whose internals may show more than intended.

v0 turns a prompt into a polished Next.js app, and the output looks production-ready — which is exactly the problem. "Is v0 secure?" comes down to whether the generated app keeps its secrets on the server, and Next.js makes that easy to get subtly wrong.

v0 is a capable tool that writes real Next.js. The gaps aren't in the framework; they're in the seams the generator doesn't always mind — and Next.js has two seams that leak secrets if you cross them.

The NEXT_PUBLIC_ prefix ships to everyone

In Next.js, any environment variable prefixed NEXT_PUBLIC_ is deliberately baked into the client bundle and sent to every visitor's browser. That's correct for a public value like a Supabase anon key. It's a leak the moment a secret ends up behind that prefix.

A secret in a NEXT_PUBLIC_ variable isn't hidden by .env — the prefix tells Next.js to publish it. Secrets take plain, un-prefixed names and are read only on the server. Grep your build for NEXT_PUBLIC_ and make sure nothing sensitive rides along.

The server/client component seam

Next.js splits code into server and client components. Anything in a "use client" component — or imported by one — can end up in the browser bundle. Read a secret there and it ships, even without a NEXT_PUBLIC_ prefix.

Secrets belong in server components, route handlers, and server actions, where the code runs on your machine and only the result crosses to the client. A generator focused on making the UI work doesn't always keep that line clean — it's the first thing to check.

Route handlers still need their own auth

A slick UI can hide an action from users who shouldn't see it, but the route handler behind it is still a public endpoint. If it doesn't re-check who's calling, anyone can hit it directly and skip the interface. Every server action and route handler re-verifies auth on the server — the UI is not the guard.

And if it wired up Supabase

If your v0 app stores data in Supabase, everything about Row Level Security applies here too — the public anon key is only safe behind real RLS policies. The whole Supabase side is in how to secure a Supabase app.

Audit your v0 app

paste into Claude or ChatGPT
My app was built with v0 (Vercel's v0.dev) and is a Next.js app. Audit it for the security gaps v0-generated Next.js apps commonly ship with, and give me the exact fix for each.

1. Env vars: list every environment variable prefixed with NEXT_PUBLIC_ and confirm NONE of them is actually a secret — because NEXT_PUBLIC_ vars are baked into the client bundle and shipped to every visitor. Flag any secret that's exposed this way.
2. Server vs client components: check whether any secret (API key, database URL, private token) is read inside a "use client" component or otherwise reaches client-side code. Secrets must only be used in server components, route handlers, or server actions.
3. If it uses Supabase: is Row Level Security enabled on every table, with policies that actually restrict rows to the owning user — not off, and not an allow-everyone policy?
4. Route handlers / server actions: does each one re-check auth and authorization on the server, rather than trusting that the UI wouldn't have shown the action?

For each finding, give me the file, the risk in one sentence, and the exact code fix.

This is the v0-specific cut of the pattern behind every AI-built app — the cross-cutting version is vibe coding security risks, and the general exposed-key case is my API key is showing on my website.

Check the outside view too

free tool · no loginSecurity headers checkScan your v0 app's live URL for the security headers a generator leaves unset — clickjacking, sniffing, and downgrade protection. No login.

Keep the secrets server-side. Then watch the live app.

The audit above secures your v0 app now. Tell Me When Down watches it after — SSL that lapses, a URL that starts erroring, a site that goes down — free, no card, so a quiet change doesn't become a public one.

Watch my appfree · no card required
more on security for vibe-coded apps
How to secure a Supabase app: the five settings that matterA Supabase app can be wide open, almost always for the same handful of reasons: RLS off, the service_role key in the browser, public buckets, unguarded functions, secrets in the bundle. Here's the map to closing each one.Is my Supabase database public? RLS, and how to checkYour Supabase anon key is public by design — safe only if RLS is on with a real policy. Tables made outside the Table Editor ship with it off, and USING(true) is still open. Here's how to check if your data is public.My API key is showing on my website — is that bad?An API key visible in your frontend is a shrug or an emergency depending on which kind it is. Public keys (anon, pk_, Maps) are meant to be seen; secret keys are compromised the instant they ship. How to tell, and what to do.Is my app built with AI safe? A non-developer's checkYou built an app with AI, it works, and you're quietly worried it's not safe — but you can't read code. Here are the four plain-English questions that matter, and how to check each one without being a developer.Is Lovable secure? The one setting that decides itA Lovable app can be wide open, and the difference is one setting most builders never touch. The anon-key/RLS model, the gap behind a 2025 CVE, and how to check yours.Is Bolt.new secure? What the generated app leaves openBolt.new builds a working full-stack app fast — which is why the security gets skipped. The usual gaps: a Supabase database with RLS off, secrets in the bundle, UI-only authorization. Here's how to audit yours.Vibe coding security risks: the checklist nobody runsThe appeal of vibe coding is that you don't read every line — which is exactly why the holes get through. Exposed secrets, a database anyone can read, rules enforced only in the UI, and how to close each one.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com