{"slug": "you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably", "title": "You built an app with AI this weekend. Here are the security holes it probably has.", "summary": "A developer warns that apps built quickly with AI assistance often contain security holes because developers rarely review AI-generated code. The most common issues include hardcoded secrets in git history, missing authentication on data routes, and overly permissive storage or database settings. The developer recommends a 15-minute checklist to catch these vulnerabilities before shipping.", "body_md": "You had an idea on Friday. By Sunday you had a working app. The AI wrote most of the code, you wired it together, and it just worked.\n\nHere is the part nobody says out loud: you did not read every line the AI wrote. Almost nobody does. That is fine, it is how building works now. But it means there are probably a few security holes sitting in your app that you cannot see, because you never looked at the code that made them.\n\nThe good news: the most common holes in AI-built apps are a short, predictable list. You can check for them in about 15 minutes. Here are the three that cause the most real trouble, in plain terms.\n\nAI assistants love to put your API key or database password right in the code to make things work. It runs great. The problem shows up later: that secret ends up in your git history, and public repos get scanned by bots within minutes of going up.\n\nDeleting the line does not fix it. The secret still lives in your past commits. Anyone who clones the repo can read it.\n\n**How to check:** search your code for anything that looks like a key or password. If you find one, or if one was ever committed, rotate it now (create a new one, revoke the old), then move secrets into environment variables instead of the code.\n\nWhen the AI builds a route that returns data, it often does not add a check for who is asking. It works in testing because you are the only user. Then it ships, and anyone who finds the URL can pull the data.\n\n**How to check:** for every route that returns user or account data, confirm there is a login or permission check in front of it. If a route hands back private data to anyone who asks, that is the first thing to fix.\n\nStorage buckets, databases, and file uploads often start with a default that is more open than you meant. The AI picks a setting that works, not the one that is safe. So your uploads or your database might be readable by the whole internet without you knowing.\n\n**How to check:** look at your storage and database settings. Anything holding real user data should be private by default, with access granted on purpose, not by accident.\n\nBefore you put your app in front of real people, run this list:\n\nThat covers the large majority of real incidents in fast-built apps.\n\nYou do not have to eyeball all of this. An independent scan can run the whole checklist and hand you the exact fixes, so you can ship with confidence instead of a nagging worry. That is the problem we built RepoFortify to solve, and it plugs into Claude Code, Cursor, and Windsurf so the fixes show up right where you are already working. But even if you never use a tool, the checklist above will catch most of what matters.\n\nShip fast. Just do the 15-minute check first.\n\n[https://repofortify.com/mcp?utm_source=devto&utm_medium=content&utm_campaign=vibe-security](https://repofortify.com/mcp?utm_source=devto&utm_medium=content&utm_campaign=vibe-security)", "url": "https://wpnews.pro/news/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably", "canonical_source": "https://dev.to/sstart/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably-has-ape", "published_at": "2026-07-12 00:13:52+00:00", "updated_at": "2026-07-12 00:43:38.083139+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools", "ai-tools"], "entities": ["RepoFortify", "Claude Code", "Cursor", "Windsurf"], "alternates": {"html": "https://wpnews.pro/news/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably", "markdown": "https://wpnews.pro/news/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably.md", "text": "https://wpnews.pro/news/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably.txt", "jsonld": "https://wpnews.pro/news/you-built-an-app-with-ai-this-weekend-here-are-the-security-holes-it-probably.jsonld"}}