April 2026 · 2 min read

I Audited 20 AI-Built Apps: Every Security Issue I Keep Finding.

Security, AI Apps

Direct Answer

The most common AI-built app security issues are exposed API keys, missing server-side authorization, unsafe database rules, weak CORS, unvalidated inputs, no rate limiting, and no production monitoring. These problems happen because AI tools optimize for a working demo before they optimize for customer data, abuse resistance, and operational recovery.

The Pattern I See

In AI-built apps, the UI often looks more complete than the system underneath it. The prototype can create an account, submit a form, or show a dashboard, but the security boundary is frequently in the wrong place. If the browser decides who can see or update data, the app is not production ready.

Lovable, Bolt, Cursor, v0, and similar tools are useful accelerators. The risk appears when founders assume generated code has already handled threat modeling, least privilege, row-level security, webhook verification, and deployment hygiene. Those are production engineering concerns, not demo concerns.

The Issues To Check First

  • API keys or service-role tokens exposed in client-side JavaScript.
  • Routes that trust hidden UI buttons instead of server-side auth checks.
  • Supabase or Firebase rules that allow broad reads or writes.
  • Webhooks without signature verification.
  • Forms and API routes with no input validation.
  • Expensive endpoints without rate limiting.
  • Missing logs, alerts, or error tracking.

How To Fix The Highest-Risk Issues

Move secrets into environment variables and rotate anything that was exposed. Add server-side auth middleware on every route that reads or mutates private data. Review database rules from the perspective of a malicious logged-in user, not from the perspective of the happy path. Add validation schemas around incoming data and verify third-party webhooks before trusting them.
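As an added illustration (not code from any audited app), here is a demo-grade update handler next to a version that authenticates, validates, and authorizes on the server. The `notes` and `sessions` stores, the handler names, and the request shape are hypothetical and stand in for a real database and session layer.

```javascript
// Constructed in-memory data standing in for a database table.
const notes = new Map([
  ["n1", { id: "n1", ownerId: "alice", text: "alice's note" }],
  ["n2", { id: "n2", ownerId: "bob", text: "bob's note" }],
]);

// Hypothetical session store: identity is resolved on the server from the
// session token, never from fields the browser puts in the request body.
const sessions = new Map([
  ["tok-alice", { userId: "alice" }],
  ["tok-bob", { userId: "bob" }],
]);

// BEFORE: the UI only shows an edit button on your own notes, but the
// handler never checks who is calling, so any caller can edit any note.
function updateNoteInsecure(req) {
  const note = notes.get(req.body.noteId);
  if (!note) return { status: 404 };
  note.text = req.body.text;
  return { status: 200, note };
}

// Validation schema for the body: exact types and bounds, anything else rejected.
function parseUpdate(body) {
  if (typeof body !== "object" || body === null) return null;
  const { noteId, text } = body;
  if (typeof noteId !== "string" || !/^[a-z0-9]{1,32}$/.test(noteId)) return null;
  if (typeof text !== "string" || text.length === 0 || text.length > 2000) return null;
  return { noteId, text };
}

// AFTER: authenticate, validate, then authorize against the stored owner.
function updateNoteSecure(req) {
  const session = sessions.get(req.token);
  if (!session) return { status: 401 };
  const input = parseUpdate(req.body);
  if (!input) return { status: 400 };
  const note = notes.get(input.noteId);
  // Same response for "missing" and "not yours" so note IDs cannot be probed.
  if (!note || note.ownerId !== session.userId) return { status: 404 };
  note.text = input.text;
  return { status: 200, note };
}
```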

Production Checklist

  • Rotate exposed credentials.
  • Enforce auth on the server.
  • Lock database access by user and role.
  • Validate all user-controlled input.
  • Verify payment, auth, and integration webhooks.
  • Add Sentry or equivalent error monitoring.
  • Add uptime checks and a rollback plan.

The main point: an AI-built app can absolutely become production ready, but it needs a security pass before real users, payments, or customer data are involved.

About the author

Cyprian Tinashe Aarons, Senior Full Stack & AI Engineer

Cyprian has 6+ years building and rescuing production software across AI, fintech, healthcare, logistics, Web3, and internal operations. He works with founders on AI app rescue, LangChain, RAG, deployment, automation, and launch-ready product systems.
