April 20, 2026

Protect Your Vibes is live

Six months ago, we shipped an app on Lovable in a weekend. It had users, it had a Stripe integration, it felt real. Two weeks later someone DM'd us a screenshot of our entire users table — emails, names, every row — pulled straight from our Supabase URL with the anon key that was sitting in our JS bundle. 3,400 rows. Public.

We weren't doing anything weird. We followed the tutorial. The tutorial didn't mention RLS. Neither did the AI that wrote the code.

That was the moment we realized there are hundreds of thousands of apps like ours. Built fast, shipped proud, one misconfigured policy away from a headline.

What Protect Your Vibes does

Paste a URL. Thirty seconds later you get a plain-English report of what's leaking from the public side of your app. We scan for the things that actually kill vibe-coded apps:

  • Exposed Supabase / Firebase / PocketBase / Base44 databases with RLS misconfigured or collection rules set to read: true
  • Stripe, OpenAI, Anthropic, AWS keys pasted into client bundles
  • GraphQL introspection that lists every query and mutation to anyone who asks
  • Open CORS, missing CSP, weak cookies, dangling DNS — the boring stuff that compounds
  • 40+ platform-specific detectors because every no-code tool leaks in its own special way

For each finding you get the real evidence — the actual key, the actual row we pulled, the actual URL — plus an attack walkthrough so you understand what someone could do with it, plus copy-paste fix instructions that target your provider's dashboard, not your AI chat.
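The fix the tutorial left out, for the Supabase case described at the top of this post and in the first bullet above, looks like this. It is an added example, not code from Protect Your Vibes or from any tutorial; it assumes a Postgres table `public.users` whose `id` column holds the same UUID as `auth.users.id`, and that the app only ever needs a signed-in user to read and update their own row. Without the first statement, the anon key in the JS bundle can select every row over the REST API, which is exactly the 3,400-row dump described above.

```sql
-- Added example (not the project's code). Assumes public.users(id uuid) mirrors auth.users.id.

-- 1. Turn RLS on. Until this runs, any policy below is ignored and every role
--    with table privileges (including the anon role behind the public key) can read all rows.
alter table public.users enable row level security;

-- 2. Signed-in users may read only their own row. The anon role is not named here,
--    so an unauthenticated request with the public key gets zero rows, not an error.
create policy "users: read own row"
  on public.users
  for select
  to authenticated
  using (auth.uid() = id);

-- 3. Signed-in users may update only their own row, and cannot move it to another id.
create policy "users: update own row"
  on public.users
  for update
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- No insert/delete policies are created here: with RLS enabled and no matching policy,
-- those operations are denied for everyone except the service role, which bypasses RLS
-- and must never ship in a client bundle.

-- Optional belt-and-braces: remove table privileges from anon entirely for this table,
-- so even a future permissive policy cannot re-expose it to unauthenticated callers.
revoke all on public.users from anon;
```

After applying this, a quick self-check is to query the table as the anon role from the SQL editor (`set role anon; select count(*) from public.users; reset role;`) and confirm the count is 0, then repeat as `authenticated` with a request JWT to confirm a user sees exactly one row.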

Who it's for

Anyone who ships software they didn't fully write themselves. Lovable makers. Bolt builders. Base44 creators. Replit Agent users. Cursor-first devs. Anyone who pasted a Supabase URL into a .env and isn't sure what RLS is supposed to look like.

It's also for the senior engineers watching their teammates ship AI-generated code — we give you a one-click report you can send back with "please fix these before we merge."

The ethics guarantee

Most security scanners are rude. They probe endpoints, try credentials, create fake accounts, send junk payloads — because the fastest scan is the one that assumes it has permission.

We don't. Our scanner is built around a three-tier consent system:

1. Passive — the default for anonymous scans. GET requests to the URL you gave us and the JS files that page loads. That's it. No endpoint guessing, no signup attempts, no write probes, no injection payloads, ever. You can scan any site safely because the scanner literally cannot misbehave.

2. Owner-verified — once you prove you own the domain (DNS TXT, file upload, or meta tag), we unlock endpoint enumeration, GraphQL introspection, and up to 3 sample rows per finding as evidence. Still no writes, still no fake accounts.

3. Premium-authorized — reserved for paid + verified + explicit consent. Live credential verification, dynamic runtime scans. You have to actively opt in, per scan.

We also banned entire categories of probe from ever living in the codebase — no write probe to any database, no account creation, no brute force, no injection payloads. Not gated behind a flag. Just gone. The full policy is on the ethics page.

The roadmap

The scanner is free forever for passive scans. Pro ($9.99/mo) unlocks verified-ownership scans, continuous monitoring with email alerts, weekly digests, compliance reports, and a public API. Team is coming for orgs that need seats, SSO, and GitHub PR comments.

Next up: better fix-verification loops, a GitHub app that comments on PRs that introduce new findings, and a public threat feed showing the aggregate vulnerability landscape across vibe-coded apps (fully anonymized, no domains).

If you shipped an app this year, run a scan. It takes thirty seconds and it's free. If it finds nothing, great — tell a friend who built something in Lovable last month to run one too. If it finds something, we'll tell you exactly how to fix it, and we'll tell you the provider's dashboard URL to rotate the key, because rotating a secret by pasting it into an AI chat is how you end up in a second newsletter.

Scan your app: protectyourvibes.ai