u/YourTurnSignals

Reviewed 25 vibe-coded apps as a senior engineer. Here's what I found in all of them.

I've been a software engineering manager for 11+ years. Over the past few months, I started reviewing vibe-coded apps out of curiosity, and the same issues keep showing up regardless of the stack. Here's what I found in every single one:

1. Auth tokens committed to the repo

Environment variables with Supabase keys, OpenAI keys, or Stripe secrets sitting in .env files that got pushed. One leaked key and you're looking at your entire database exposed or a surprise $3,000 API bill.

2. RLS misconfigured on at least one table

Supabase Row Level Security is turned on, but at least one table has a policy that's too broad or missing entirely. The app works fine until someone figures out they can read another user's data.

3. No rate limiting on any endpoint

Every API route is wide open. A single script running in a loop can take the whole thing down or run up your cloud bill in minutes.

4. No error handling past the happy path

The AI writes code that works when everything goes right. When a third-party API times out or a database write fails, there's nothing catching it. It just fails silently.

5. N+1 queries and wildly inefficient database access

The app works fine with 10 users, then completely falls over at 1,000. AI-generated code often fetches related data inside loops, makes repeated database calls for every render, or skips indexing entirely. You end up with pages making hundreds of unnecessary queries and response times exploding under load.

6. No authorization checks beyond login

A lot of vibe-coded apps correctly check “is the user logged in?” but never check “should this user be allowed to do this action?” Users can often modify IDs in requests and access admin functions, other users’ records, or paid features because ownership and role checks were never implemented properly.

None of these are hard to fix once you know they're there. The problem is they're invisible until something breaks in front of your users. Auditing your code on QodeShark (my team and I built it) or Qodo before launching might be a good idea.

Happy to answer questions if any of this is useful.

reddit.com
u/YourTurnSignals — 1 day ago
▲ 13 r/Base44
u/YourTurnSignals — 1 day ago
▲ 30 r/lovable
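Worked example for item 1 (auth tokens committed to the repo). This is added code, not from the post or any of the tools it names: a scanner that reads the text of a file such as a committed .env and flags the key types the post lists. The key prefixes are assumptions about current vendor formats (Stripe `sk_live_`/`sk_test_`, OpenAI `sk-`/`sk-proj-`, Supabase legacy API keys as JWTs carrying a `role` claim), and the sample .env is constructed from fake values.

```typescript
// Added example (not from the post): flag committed secrets by type and
// severity. Key formats below are assumptions about vendor conventions; the
// sample .env is constructed and contains no real credentials.

export type Severity = "critical" | "high" | "medium" | "info";
export interface Finding { line: number; kind: string; severity: Severity; preview: string }

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Minimal unpadded base64url codec so the block needs neither Buffer nor atob.
export function base64UrlEncode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = (acc << 8) | (s.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}

export function base64UrlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

// Supabase legacy API keys are JWTs whose payload carries "role": "anon" or
// "service_role". The service_role key bypasses RLS, so a leaked one exposes
// the whole database; the anon key is meant to be public and is only as safe
// as the RLS policies behind it (item 2).
function jwtRole(token: string): string | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload.role === "string" ? payload.role : undefined;
  } catch {
    return undefined;
  }
}

const PATTERNS: Array<{ kind: string; re: RegExp; severity: Severity }> = [
  { kind: "stripe_live_secret_key", re: /\b[sr]k_live_[0-9A-Za-z]{16,}\b/, severity: "critical" },
  { kind: "stripe_test_secret_key", re: /\b[sr]k_test_[0-9A-Za-z]{16,}\b/, severity: "medium" },
  { kind: "openai_api_key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/, severity: "high" },
  { kind: "jwt", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/, severity: "high" },
];

// Never echo the full value into a report; the finding must not become a second leak.
function redact(v: string): string { return `${v.slice(0, 8)}...${v.slice(-4)}`; }

export function scanForSecrets(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const p of PATTERNS) {
      const m = p.re.exec(line);
      if (!m) continue;
      let { kind, severity } = p;
      if (kind === "jwt") {
        const role = jwtRole(m[0]);
        if (role === "service_role") { kind = "supabase_service_role_key"; severity = "critical"; }
        else if (role === "anon") { kind = "supabase_anon_key"; severity = "info"; }
      }
      findings.push({ line: idx + 1, kind, severity, preview: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample .env; the JWTs are assembled here with a fake signature.
function fakeJwt(payload: object): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.fakesignaturenotverified`;
}
export const SAMPLE_ENV = [
  "SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt({ iss: "supabase", role: "anon" })}`,
  `SUPABASE_SERVICE_ROLE_KEY=${fakeJwt({ iss: "supabase", role: "service_role" })}`,
  "OPENAI_API_KEY=sk-proj-FAKEFAKEFAKEFAKEFAKEFAKEFAKE",
  "STRIPE_SECRET_KEY=sk_live_FAKEFAKEFAKEFAKEFAKEFAKE",
  "STRIPE_PUBLISHABLE_KEY=pk_live_FAKEFAKEFAKEFAKEFAKEFAKE",
].join("\n");

for (const f of scanForSecrets(SAMPLE_ENV)) {
  console.log(`${f.severity} line ${f.line} ${f.kind} ${f.preview}`);
}
```

Run it over `git diff --cached` output in a pre-commit hook, or over every file in the history if the repo has already been pushed. A key that has been committed once is burned regardless of a later `git rm`: rotate it, then add `.env` to `.gitignore`.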
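Worked example for item 3 (no rate limiting on any endpoint). Added code, not from the post: a per-client token-bucket limiter with the clock passed in so it can be tested deterministically, the key-selection rule a route should use, and a hypothetical route wrapper that answers 429 with `Retry-After`. The `Req` shape is an assumption.

```typescript
// Added example (not from the post): token-bucket rate limiting per client.
// The clock is injected (nowMs) so behaviour is reproducible in tests.

export interface Verdict { allowed: boolean; remaining: number; retryAfterMs: number }
interface Bucket { tokens: number; updatedAt: number }

export class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly capacity: number,      // burst size
    private readonly refillPerSec: number,  // sustained requests per second
    private readonly maxKeys = 10000,       // bound memory when keys are sprayed
  ) {}

  check(key: string, nowMs: number): Verdict {
    let b = this.buckets.get(key);
    if (!b) {
      if (this.buckets.size >= this.maxKeys) this.evictStalest();
      b = { tokens: this.capacity, updatedAt: nowMs };
      this.buckets.set(key, b);
    }
    const elapsedSec = Math.max(0, nowMs - b.updatedAt) / 1000;  // clamp clock going backwards
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAt = nowMs;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    const retryAfterMs = Math.ceil(((1 - b.tokens) / this.refillPerSec) * 1000);
    return { allowed: false, remaining: 0, retryAfterMs };
  }

  get trackedKeys(): number { return this.buckets.size; }

  // Drop the least recently seen bucket rather than refusing to track new clients.
  private evictStalest(): void {
    const pick = { key: "", at: Infinity, found: false };
    this.buckets.forEach((v, k) => {
      if (v.updatedAt < pick.at) { pick.at = v.updatedAt; pick.key = k; pick.found = true; }
    });
    if (pick.found) this.buckets.delete(pick.key);
  }
}

// Key on the authenticated identity when there is one, otherwise on the client
// IP as reported by a trusted proxy (never on a header the client controls).
export interface Req { userId?: string; ip: string }
export function limitKey(req: Req): string {
  return req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
}

// Hypothetical route wrapper: denied requests get 429 and a Retry-After header.
export function guard(
  limiter: TokenBucketLimiter,
  req: Req,
  nowMs: number = Date.now(),
): { status: 200 | 429; headers: Record<string, string> } {
  const v = limiter.check(limitKey(req), nowMs);
  if (v.allowed) return { status: 200, headers: { "X-RateLimit-Remaining": String(v.remaining) } };
  return { status: 429, headers: { "Retry-After": String(Math.ceil(v.retryAfterMs / 1000)) } };
}

// Stand-alone demo: 5-request burst, 1 request/second sustained.
const demoLimiter = new TokenBucketLimiter(5, 1);
for (let i = 0; i < 7; i++) console.log(i + 1, guard(demoLimiter, { ip: "203.0.113.9" }, 0).status);
```

The routes that need this most are the ones that cost money per call (anything that hits OpenAI or Stripe) and the auth endpoints. An in-memory `Map` is per process, so on a multi-instance deployment the bucket state has to live in shared storage such as Redis or the database; the arithmetic stays the same.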
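Worked example for item 4 (no error handling past the happy path). Added code, not from the post: a timeout wrapper that turns a hung third-party call into an error, a bounded retry with exponential backoff, and a hypothetical route boundary that logs the failure with context and returns a real error status instead of letting the request fail silently. No vendor SDK is used; the upstream calls are constructed stand-ins.

```typescript
// Added example (not from the post): fail loudly and within bounds when a
// third-party call times out or errors. `handle` is a hypothetical route boundary.

export class UpstreamError extends Error {
  constructor(
    message: string,
    public readonly kind: "timeout" | "failure",
    public readonly attempts: number,
    public readonly last?: unknown,
  ) {
    super(message);
    this.name = "UpstreamError";
  }
}

// Race the call against a deadline; clear the timer either way so nothing leaks.
export function withTimeout<T>(work: Promise<T>, ms: number, label: string): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new UpstreamError(`${label} timed out after ${ms}ms`, "timeout", 1)), ms);
  });
  const clear = () => { if (timer !== undefined) clearTimeout(timer); };
  return Promise.race([work, deadline]).then(
    (v) => { clear(); return v; },
    (e) => { clear(); throw e; },
  );
}

// Bounded retries with exponential backoff; the sleep is injectable for tests.
export async function retry<T>(
  fn: (attempt: number) => Promise<T>,
  opts: { attempts: number; baseDelayMs: number; sleep?: (ms: number) => Promise<void> },
): Promise<T> {
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((r) => setTimeout(r, ms)));
  let last: unknown;
  for (let attempt = 1; attempt <= opts.attempts; attempt++) {
    try {
      return await fn(attempt);
    } catch (e) {
      last = e;
      if (attempt < opts.attempts) await sleep(opts.baseDelayMs * 2 ** (attempt - 1));
    }
  }
  const kind = last instanceof UpstreamError ? last.kind : "failure";
  throw new UpstreamError(`gave up after ${opts.attempts} attempts`, kind, opts.attempts, last);
}

export interface Reply { status: 200 | 502 | 504; body: unknown }

// Route boundary: every failure is logged with context and mapped to a status
// the client can act on; nothing is swallowed and no half-finished success is returned.
export async function handle(op: () => Promise<unknown>, log: (line: string) => void): Promise<Reply> {
  try {
    return { status: 200, body: await op() };
  } catch (e) {
    const err = e instanceof UpstreamError ? e : new UpstreamError(String(e), "failure", 1, e);
    log(`upstream failure kind=${err.kind} attempts=${err.attempts}: ${err.message}`);
    return { status: err.kind === "timeout" ? 504 : 502, body: { error: "upstream unavailable" } };
  }
}

// Stand-alone demo: one call that fails twice then succeeds, one that hangs.
export async function demo(): Promise<{ charged: string; hungStatus: number; hungLog: string[] }> {
  const charged = await retry(
    async (n) => { if (n < 3) throw new Error("ECONNRESET"); return "charged"; },
    { attempts: 3, baseDelayMs: 1 },
  );
  const hungLog: string[] = [];
  const reply = await handle(
    () => withTimeout(new Promise<never>(() => {}), 50, "vendor.call"),
    (line) => { hungLog.push(line); },
  );
  return { charged, hungStatus: reply.status, hungLog };
}

demo().then((r) => console.log(r));
```

Retries are only safe for operations that are idempotent or carry an idempotency key; retrying a payment capture without one can charge twice. For a database write that fails after a side effect has already happened, the boundary should also record that the two are out of sync rather than returning 200.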
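Worked example for item 5 (N+1 queries). Added code, not from the post: the same "posts with their authors" page written the N+1 way and the batched way, run against a fake query layer that counts round trips. The tables and rows are constructed. In Supabase the batched form corresponds to one `.in("id", ids)` query on the related table, or to a single select that embeds the related row through the foreign key.

```typescript
// Added example (not from the post): count round trips for an N+1 page versus
// a batched one. CountingDb is a constructed stand-in for a real client.

interface Post { id: number; authorId: number; title: string }
interface Profile { id: number; name: string }

export class CountingDb {
  queries = 0;  // every method call is one round trip
  constructor(private readonly posts: Post[], private readonly profiles: Profile[]) {}
  async selectPosts(): Promise<Post[]> { this.queries++; return this.posts; }
  async selectProfile(id: number): Promise<Profile | undefined> {
    this.queries++;
    return this.profiles.find((p) => p.id === id);
  }
  async selectProfilesIn(ids: number[]): Promise<Profile[]> {
    this.queries++;
    const wanted = new Set(ids);
    return this.profiles.filter((p) => wanted.has(p.id));
  }
}

export interface Row { title: string; author: string }

// N+1: one query for the posts, then one more per post inside the loop.
export async function pageNaive(db: CountingDb): Promise<Row[]> {
  const rows: Row[] = [];
  for (const post of await db.selectPosts()) {
    const author = await db.selectProfile(post.authorId);
    rows.push({ title: post.title, author: author?.name ?? "unknown" });
  }
  return rows;
}

// Batched: collect the distinct foreign keys, fetch them once, join in memory.
export async function pageBatched(db: CountingDb): Promise<Row[]> {
  const posts = await db.selectPosts();
  const ids = Array.from(new Set(posts.map((p) => p.authorId)));
  const profiles = await db.selectProfilesIn(ids);
  const byId = new Map(profiles.map((p) => [p.id, p] as const));
  return posts.map((post) => ({ title: post.title, author: byId.get(post.authorId)?.name ?? "unknown" }));
}

// Constructed data: four posts, three author ids, one of which has no profile row.
export const POSTS: Post[] = [
  { id: 1, authorId: 10, title: "Hello" },
  { id: 2, authorId: 11, title: "Second" },
  { id: 3, authorId: 10, title: "Third" },
  { id: 4, authorId: 12, title: "Orphan" },
];
export const PROFILES: Profile[] = [{ id: 10, name: "alice" }, { id: 11, name: "bob" }];

export async function compare(): Promise<{ naiveQueries: number; batchedQueries: number; sameRows: boolean }> {
  const a = new CountingDb(POSTS, PROFILES);
  const b = new CountingDb(POSTS, PROFILES);
  const [x, y] = await Promise.all([pageNaive(a), pageBatched(b)]);
  return { naiveQueries: a.queries, batchedQueries: b.queries, sameRows: JSON.stringify(x) === JSON.stringify(y) };
}

compare().then((r) => console.log(r));
```

The naive page costs 1 + N queries and the batched one costs 2 whatever N is. The other half of the fix is the index: the `IN` lookup and the join both need an index on the foreign-key column, and a quick way to find the missing ones is to check which filters and joins in the app hit columns that have none.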
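Worked example for item 6 (no authorization checks beyond login), which is also the application-layer side of item 2. Added code, not from the post: a "delete document" handler written the way the post describes (login check only, then trust the id in the request) next to a hardened version that loads the row and checks ownership or role before acting. The session and store types are hypothetical. In Supabase the database-layer counterpart is an RLS policy whose `using` clause compares the row's owner column to `auth.uid()`; the handler check still has to exist on top of it because any code path that uses the service_role key bypasses RLS.

```typescript
// Added example (not from the post): the IDOR the post describes next to the
// fixed handler. Session, Doc and DocStore are hypothetical stand-ins.

export interface Session { userId: string; role: "user" | "admin" }
export interface Doc { id: string; ownerId: string; body: string }

export class DocStore {
  constructor(private readonly docs: Map<string, Doc>) {}
  get(id: string): Doc | undefined { return this.docs.get(id); }
  delete(id: string): boolean { return this.docs.delete(id); }
  has(id: string): boolean { return this.docs.has(id); }
}

export type Outcome = { status: 200 | 401 | 404 };

// Insecure: authenticates the caller, then acts on whatever id the client sent.
export function deleteDocInsecure(store: DocStore, session: Session | null, id: string): Outcome {
  if (!session) return { status: 401 };
  return store.delete(id) ? { status: 200 } : { status: 404 };
}

// The decision is made from the server-side session and the stored row,
// never from fields in the request body.
export function canDelete(session: Session, doc: Doc): boolean {
  return doc.ownerId === session.userId || session.role === "admin";
}

// Hardened: load, authorize, then mutate.
export function deleteDocSecure(store: DocStore, session: Session | null, id: string): Outcome {
  if (!session) return { status: 401 };
  const doc = store.get(id);
  // "Not found" for both a missing row and someone else's row, so the
  // endpoint cannot be used to enumerate which ids exist.
  if (!doc || !canDelete(session, doc)) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Constructed scenario: bob edits the id in his request to alice's document.
export function scenario(): { insecure: number; secure: number; stillThere: boolean } {
  const fresh = () => new DocStore(new Map([["doc-1", { id: "doc-1", ownerId: "alice", body: "private" }]]));
  const bob: Session = { userId: "bob", role: "user" };
  const insecure = deleteDocInsecure(fresh(), bob, "doc-1").status;
  const store = fresh();
  const secure = deleteDocSecure(store, bob, "doc-1").status;
  return { insecure, secure, stillThere: store.has("doc-1") };
}

console.log(scenario());
```

The same shape applies to "paid features": the check reads the plan from the server-side account record, not from anything the client sends. A quick way to test an app for this class of bug is to log in as two users, capture a request that touches one user's record, and replay it with the other user's token.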