IndustriesWorkPlaybookHow it worksAboutBook a systems auditBring us your idea

Is my AI-built app secure?

Straight answer

Probably not fully, and that is normal. AI builders write working code fast, but they routinely leave security gaps: exposed keys, open databases, weak logins. The app looks finished because it runs. Security is the part you cannot see, so it needs a deliberate check rather than a trust that it was handled.

Information current as at 5 July 2026

Your app works. People can sign up, data gets saved, the pages load. It feels done. But "it runs" and "it is safe" are two different claims, and the gap between them is exactly where trouble lives. This article is an honest look at where AI-built apps tend to be secure, where they tend not to be, and how to tell the difference for yours.

Plain English
API key
A password-like string that lets your app use an outside service, and that must be kept secret.
Attack surface
Everything about your app that someone could try to poke at or break into.
Access control
The rules that decide who is allowed to see or change each piece of data.
Hardening
The work of closing gaps so an app is more resistant to misuse.

What "it runs" actually proves

When an AI builder produces an app that works, it has proven one thing: the happy path functions. A user can do the intended action and get the intended result. That is genuinely useful, and it is most of what you can see. Security, by contrast, is almost entirely invisible from the outside. Whether your database is readable by strangers, whether your keys are exposed, whether one user can reach another user's data, none of that shows up when you click around as the owner. So a working app tells you the front door opens. It tells you nothing about whether the back door is locked, and the back door is where the risk sits.

Where AI builders tend to do fine

It is worth being fair, because this is not about fear. Modern builders often get the basics of transport security right: they put your site on HTTPS, so traffic is encrypted in transit. They usually use established libraries for common tasks rather than inventing shaky ones. If you used a managed database service, its defaults are frequently reasonable. The generated code is often competent at the thing you asked for. The problem is rarely that the code is bad at its job. The problem is what the builder leaves for you to configure and never mentions, because it was optimising for a working demo, not a live business holding real people's data.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Where the gaps usually are

The recurring gaps are a short list. Exposed secrets: API keys and database credentials left visible in the code, in the browser, or in logs. Open data access: a database where the access rules were never set, so in principle anyone who finds the address can read or change records. Weak or missing authentication: logins that do not really protect an account, or admin areas anyone can reach. Trusting the browser: assuming a check done in the visitor's browser cannot be bypassed, when it can. Technology press reporting (XDA Developers) has described vibe-coded apps routinely shipping with exposed data and API keys, which matches what tends to be found in practice. None of these are exotic. They are the same handful, over and over.

How to find out where you stand

You do not need to pay anyone to get a first read on this. Open your app in a browser and look at the page source and the network requests for anything that looks like a key or a password; secrets should never appear there. Check your database service's dashboard for whether access rules or row-level security are switched on, or whether it is effectively open. Try to reach data or pages as a logged-out visitor that only a logged-in user should see. Ask yourself whether one ordinary user could view another user's records by changing a number in the address. Each of these is a real check you can do today. If several come back uncertain, that is a signal the app needs hardening before it carries anything sensitive, and it is a reasonable point to get a second opinion.

Common questions

Questions, answered

If my app works, why would it not be secure?
Because working and secure are different. Working means the intended action succeeds, which is what you can see. Secure means the things you cannot see are locked down: your keys, your database access, your logins. AI builders reliably deliver the first and routinely leave gaps in the second.
Did the AI builder not handle security for me?
It handled some of it, like putting you on HTTPS, and left the rest for you, usually without saying so. Setting database access rules, keeping keys secret, and protecting logins are typically configuration steps the builder does not complete, because it was building a working demo, not securing a live business.
What is the single most common problem?
Exposed secrets. API keys and database credentials left visible in the code or the browser are the most frequently found issue, and among the most serious, because a found key can let someone use your paid services or reach your data directly. Resetting and hiding keys is the first fix.
Do I need to be technical to check any of this?
You can do a useful first pass without being technical: look for visible keys in your pages, check whether your database access rules are on, and try to reach private data while logged out. Those three checks tell you a lot. A deeper review is where a second pair of eyes helps.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.