
How to Secure Your AI-Built App: A Step-by-Step Guide for Non-Security Engineers

April 17, 2026 · 15 min read

You are not a security engineer. You used Cursor, Lovable, Bolt, or v0 to build an app, and now real users are signing up. You have heard that AI-generated code has vulnerabilities, but you do not know where to start fixing them. This guide walks you through the entire process, step by step, in plain language.

We have helped thousands of vibe-coded apps go from hackable to hardened. The process takes most people 2-4 hours. The hardest part is the first scan — after that, every fix is specific and actionable.

Step 1: Find Out What Is Actually Wrong

Before you fix anything, you need to know what is broken. Do not guess. Do not start adding random security headers because a blog told you to. Scan your live URL and get a specific list of findings.

Run a free scan on VibeArmor. Enter your deployed URL (not localhost). In about 3 minutes, you will get a security grade and a prioritized list of findings organized by severity.

What the grades mean:

  • A+ to A-: No exploitable vulnerabilities found. Your defenses are solid. Minor improvements possible.
  • B+ to B-: No critical issues, but defense gaps exist. Missing headers, no rate limiting, loose CORS. Fix these when you can.
  • C+ to C-: One or more significant security gaps. Probably missing authentication on some routes or broken access control.
  • D to F: Exploitable vulnerabilities confirmed. Exposed secrets, broken RLS, or unprotected admin endpoints. Fix these before taking any more users.

Most AI-built apps score D or F on their first scan. That is normal. It does not mean your app is doomed — it means you have work to do.

Step 2: Fix the Critical Issues First (Tier 1)

Your scan results are organized into three tiers. Tier 1 findings mean someone can steal data right now. These are your only priority until they are all fixed.

Exposed Secrets

If the scan found API keys in your client bundle, this is your first fix. Open your .env.local file and check every variable. If it starts with NEXT_PUBLIC_, it is visible to every visitor.

Safe to expose: Supabase anon key, Supabase project URL, publishable Stripe key (pk_live_).

Must be server-only: Supabase service_role key, Stripe secret key (sk_live_), OpenAI API key, any key that grants write access or costs money.

Move server-only keys to environment variables without the NEXT_PUBLIC_ prefix. Then create API routes that use these keys server-side. Your frontend calls your API route, not the external service directly.

After fixing: Rotate every key that was exposed. Go to each service's dashboard and generate new keys. The old keys should be considered compromised — if your app has been live, someone may have already found them.
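
One way to check a .env file for this mistake, as an added example that is not code from the original guide. The variable names and key values are constructed placeholders, and the patterns cover only the key types named above.

```javascript
// Added example: flag server-only secrets published through NEXT_PUBLIC_ (placeholder keys).

// Build a JWT-shaped sample value carrying the given role claim (constructed data).
const fakeJwt = (role) =>
  ['{"alg":"HS256"}', JSON.stringify({ role }), 'sig']
    .map((part) => Buffer.from(part).toString('base64url'))
    .join('.');

const SAMPLE_ENV = `
NEXT_PUBLIC_SUPABASE_URL=https://example-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt('anon')}
NEXT_PUBLIC_SUPABASE_ADMIN_KEY=${fakeJwt('service_role')}
NEXT_PUBLIC_STRIPE_KEY=pk_live_CONSTRUCTED
NEXT_PUBLIC_STRIPE_SECRET="sk_live_CONSTRUCTED"
OPENAI_API_KEY=sk-CONSTRUCTED
`;

// Read the role claim from a JWT-shaped value; no signature check is needed for triage.
function jwtRole(value) {
  const parts = value.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).role ?? null;
  } catch {
    return null; // not base64url-encoded JSON, so not a JWT
  }
}

// Why a value must stay server-side, or null when it matches no known secret shape.
function secretReason(value) {
  if (/^sk_(live|test)_/.test(value)) return 'Stripe secret key';
  if (/^sk-/.test(value)) return 'OpenAI-style API key';
  if (jwtRole(value) === 'service_role') return 'Supabase service_role key';
  return null;
}

function auditEnv(text) {
  const findings = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?(NEXT_PUBLIC_\w+)\s*=\s*(.*)$/);
    if (!m) continue;
    const value = m[2].trim().replace(/^(['"])(.*)\1$/, '$2'); // strip matching quotes
    const reason = secretReason(value);
    if (reason) findings.push({ name: m[1], reason });
  }
  return findings;
}

console.log(auditEnv(SAMPLE_ENV));
```

The Supabase anon and service_role keys look alike at a glance; the role claim inside the token is what separates them, which is why the check decodes it.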

Broken Row Level Security

If you use Supabase, check whether RLS is enabled and correctly configured on every table. The three most common RLS mistakes are: USING(true) policies that grant access to everyone, UPDATE policies without WITH CHECK that allow privilege escalation, and RLS enabled with zero policies.

Quick test: Open your browser console on your live site and run:

// Assumes your app's Supabase client is reachable in the console as `supabase`.
const { data } = await supabase.from('your_table').select('*')
console.log(data?.length, 'rows returned')

If this returns rows belonging to other users, your RLS is not protecting you.
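
The three mistakes listed above can also be found by reading the policy definitions themselves. This is an added example, not code from the original guide; the table and policy names are hypothetical, and the rows mirror what the standard Postgres views pg_tables and pg_policies return.

```javascript
// Added example: flag the three RLS mistakes from rows of pg_tables and pg_policies.
// Produce the input in the Supabase SQL editor with:
//   select tablename, rowsecurity from pg_tables where schemaname = 'public';
//   select tablename, policyname, cmd, qual, with_check
//     from pg_policies where schemaname = 'public';

// Constructed sample rows (table and policy names are hypothetical).
const TABLES = [
  { tablename: 'profiles', rowsecurity: true },
  { tablename: 'posts', rowsecurity: true },
  { tablename: 'invoices', rowsecurity: true },
  { tablename: 'audit_log', rowsecurity: false },
];
const POLICIES = [
  { tablename: 'profiles', policyname: 'read all', cmd: 'SELECT', qual: 'true', with_check: null },
  { tablename: 'posts', policyname: 'owner read', cmd: 'SELECT',
    qual: '(auth.uid() = user_id)', with_check: null },
  { tablename: 'posts', policyname: 'owner update', cmd: 'UPDATE',
    qual: '(auth.uid() = user_id)', with_check: null },
];

// True when a policy expression is the constant true, with or without parentheses.
const alwaysTrue = (expr) => typeof expr === 'string' && /^\(*\s*true\s*\)*$/i.test(expr);

function auditRls(tables, policies) {
  const findings = [];
  for (const { tablename, rowsecurity } of tables) {
    if (!rowsecurity) {
      findings.push({ table: tablename, issue: 'RLS disabled' });
      continue;
    }
    const own = policies.filter((p) => p.tablename === tablename);
    if (own.length === 0) {
      findings.push({ table: tablename, issue: 'RLS enabled with zero policies' });
    }
    for (const p of own) {
      if (alwaysTrue(p.qual) || alwaysTrue(p.with_check)) {
        findings.push({ table: tablename, policy: p.policyname, issue: 'USING(true)' });
      }
      // FOR ALL policies cover UPDATE too, so they are checked the same way.
      if ((p.cmd === 'UPDATE' || p.cmd === 'ALL') && p.with_check === null) {
        findings.push({ table: tablename, policy: p.policyname, issue: 'UPDATE without WITH CHECK' });
      }
    }
  }
  return findings;
}

console.log(auditRls(TABLES, POLICIES));
```

Treat each finding as a prompt to review the policy: a USING(true) read policy on a deliberately public table can be intentional.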

Unprotected Admin Routes

Open an incognito browser window and try to access your admin pages. If /admin, /dashboard, or any /api/admin/* endpoints load without authentication, they are accessible to anyone.

Fix for Next.js: Create a middleware.ts file at your project root that checks for a valid session before allowing access to protected routes.

Step 3: Strengthen Your Defenses (Tier 2)

Once all Tier 1 issues are fixed, move to Tier 2. These are real security gaps that make attacks easier, even if they do not prove someone can steal data right now.

Add Content-Security-Policy

Without CSP, any XSS vulnerability becomes an instant data exfiltration channel. Adding CSP is one configuration change in next.config.ts. Start permissive and tighten as needed. A loose CSP is infinitely better than none.

Add Rate Limiting

Your login endpoint, signup endpoint, and any route that calls a paid API (OpenAI, Stripe) should have rate limiting. Without it, an attacker can brute-force passwords or run up your API bill. Upstash provides a drop-in solution that works on Vercel with zero infrastructure.

Recommended limits: 5 attempts per minute on login. 10 per minute on signup. 60 per minute on general API routes. Adjust based on your actual usage.
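
How those limits behave against a burst of login attempts, as an added example that is not code from the original guide and not Upstash's API. It keeps counters in process memory to show the logic; the function names and the client address are assumptions.

```javascript
// Added example: in-memory sliding-window limiter using the limits recommended above.
// State lives in one process; on serverless hosts a shared store is needed instead.
const LIMITS_PER_MINUTE = new Map([['login', 5], ['signup', 10], ['api', 60]]);
const WINDOW_MS = 60_000;

// `now` is injectable so the behaviour can be exercised without waiting a minute.
function createLimiter(now = Date.now) {
  const hits = new Map(); // "route:client" -> timestamps of accepted requests

  return function check(route, clientId) {
    const limit = LIMITS_PER_MINUTE.get(route) ?? LIMITS_PER_MINUTE.get('api');
    const key = `${route}:${clientId}`;
    const t = now();
    // Keep only requests still inside the window ending at t.
    const recent = (hits.get(key) ?? []).filter((ts) => t - ts < WINDOW_MS);
    const allowed = recent.length < limit;
    if (allowed) recent.push(t);
    hits.set(key, recent);
    return {
      allowed,
      remaining: limit - recent.length,
      // Seconds until the oldest counted request leaves the window (for Retry-After).
      retryAfterSec: allowed ? 0 : Math.ceil((recent[0] + WINDOW_MS - t) / 1000),
    };
  };
}

// Constructed scenario: eight password guesses from one client, two seconds apart.
function simulateLoginBurst() {
  let clock = 0;
  const check = createLimiter(() => clock);
  const results = [];
  for (let i = 0; i < 8; i++) {
    results.push(check('login', '203.0.113.7'));
    clock += 2_000;
  }
  return results;
}

console.log(simulateLoginBurst().map((r) => (r.allowed ? 'ok' : `429, retry in ${r.retryAfterSec}s`)));
```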

Restrict CORS

If your API returns Access-Control-Allow-Origin: *, any website can make authenticated requests to your API. Restrict CORS to your own domain unless you are intentionally building a public API. See the exact code snippet in our fixes guide.

Secure Your Cookies

Session cookies should have three flags: HttpOnly (prevents JavaScript from reading them), Secure (only sent over HTTPS), and SameSite=Lax (prevents CSRF). If you are using Supabase Auth, most of this is handled automatically. If you are managing sessions yourself, check each flag.
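
A check for those three flags on the Set-Cookie headers your app sends, as an added example that is not code from the original guide. The cookie names and values are constructed samples.

```javascript
// Added example: check Set-Cookie header values for the three flags described above.
// Cookie names and values are constructed samples.
const SAMPLE_SET_COOKIE = [
  'sb-access-token=CONSTRUCTED; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax',
  'session=CONSTRUCTED; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
  'sid=CONSTRUCTED; Path=/; Secure; HttpOnly; SameSite=None',
];

function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
  const flags = new Map(
    attrs.filter(Boolean).map((a) => {
      const i = a.indexOf('=');
      return i === -1 ? [a.toLowerCase(), ''] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
    }),
  );
  const problems = [];
  if (!flags.has('httponly')) problems.push('missing HttpOnly: readable from JavaScript');
  if (!flags.has('secure')) problems.push('missing Secure: can be sent over plain HTTP');
  const sameSite = (flags.get('samesite') ?? '').toLowerCase();
  if (sameSite === '') problems.push('missing SameSite: set SameSite=Lax explicitly');
  else if (sameSite === 'none') problems.push('SameSite=None: sent on cross-site requests');
  else if (sameSite !== 'lax' && sameSite !== 'strict') {
    problems.push(`unknown SameSite value: ${sameSite}`);
  }
  return { name, problems };
}

console.log(SAMPLE_SET_COOKIE.map(auditSetCookie));
```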

Stop Leaking Error Details

AI-generated code often returns full stack traces in error responses. These reveal your file structure, database schema, library versions, and internal logic. In production, return generic error messages and log the details server-side.

Step 4: Re-Scan and Verify

After applying your fixes, deploy to your production URL and run the scan again. Do not test locally — many security issues only manifest in the deployed environment (HTTPS configuration, production headers, actual environment variables).

Compare your new grade to the original. Most apps jump from F to B or higher after fixing Tier 1 issues and adding CSP + rate limiting. If specific findings persist, each one includes a detailed fix prompt you can paste directly into Cursor or your AI tool of choice.

Step 5: Set Up Continuous Monitoring

Security is not a one-time fix. Every time you prompt your AI tool to add a new feature, it can reintroduce vulnerabilities you already fixed. The AI does not remember your security context between conversations.

What continuous monitoring looks like:

  • Scan after every significant deploy (new features, new API routes, database changes)
  • Enable weekly auto-scans so regressions are caught even if you forget to scan manually
  • Review your scan history to track whether your security posture is improving or degrading over time

VibeArmor's Continuous plan ($999/month) includes weekly auto-scans across up to 5 apps with 24-hour critical alerts and a monthly summary call.

Step 6: Advanced Hardening (When You Are Ready)

Once you are scoring A or above, consider these advanced measures:

Webhook Signature Verification

If your app processes Stripe webhooks, Supabase webhooks, or any external event, verify the signature. Without verification, anyone can POST fake events to your webhook endpoint. Stripe provides stripe.webhooks.constructEvent() for this purpose.
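
What signature verification checks, as an added example that is not code from the original guide and not Stripe's library code. The `t=...,v1=...` header layout, the five-minute tolerance, the function names and the sample event are assumptions for illustration.

```javascript
// Added example: timestamped HMAC-SHA256 webhook check. Header layout, secret and
// payload are constructed; with Stripe, call stripe.webhooks.constructEvent() instead.
const crypto = require('node:crypto');

const TOLERANCE_SEC = 300; // refuse events more than five minutes from our clock

// The signature covers "<timestamp>.<raw body>", so neither can be changed alone.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
}

// rawBody must be the exact bytes received, not JSON that was parsed and re-serialised.
function verifyWebhook(rawBody, header, secret, nowSec = Math.floor(Date.now() / 1000)) {
  let timestamp = NaN;
  const candidates = [];
  for (const part of String(header ?? '').split(',')) {
    const [key, value] = part.trim().split('=');
    if (key === 't') timestamp = Number(value);
    if (key === 'v1' && value) candidates.push(Buffer.from(value, 'hex'));
  }
  if (!Number.isInteger(timestamp)) return { ok: false, reason: 'missing timestamp' };
  if (Math.abs(nowSec - timestamp) > TOLERANCE_SEC) return { ok: false, reason: 'stale timestamp' };
  const expected = Buffer.from(sign(secret, timestamp, rawBody), 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  const match = candidates.some(
    (c) => c.length === expected.length && crypto.timingSafeEqual(c, expected),
  );
  return match ? { ok: true } : { ok: false, reason: 'bad signature' };
}

// Constructed sample event and secret.
const SECRET = 'whsec_CONSTRUCTED';
const BODY = '{"type":"order.paid","amount":4200}';
const SENT_AT = 1700000000;
const HEADER = `t=${SENT_AT},v1=${sign(SECRET, SENT_AT, BODY)}`;

console.log(verifyWebhook(BODY, HEADER, SECRET, SENT_AT + 5)); // genuine event
console.log(verifyWebhook(BODY.replace('4200', '1'), HEADER, SECRET, SENT_AT + 5)); // altered body
console.log(verifyWebhook(BODY, HEADER, SECRET, SENT_AT + 3600)); // replayed an hour later
```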

Input Validation Schema

Use a library like Zod to define schemas for every API route's input. This catches malformed data before it reaches your database and prevents entire categories of injection attacks. AI tools know Zod well — ask your AI to "add Zod validation to all my API routes" and review what it produces.

Dependency Auditing

Run npm audit regularly and keep your dependencies updated. AI tools install packages based on their training data, which may include outdated or vulnerable versions. Set up Dependabot or Snyk for automated vulnerability alerts on your GitHub repository.

Security Headers Deep Dive

Beyond CSP, consider adding: Permissions-Policy to restrict browser features, Referrer-Policy to control what URLs are shared with third parties, and Strict-Transport-Security to enforce HTTPS. These are Tier 2 and 3 measures — nice to have, but not urgent if your Tier 1 is clean.
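
A starting configuration for the Content-Security-Policy step in Tier 2 and the headers listed here, as an added example that is not code from the original guide. The Supabase origin is a placeholder, and the directive values are one permissive starting point to tighten later.

```javascript
// Added example: CSP plus the other headers named above, in the shape Next.js expects
// from headers() in next.config. The Supabase origin is a placeholder assumption.
const SUPABASE_ORIGIN = 'https://YOUR-PROJECT.supabase.co';

// A permissive starting policy: inline scripts and styles stay allowed for now,
// but loading from or sending data to unlisted origins is already blocked.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'connect-src': ["'self'", SUPABASE_ORIGIN],
  'frame-ancestors': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
};

function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// reportOnly sends the policy in report-only mode: violations are reported in the
// browser console but nothing is blocked, which helps while tightening the policy.
function securityHeaders({ reportOnly = false } = {}) {
  const cspHeader = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return [
    { key: cspHeader, value: buildCsp(CSP_DIRECTIVES) },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Export this object from next.config so every route is served with the headers.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

console.log(securityHeaders());
```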

How Long Does This Take?

First scan: 3 minutes.

Fixing Tier 1 criticals: 30-60 minutes for most apps (move secrets, fix RLS, protect admin routes).

Fixing Tier 2 issues: 1-2 hours (add CSP, rate limiting, CORS, cookie flags).

Re-scan and verify: 3 minutes.

Total: Most apps go from F to A in a single afternoon. The 15-item checklist is a good companion to work through alongside your scan results.

When to Hire a Security Professional

Self-service scanning and this guide handle the vast majority of security issues in AI-built apps. Consider hiring a professional pentester or using our Pentest service if:

  • Your app handles financial transactions, health data, or other regulated information
  • You need a formal pentest report for SOC 2, HIPAA, or PCI compliance
  • You are preparing for a fundraise or acquisition and need third-party security validation
  • Your scan reveals complex findings you do not understand or cannot fix yourself

For most vibe-coded apps in early stages, automated scanning plus this step-by-step guide is sufficient. Security professionals become valuable when compliance or complexity demands human judgment.

Frequently Asked Questions

I used Lovable/Bolt/v0 and cannot access my code directly. How do I fix vulnerabilities?

Most no-code and low-code platforms allow you to export your code or configure environment variables through their dashboard. For Lovable specifically, you can edit code in the built-in editor. For platform-specific security settings (like Supabase RLS), you configure those in the Supabase dashboard directly, regardless of which frontend tool you used.

Do I need to understand code to secure my app?

For Tier 1 fixes (exposed secrets, RLS), you need basic ability to edit environment variables and run SQL in the Supabase dashboard. For Tier 2 fixes, copy-paste code snippets work for most configurations. If you are truly non-technical, our Pentest service handles everything for you.

My app is not live yet. Should I wait to secure it?

No. Security issues are easier and cheaper to fix before launch. Once real user data is in your database, an exposed secret means a real data breach, not just a test failure. Scan during development, fix before launch.

How much does it cost to secure an AI-built app?

The scan itself is free. Most fixes require zero additional services — they are configuration changes and code adjustments. If you need rate limiting, Upstash has a free tier. CSP and CORS are free configuration. The only cost is your time, and for most apps that is 2-4 hours. See our breakdown of what security audits cost for a detailed comparison.
