Working ≠ Safe
Real security gaps in AI-generated code — what they are, why they pass every test, and the one-line fixes.

Your secret API key is in your frontend. Press F12.
AI ships your AI, payment, or service-role key to the browser via NEXT_PUBLIC_. Anyone can read it in seconds. Why it happens and the one-line fix.
How users give themselves a free paid plan in one request
AI saves the whole request body, so a user can add is_premium or role:admin and grant it to themselves. No payment, no permission. The one-line fix.
Your Supabase login is decoration if RLS is off
AI leaves Row Level Security off, so the public anon key in your frontend can read and write your entire database from the browser. How to check and fix it.
The one line of AI-generated code that leaks every user's data
AI builds a login that works — then lets any user read everyone else's data by changing one number. Why it passes every test, and the one-line fix.
The fake webhook that hands out free premium
AI wires up Stripe but skips signature verification, so anyone can POST a fake 'paid' event and unlock premium for free. Here's the one-line fix.
