Vibe Coding’s Hidden Risk: Security Holes You Can’t See


78% of AI deployments lack proper security protocols. I read that in JPMorgan Chase’s recent open letter and thought: yeah, that tracks.

I keep seeing the same story play out: excited vibe coder builds a SaaS with AI, launches successfully, then gets hacked. The pattern is so predictable it’s painful.

I’ve caught my AI coding assistant trying to expose API keys, remove authentication layers, and create vulnerabilities more times than I can count. The scary part? It does this while confidently telling me the code is secure.

AI coding assistants: they’re brilliant at generating functional code and terrible at keeping secrets.

At one point I noticed that Lovable gladly put my OpenAI API key on the frontend without any concern that others might borrow it. I instructed it to put the key API-side. It confirmed that my app was now secure!

Upon closer inspection, I discovered that the key was being passed from the backend to the frontend, which then called the OpenAI API directly, still exposing the API key. It completed the task without any understanding of the security issue we needed to fix, introduced a workaround, and effectively lied about the app being secure.
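The workaround described above next to a server-side proxy that fixes it, as an added example that is not part of the original post or generated by Lovable. The endpoint names, the `fakeProvider` stub standing in for the OpenAI API, and the placeholder key are all assumptions made so the example runs offline.

```javascript
// Added example (not from the original post). All names are hypothetical;
// the key is a constructed placeholder and the upstream call is a stub.
const SERVER_ENV = { OPENAI_API_KEY: "sk-EXAMPLE-constructed-not-a-real-key" };

// Stub standing in for the provider's HTTPS API so the example runs offline.
function fakeProvider(request) {
  if (request.headers.Authorization !== `Bearer ${SERVER_ENV.OPENAI_API_KEY}`) {
    return { status: 401, body: { error: "invalid key" } };
  }
  return { status: 200, body: { reply: `echo: ${request.body.prompt}` } };
}

// BEFORE: the "workaround". The key is stored on the server, but this
// endpoint hands it to the browser, which then calls the provider itself.
function insecureConfigEndpoint() {
  return { status: 200, body: { apiKey: SERVER_ENV.OPENAI_API_KEY } };
}

// AFTER: the browser sends only the prompt; the server attaches the key,
// calls the provider, and returns only the field the UI needs.
function secureChatEndpoint(clientRequest) {
  const prompt = clientRequest.body && clientRequest.body.prompt;
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 2000) {
    return { status: 400, body: { error: "prompt must be 1-2000 characters" } };
  }
  const upstream = fakeProvider({
    headers: { Authorization: `Bearer ${SERVER_ENV.OPENAI_API_KEY}` },
    body: { prompt },
  });
  if (upstream.status !== 200) {
    // Do not forward provider errors verbatim; they can echo request details.
    return { status: 502, body: { error: "upstream request failed" } };
  }
  return { status: 200, body: { reply: upstream.body.reply } };
}

// Review check: does anything sent to the browser contain the secret?
function leaksSecret(response, secret) {
  return JSON.stringify(response).includes(secret);
}

const key = SERVER_ENV.OPENAI_API_KEY;
console.log("insecure leaks key:", leaksSecret(insecureConfigEndpoint(), key));
console.log("secure leaks key:", leaksSecret(secureChatEndpoint({ body: { prompt: "hi" } }), key));
```

The proxy endpoint still needs per-user authentication and rate limiting on the server; without them anyone who finds the endpoint can spend the key's quota through it even though the key itself never leaves the backend.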

The Dangerous Gap

AI is like a knowledgeable intern who’s skilled at lying. It doesn’t understand security—it predicts what looks secure.

This isn’t malicious. It’s probabilistic. And that’s exactly why it’s easy to miss and dangerous.

I am not alone. According to JPMorgan Chase’s recent open letter to third-party suppliers, 78% of AI deployments lack proper security protocols.

Stories like Leo’s have become disturbingly common:

leo @leojr94_
guys, i’m under attack

ever since I started to share how I built my SaaS using Cursor random things are happening, maxed out usage on api keys, people bypassing the subscription, creating random shit on db

as you know, I’m not technical so this is taking me longer than usual to figure out

for now, I will stop sharing what I do publicly on X

there are just some weird ppl out there

This is the danger zone. Leo had the skills to vibe code a working SaaS. But security isn’t about making something work—it requires understanding security best practices and the discipline to follow them. AI assistants are not disciplined and are overly eager to get something working.

How to Protect Yourself

The good news? You don’t need to become a security expert overnight. Here are a few tips to build security checks into your vibe coding workflow. Think of these as spell-check for vulnerabilities. These prompts won’t catch everything, but they catch the obvious mistakes.

1. Use Built-in Security Tools

Tools like Lovable have introduced Security Checker 2.0—an automated security review feature that catches common vulnerabilities. Run this after any significant round of changes.

2. Quick Security Check After Each Change

If you are not using Lovable, you can run a similar review with this prompt:
“Review our work and check for workarounds and potential security issues.
Respond with a prioritized list of concerns.”

3. Deep Security Review Before Releases

Before pushing to production, here is a prompt for a more thorough review:

Security Best Practices Prompt Template

  • Validate and Sanitize All Inputs: Never trust user input. Always validate and sanitize data on the server side to prevent injection attacks.
  • Implement Strong Authentication and Authorization: Ensure that authentication and authorization mechanisms are robust and enforced on the backend. Do not rely solely on frontend controls.
  • Use Parameterized Queries: When interacting with databases, use parameterized queries or prepared statements to prevent SQL injection attacks.
  • Enforce HTTPS: Ensure all data transmitted between the client and server is encrypted by enforcing HTTPS.
  • Protect Sensitive Data: Encrypt sensitive data both at rest and in transit to safeguard confidentiality.
  • Manage Dependencies Securely: Regularly update and audit third-party libraries to mitigate risks from known vulnerabilities.
  • Implement Security Logging and Monitoring: Establish logging mechanisms to detect and respond to security incidents promptly.
  • Avoid Inline Scripts: Separate JavaScript from HTML by using external scripts and implement Content Security Policies (CSPs) to define trusted sources for scripts and resources.
  • Implement Content Security Policy (CSP): Define a CSP to restrict the sources of executable scripts and mitigate the risk of cross-site scripting (XSS) attacks.
  • Prevent Cross-Site Request Forgery (CSRF): Implement anti-CSRF tokens in your forms and verify them on the server side to prevent unauthorized commands transmitted from a user that the website trusts.

Inspired by: Prajwal Tomar (@PrajwalTomar_) on X

The Hard Truth

You can’t fully trust AI to build secure solutions. Good security requires discipline and understanding—two weaknesses of your probabilistic AI coding assistant.

To vibe coders out there: you might not need to learn the ins and outs of writing code, but if you’re creating production software, you must learn security fundamentals.

Here’s your Monday morning action: Take the security review prompt above and ask your favorite AI chat to create a mini-course for you with examples. Spend 30 minutes this week learning the top 3 security practices from the list above. Your future self (and your users) will thank you.

Keys

  • AI assistants are brilliant at functionality, terrible at security
  • They “lie”—they predict code that looks secure but isn’t
  • Build security reviews into your workflow, not as an afterthought
  • Use tools like Lovable’s Security Checker 2.0 to automate initial reviews
  • Learn enough security to evaluate AI’s suggestions critically
  • When in doubt, hire a real security review before going to production

The question isn’t whether AI will introduce security holes. It’s whether you’ll catch them before someone else does.

Software Architect and Senior Full Stack Developer excited about crafting innovative user experiences with GenAI and Blockchain.
