vibeblame
Guides

Is your AI-generated app safe? Security checklist for Cursor, Claude Code & Codex apps

AI coding tools ship code that leaks secrets, exposes source maps, and skips security headers by default. Here's what to check in apps built with Cursor, Claude Code, or Codex — and how to fix it.

AI coding tools — Cursor, Claude Code, Codex — are great at getting a working app on screen fast. They are not great at security. They optimize for "it runs," not "it's safe to expose to the internet." The result is a predictable set of holes that show up again and again in AI-generated projects.

This is a checklist for exactly that situation: you built (or vibe-coded) an app with an AI tool and you want a sanity check before — or right after — you ship it.

Why AI-generated code leaks secrets

Three reasons, and they compound:

  1. It writes the shortest path that works. Asked to "call the Stripe API," a model will often drop the key straight into a component, because that's the fewest steps to a running demo. It runs. It also ships your secret to every visitor.
  2. It trusts defaults. Build tools generate source maps and skip security headers by default, and the AI rarely overrides those defaults unless you explicitly ask.
  3. It doesn't see your deployment. The model has no idea whether you're on Vercel, a VPS, or behind a CDN — so it can't reason about what's actually exposed in production.

None of this is a reason to avoid AI tools. It's a reason to check the output. Below are the four issues worth checking first.

1. Hardcoded API keys in the frontend

This is the single most common AI-code leak. The model puts a secret key in a React component, a client-side fetch, or a NEXT_PUBLIC_ variable — and now it's in the bundle every visitor downloads.

Search your built output before you trust it:

grep -rE "sk_live_|AIza|ghp_|xoxb-|Bearer " dist .next/static build 2>/dev/null
# Any hit here is a leaked secret — rotate it and move it server-side

If you find one, rotating the key is mandatory — assume it's already compromised. Then move the call to a server route or server action so the key never reaches the browser.

Full fix: /guides/api-key-leaks

2. Source maps shipped by default

Most AI-scaffolded projects build with source maps on. That means your "compiled" app still hands over the original source — component names, logic, comments — to anyone who opens DevTools.

curl -I https://yourapp.com/_next/static/chunks/main.js.map
# 200 = your source code is public. 404 = good.

Full fix: /guides/source-maps-production

3. Missing security headers

An AI rarely adds a Content-Security-Policy or HSTS unless asked. Without them your app is open to XSS injection and clickjacking. Check what you're actually sending:

curl -sI https://yourapp.com | grep -iE "content-security-policy|strict-transport-security|x-frame-options"
# Empty output = no security headers

Full fix: /guides/security-headers

4. Weak or missing TLS

If you deployed to Vercel, Netlify, or Cloudflare Pages, TLS is handled and you can skip this. The risk appears when an AI tool sets you up on a custom server or a bare VPS and never configures HTTPS properly — leaving you on an expired cert, a domain mismatch, or plain HTTP.

echo | openssl s_client -connect yourapp.com:443 -servername yourapp.com 2>/dev/null | openssl x509 -noout -dates

Full fix: /guides/tls-ssl

Notes by tool and platform

  • Cursor / Claude Code / Codex — these edit your real repository. They'll happily inline an API key to make a feature work, because that's the shortest path to "it runs." Review any diff that touches an API call, a fetch, or an env var before you commit it.
  • Your deploy host (Vercel / Netlify / Cloudflare) — TLS and HTTPS are automatic here, so TLS issues are rare. Your real risks are the leaked keys and default source maps that came from the generated code. Security headers still need to be added by you.
  • Any toolNEXT_PUBLIC_ (or VITE_, PUBLIC_) prefixed variables are public by design. Never put a secret behind one, no matter which assistant wrote the line.

How to check your app in 30 seconds

Running every command above by hand is fine, but slow. The faster path: paste your deployed URL into vibeblame. It scans for leaked keys, exposed source maps, missing headers, TLS problems, and SEO gaps at once — then generates a ready-to-paste AI fix prompt describing every issue with your tech stack, so you can hand it straight back to Cursor or Claude and fix it in one go.

← All guidesScan a site
Is your AI-generated app safe? Security checklist for Cursor, Claude Code & Codex apps | vibeblame