Are Your Vibe-Coded Sites Leaking Secrets?
How I Scanned 2,000 Sites Built with Vibe Tools and What I Found
Vibe coding platforms like Lovable, Bolt, and other no-code or low-code tools make it fast and easy to build modern websites.
But that speed comes with a hidden cost—security is often an afterthought.
Curious about how secure these platforms really are, I decided to scan 2,000 vibe-coded websites built with them.
What I discovered was shocking: nearly 50% of the sites had sensitive information exposed to the public.
What Is Vibe Coding?
"Vibe coding" is a growing trend where people build websites using stylish, no-code platforms like Lovable, Bolt, or Replit.
These platforms make it easy to build and deploy apps and landing pages using AI-powered builders that often generate React-based apps.
React is one of the most popular frontend technologies today, which makes vibe-coded tools even more accessible to non-technical users.
These platforms emphasize aesthetics and fast deployment over traditional dev pipelines. Most sites are built visually, often with React under the hood and Vite or SWC as the bundler, a setup that includes .env variables in the final JS bundle by default.
The Plan: Scraping, Scanning, and Searching for Leaks
Collected Domains
Using the Google Search API with dork-style queries such as site:lovable.app, I identified subdomains and public pages powered by these platforms.
Scraped HTML & JavaScript Bundles
I built a custom Puppeteer scraper hosted on a serverless endpoint to:
- Load each website’s HTML
- Extract the type="module" JS script source
- Fetch and analyze the contents of the bundled JS
Scanned for Sensitive Patterns
I ran each script through a set of regex-based detectors, looking for:
- sk- style OpenAI keys
- Valid JWT tokens
- Firebase configs
- Google API keys
- Mongo/Postgres connection strings
- Hardcoded environment variables
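As an added example (not the author's scraper or detector set), the following Node.js script shows steps 2 and 3 of this plan in one place: pulling the type="module" script URL out of a page's HTML and running regex detectors for the categories listed above over the bundle text. It also decodes the payload of any JWT it finds, because a token in a bundle may be a public anonymous key by design, and the role and expiry claims decide how serious the finding is. The HTML, the bundle and every key-like value are constructed; the detector patterns are mine and are intentionally loose.

```javascript
// Added example (Node.js, stdlib only); this is not the post's own scraper or
// detector set. Step 2 of the plan: pull module-script URLs out of a page's HTML.
// Step 3: run regex detectors over the bundle text and return redacted findings.
// The HTML, bundle and every key-like value below are constructed sample data.

function extractModuleScripts(html, pageUrl) {
  const urls = [];
  const tagRe = /<script\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    if (!/\btype\s*=\s*["']module["']/i.test(tag)) continue; // only the ESM bundle
    const src = tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (src) urls.push(new URL(src[1], pageUrl).href);       // resolve relative src
  }
  return urls;
}

// Detectors modelled on the categories in the post. They are deliberately loose:
// a hit is a lead to triage, not proof of a live credential.
const DETECTORS = [
  { kind: 'openai-key',           re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { kind: 'jwt',                  re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  { kind: 'google-api-key',       re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { kind: 'firebase-config',      re: /apiKey\s*:\s*["'][^"']+["'][\s\S]{0,300}?projectId\s*:\s*["'][^"']+["']/g },
  { kind: 'db-connection-string', re: /\b(?:mongodb(?:\+srv)?|postgres(?:ql)?):\/\/[^\s"'`]+/g },
  // Vite inlines the whole import.meta.env object when code touches it directly,
  // so VITE_* names paired with a literal value can survive into the bundle.
  { kind: 'env-variable',         re: /\b(?:VITE|REACT_APP|NEXT_PUBLIC)_[A-Z0-9_]+["']?\s*[:=]\s*["'][^"']+["']/g },
];

function redact(value) {
  return value.length <= 8 ? '***' : `${value.slice(0, 6)}...[${value.length} chars]`;
}

function scanBundle(text) {
  const findings = [];
  for (const { kind, re } of DETECTORS) {
    re.lastIndex = 0;                       // shared global regex: reset between scans
    let m;
    while ((m = re.exec(text)) !== null) {
      findings.push({ kind, offset: m.index, sample: redact(m[0]) });
    }
  }
  return findings;
}

// A JWT in a bundle may be an anonymous/public key by design. Decoding the
// (unverified) payload shows role and expiry so the finding can be triaged.
function base64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}
function base64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function decodeJwtPayload(token) {
  return JSON.parse(base64urlDecode(token.split('.')[1]));
}

// Constructed sample page and bundle (fake values; nothing here is a real credential).
const SAMPLE_PAGE_URL = 'https://example.com/';
const SAMPLE_HTML = `<!doctype html><html><head>
<script type="module" crossorigin src="/assets/index-a1b2c3.js"></script>
<script src="/legacy.js"></script>
</head><body><div id="root"></div></body></html>`;

const SAMPLE_JWT = base64urlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
  base64urlEncode('{"iss":"example-project","sub":"service","role":"admin","exp":1900000000}') + '.' +
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVyLW5vdC1yZWFs';   // fake signature

const SAMPLE_BUNDLE = [
  'const e={BASE_URL:"/",MODE:"production",VITE_OPENAI_KEY:"sk-FAKEFAKEFAKEFAKEFAKEFAKE1234"};',
  `const t="${SAMPLE_JWT}";`,
  'const f={apiKey:"AIzaFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK",authDomain:"demo.firebaseapp.com",projectId:"demo-app"};',
  'const d="postgres://app:FAKEPASS@db.internal:5432/prod";',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('module scripts:', extractModuleScripts(SAMPLE_HTML, SAMPLE_PAGE_URL));
  for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(f.kind, '@', f.offset, f.sample);
  console.log('jwt claims:', decodeJwtPayload(SAMPLE_JWT));
}
```

Point scanBundle at your own build output before deploying (for a Vite project, the files under dist/assets/) or at the module script your deployed page actually serves. Treat every hit as something to rotate or move server-side, and use the decoded JWT claims to tell a public anonymous key from an admin or service token.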
The Results: Security Issues Found on Half of the Sites
Here’s what the scan revealed:
- Total Sites Scanned: 2,000
- Websites with Security Issues: 990
- Total Issues Found: 1,200+
Most Common Issues
- JWT Tokens – 1,120 found
- Google API Keys – 70
- Exposed .env Variables – 10
This means 49.5% of vibe-coded sites had at least one exposed secret, which could be used by attackers or bots.
Why This Matters
When using vibe platforms, your frontend often includes everything needed to render the app—including your secrets—unless you explicitly protect them.
- Exposed API keys can be abused for spam or billing abuse
- Leaked tokens can allow unauthorized access
- Environment variables might reveal internal URLs, admin routes, or even credentials
And yes, most of these leaks are completely avoidable with proper builds and backend separation.
Final Thoughts: Vibe with Caution
If you're building with Lovable, or any similar platform, here’s your checklist:
- ✅ Never include .env variables in your frontend
- ✅ Don’t hardcode API keys in JS files
- ✅ Use serverless functions for anything secret
- ✅ Test your production site as if you were a hacker
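To make the checklist concrete, here is an added example (not the post's code and not any platform's) of the "before" and "after" for one secret. Vite exposes only VITE_-prefixed variables to client code, and it does so by inlining their values at build time, so the "before" pattern ships the key in the bundle; the "after" keeps the key in the serverless function's environment and gives the browser a narrow proxy route with an origin check, a size limit and a response that forwards only the field the UI needs. createChatProxy, the request shape and the upstream URL are hypothetical; the key value is constructed, and a fake fetch stands in for the upstream so the self-check runs offline.

```javascript
// Added example, not from the post or any vibe-coding platform.
//
// BEFORE (browser code, do not do this): the value of VITE_OPENAI_KEY is
// inlined into the production bundle, so anyone who loads the site can read it.
//   const r = await fetch('https://api.openai.com/v1/responses', {
//     headers: { Authorization: `Bearer ${import.meta.env.VITE_OPENAI_KEY}` } });
//
// AFTER: the browser calls our own route; the key lives only in the function's
// environment. The handler below is framework-neutral (request-like object in,
// plain result out) so it can be wrapped for any serverless runtime.

function createChatProxy({ apiKey, upstreamUrl, fetchImpl, allowedOrigin, maxPromptChars = 2000 }) {
  if (!apiKey) throw new Error('OPENAI_API_KEY is missing from the function environment');
  return async function handle(req) {
    if (req.method !== 'POST') return { status: 405, body: { error: 'method not allowed' } };
    if (allowedOrigin && req.headers.origin !== allowedOrigin)
      return { status: 403, body: { error: 'origin not allowed' } };
    const prompt = typeof req.body?.prompt === 'string' ? req.body.prompt : '';
    if (!prompt || prompt.length > maxPromptChars)
      return { status: 400, body: { error: 'prompt missing or too long' } };
    const upstream = await fetchImpl(upstreamUrl, {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ input: prompt }),
    });
    const data = await upstream.json();
    // Return only what the UI needs; never forward upstream headers, usage or the key.
    return { status: upstream.ok ? 200 : 502, body: { output: data.output ?? null } };
  };
}

// Self-check with a fake upstream so this runs offline (constructed data only).
async function demo() {
  const calls = [];
  const fakeFetch = async (url, opts) => {
    calls.push({ url, opts });
    return { ok: true, json: async () => ({ output: 'hello', usage: { tokens: 3 } }) };
  };
  const handle = createChatProxy({
    apiKey: process.env.OPENAI_API_KEY || 'sk-FAKE-SERVER-ONLY-KEY', // real deploy: env only
    upstreamUrl: 'https://upstream.example/v1/responses',           // hypothetical
    fetchImpl: fakeFetch,
    allowedOrigin: 'https://app.example.com',
  });
  const good = await handle({ method: 'POST', headers: { origin: 'https://app.example.com' }, body: { prompt: 'hi' } });
  const badOrigin = await handle({ method: 'POST', headers: { origin: 'https://other.example' }, body: { prompt: 'hi' } });
  const badMethod = await handle({ method: 'GET', headers: {}, body: {} });
  return { good, badOrigin, badMethod, authHeader: calls[0].opts.headers.Authorization, calls: calls.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then(r => console.log(JSON.stringify(r, null, 2)));
}
```

The frontend then calls the route with the prompt and nothing else; the key never leaves the function, and a scan of the deployed bundle (the test in the checklist's last item) finds no sk- string to report.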