
See what your AI-built app leaks to any visitor

Eliott Reich, founder of TaskBounty · 3 min read
security
vibe coding
ai dev tools
supabase


When you build with Lovable, Bolt, Replit, v0, or Cursor, the app reaches real users fast. The part that does not keep up is the boring hygiene: most AI-built apps leak the same small handful of things, and they leak them to anyone who opens the page. No hacking required, just a look at what the app already serves.

Here are the four most common leaks and how to check each one by hand. None of this needs special tools.

1. API keys sitting in your JavaScript

Anything your frontend can see, a visitor can see. Open your live app, view source, and search the page and every script it loads (including the chunks that load later, not just the main bundle) for strings such as sk_, eyJ, AIza, or service_role. A publishable Stripe key (pk_) or a Supabase anon key is meant to be public. A secret key (sk_, service_role, an AWS or OpenAI key) is not. One trap: the Supabase anon key and the service_role key are both JWTs that start with eyJ, so a hit on eyJ is not a verdict by itself; decode the middle segment of the token and look at its role claim. If a secret is in the bundle, treat it as compromised: rotate it, and move the call that needed it behind a server-side route or edge function so the browser never holds it again.
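The bundle check above as a script, added here as an example and not code from the original post or from TaskBounty. It runs over the text of a downloaded bundle, matches the prefixes the post names (plus AWS access key ids as a common extra), and decides JWTs by their role claim instead of their prefix. The regular expressions are assumptions about key formats, and the sample bundle and every key in it are constructed.

```javascript
// Added example, not code from the original post. Scans the text of a JS
// bundle for credential-shaped strings and sorts them into keys that are meant
// to be public and keys that are not. Every pattern below is an assumption
// about key formats; the sample bundle and all key values are constructed.
// Usage: node scan-bundle.js path/to/bundle.js   (no path: scans the sample)

// "secret" is the verdict the prefix alone gives; JWTs are decided by payload.
const PATTERNS = [
  { name: 'Stripe publishable key', re: /\bpk_(?:live|test)_[A-Za-z0-9]{8,}/g, secret: false },
  { name: 'Stripe secret key',      re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/g, secret: true },
  { name: 'OpenAI key',             re: /\bsk-[A-Za-z0-9_-]{20,}/g,            secret: true },
  { name: 'AWS access key id',      re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,      secret: true },
  { name: 'Google API key',         re: /\bAIza[0-9A-Za-z_-]{35}/g,            secret: 'review' },
  { name: 'JWT',                    re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, secret: null },
];

// Supabase's anon key and service_role key are both JWTs starting with "eyJ";
// the "role" claim in the (unsigned, readable) payload is what tells them apart.
function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(payload).role || null;
  } catch {
    return null;
  }
}

function verdictFor(pattern, value) {
  if (pattern.name === 'JWT') {
    const role = jwtRole(value);
    if (role === 'service_role') return 'SECRET';
    if (role === 'anon') return 'public';
    return 'review';          // some other JWT: look at it by hand
  }
  if (pattern.secret === true) return 'SECRET';
  if (pattern.secret === false) return 'public';
  return 'review';            // e.g. a Google key: public is fine only if it is restricted
}

// Returns one finding per match. The value is truncated so the report itself
// does not become another copy of the secret.
function scanBundle(text) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      findings.push({ name: p.name, verdict: verdictFor(p, m[0]), sample: m[0].slice(0, 12) + '...' });
    }
  }
  return findings;
}

// Constructed sample bundle. The JWTs are built here with a dummy signature,
// which is fine because the role check never verifies the signature anyway.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.not-a-real-signature`;
}
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_test_ExampleExampleExample1234");',
  `const supabase = createClient("https://abcdefgh.supabase.co", "${fakeJwt({ iss: 'supabase', role: 'anon' })}");`,
  `const admin = createClient("https://abcdefgh.supabase.co", "${fakeJwt({ iss: 'supabase', role: 'service_role' })}");`,
  'fetch("https://api.stripe.com/v1/charges", { headers: { Authorization: "Bearer sk_test_ExampleExampleExample1234" } });',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const text = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_BUNDLE;
  for (const f of scanBundle(text)) console.log(`${f.verdict.padEnd(7)} ${f.name}: ${f.sample}`);
}
```

On the constructed bundle this reports the pk_ key and the anon JWT as public, and the sk_ key and the service_role JWT as SECRET. Run it against each script your app loads, not only the first one, and remember that a pattern list only catches keys whose shape it knows; anything that looks like a long random string near a fetch call deserves a look by hand.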

2. A Supabase or Firebase database anyone can read

This is the big one. Supabase and Firebase both let the browser talk to the database directly, so the only thing between a visitor and your rows is the rules you wrote. In Supabase, if Row Level Security is off on a table in the exposed schema, the public anon key can read every row in it, and so can anyone on the internet, because that key is in your bundle. To check: take the project URL and anon key from the bundle and request a table through the REST API with nothing but that key. If rows come back, anyone can read them, whether RLS is off or a policy allows anonymous reads. An empty result proves nothing, since the table may simply be empty. Do not stop at reads: with RLS off the same key can insert, update and delete. The fix is to enable RLS on every table and add policies that scope rows to the right user, one per operation you actually need. Treat the data as public until you do. Firebase has the same failure mode in the form of open Realtime Database or Firestore rules.
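The Supabase half of that check as a script, added here as an example rather than the post's own code or a Supabase tool. It builds the REST request the way the anon key is normally sent, reads table names from the OpenAPI document PostgREST serves at the REST root so you do not have to guess them, and classifies the answer with the asymmetry noted above (rows prove exposure, an empty array proves nothing). The endpoint shapes and status handling are assumptions about PostgREST behaviour; the sample responses are constructed.

```javascript
// Added example, not the post's code: probe a Supabase project's REST API with
// nothing but the project URL and anon key lifted from the bundle, and say
// what the answer means. Endpoint shapes and status handling are assumptions
// from PostgREST's behaviour; all sample responses below are constructed.
// Usage: node rls-probe.js https://<ref>.supabase.co <anon-key> [table]

// PostgREST is mounted at /rest/v1. The anon key goes in both headers.
function buildProbe(projectUrl, anonKey, table) {
  const url = new URL(`/rest/v1/${encodeURIComponent(table)}`, projectUrl);
  url.searchParams.set('select', '*');
  url.searchParams.set('limit', '5');      // a few rows prove the point without pulling the table
  return { url: url.toString(), headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` } };
}

// The REST root serves an OpenAPI document whose paths are the tables and
// views the key can at least see; that is how you get names without guessing.
// /rpc/* entries are functions and are skipped here.
function tablesFromOpenApi(spec) {
  return Object.keys(spec.paths || {})
    .filter((p) => p !== '/' && !p.startsWith('/rpc/'))
    .map((p) => p.slice(1));
}

// Rows back proves anyone with the anon key can read them, whether RLS is off
// or a policy allows anonymous reads. An empty array proves nothing: the table
// may be empty, or RLS may be on with no policy (PostgREST returns 200 [] then).
function classify(status, body) {
  if (status === 401 || status === 403) return 'denied';
  if (status === 404) return 'no-such-table';
  if (status === 200 && Array.isArray(body)) return body.length > 0 ? 'READABLE' : 'empty-or-no-policy';
  return `unexpected-${status}`;
}

async function probeTable(projectUrl, anonKey, table) {
  const { url, headers } = buildProbe(projectUrl, anonKey, table);
  const res = await fetch(url, { headers });
  const body = await res.json().catch(() => null);
  return { table, verdict: classify(res.status, body) };
}

async function probeProject(projectUrl, anonKey, table) {
  let tables = table ? [table] : [];
  if (!table) {
    const res = await fetch(new URL('/rest/v1/', projectUrl), { headers: { apikey: anonKey } });
    tables = tablesFromOpenApi(await res.json());
  }
  return Promise.all(tables.map((t) => probeTable(projectUrl, anonKey, t)));
}

// Constructed sample responses, so the classifier can be read without a live project.
const SAMPLE_OPENAPI = { paths: { '/': {}, '/todos': {}, '/profiles': {}, '/rpc/reset_counts': {} } };
const SAMPLE_ROWS = [{ id: 1, owner: 'u_1', title: 'constructed row' }];

if (typeof require !== 'undefined' && require.main === module && process.argv.length >= 4) {
  probeProject(process.argv[2], process.argv[3], process.argv[4])
    .then((results) => results.forEach((r) => console.log(`${r.verdict.padEnd(19)} ${r.table}`)))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

A table you meant to be public will show as READABLE too; the script tells you what is readable and you decide whether that was intended. The fix on the Supabase side is `alter table public.todos enable row level security;` followed by one policy per operation you need, for example `create policy "owner reads" on public.todos for select using (auth.uid() = user_id);` (the table and column names here are hypothetical). Once RLS is on with no policy, the same probe returns an empty array, which is why the classifier refuses to call that result safe.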

3. Files that should never be reachable

Try visiting /.env, /.git/config, /.git/HEAD, and your source-map files directly. A reachable .env hands over your secrets. A reachable .git directory can expose your whole history. Public source maps rebuild your original source for anyone curious. None of these should load for a stranger. A 200 status alone is not a finding: many static hosts answer every unknown path with your index page, so look at what came back. A real .env is KEY=value lines; a real .git/config starts with a [core] section. For source maps, open one of your scripts and look for a //# sourceMappingURL comment at the end; if that .map file loads and contains a sourcesContent array, your original files are public, while a map that carries only source paths gives away your layout but not your code.
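The file checks as a script, added here as an example and not taken from the post. The point it adds is the one that trips up a naive curl loop: it decides from the body, not the status, because a single-page app host will happily return index.html with 200 for /.env. It also follows the sourceMappingURL pointer from a bundle and reports whether the map carries the original source. The body signatures are assumptions about what the real files look like, and the sample responses are constructed.

```javascript
// Added example, not the post's code: ask for the files that must never be
// served and decide from the body, not the status, whether they really came
// back. Many static hosts answer every unknown path with index.html and 200,
// so a status check alone gives false positives. Signatures below are
// assumptions about what the real files look like; sample bodies are constructed.
// Usage: node file-probe.js https://your-app.example [https://your-app.example/assets/main.js]

const FILE_PROBES = [
  // A real .env is KEY=value lines; an index page is not.
  { path: '/.env',        looksReal: (b) => /^[A-Z][A-Z0-9_]*=/m.test(b) && !/<html/i.test(b) },
  // A git config starts with a [core] section; HEAD is "ref: refs/heads/...".
  { path: '/.git/config', looksReal: (b) => /^\[core\]/m.test(b) },
  { path: '/.git/HEAD',   looksReal: (b) => /^ref: refs\//m.test(b) },
];

function classifyFile(probe, status, body) {
  if (status !== 200) return 'not-served';
  return probe.looksReal(body) ? 'EXPOSED' : 'fallback-page';
}

// Bundlers leave a pointer to the map at the end of each script; resolve it
// against the script's own URL. Inline data: maps are already in the bundle.
function sourceMapUrls(bundleText, bundleUrl) {
  const urls = [];
  for (const m of bundleText.matchAll(/\/\/[#@]\s*sourceMappingURL=(\S+)/g)) {
    if (!m[1].startsWith('data:')) urls.push(new URL(m[1], bundleUrl).toString());
  }
  return urls;
}

// A served map is a full leak only when it carries sourcesContent (the
// original files). A map with just "sources" paths still reveals your layout.
function classifySourceMap(status, body) {
  if (status !== 200) return 'not-served';
  try {
    const map = JSON.parse(body);
    if (map.version !== 3 || !Array.isArray(map.sources)) return 'fallback-page';
    return Array.isArray(map.sourcesContent) && map.sourcesContent.length ? 'EXPOSED-with-source' : 'EXPOSED-paths-only';
  } catch {
    return 'fallback-page';
  }
}

async function fetchText(url) {
  const res = await fetch(url, { redirect: 'follow' });
  return { status: res.status, body: await res.text() };
}

async function probeSite(baseUrl, bundleUrl) {
  const out = [];
  for (const p of FILE_PROBES) {
    const { status, body } = await fetchText(new URL(p.path, baseUrl));
    out.push({ url: p.path, verdict: classifyFile(p, status, body) });
  }
  if (bundleUrl) {
    const bundle = await fetchText(bundleUrl);
    for (const mapUrl of sourceMapUrls(bundle.body, bundleUrl)) {
      const { status, body } = await fetchText(mapUrl);
      out.push({ url: mapUrl, verdict: classifySourceMap(status, body) });
    }
  }
  return out;
}

// Constructed sample responses, for reading the logic without a live target.
const SAMPLES = {
  envLeak:  { status: 200, body: 'DATABASE_URL=postgres://app:hunter2@db.internal/app\nOPENAI_API_KEY=sk-constructed\n' },
  fallback: { status: 200, body: '<!doctype html><html><head><title>App</title></head><body></body></html>' },
  missing:  { status: 404, body: 'Not Found' },
  fullMap:  { status: 200, body: JSON.stringify({ version: 3, sources: ['src/app.ts'], sourcesContent: ['export const x = 1;'], mappings: 'AAAA' }) },
};

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  probeSite(process.argv[2], process.argv[3])
    .then((rows) => rows.forEach((r) => console.log(`${r.verdict.padEnd(20)} ${r.url}`)))
    .catch((e) => { console.error(e.message); process.exit(1); });
}
```

The three verdicts are deliberately distinct: not-served is what you want, fallback-page means the host swallowed the path, and EXPOSED means the real file came back. If you see EXPOSED for .git, assume the whole repository can be reconstructed, and if a map reports EXPOSED-with-source, stop shipping maps to production or restrict who can fetch them.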

4. Missing transport and header basics

Confirm that http:// redirects to https:// rather than serving content, that the certificate is valid, and that a Strict-Transport-Security header is set so browsers stop trying plain http at all. For CORS, the dangerous case is an API that echoes back whatever Origin it is sent and also sets Access-Control-Allow-Credentials: true, because any site can then make a logged-in visitor's browser call your API and read the answer. Access-Control-Allow-Origin: * cannot be combined with credentials (browsers refuse), so it is acceptable for public data and wrong for anything that belongs to a user. These are quieter issues than an open database, but they are easy to get wrong and easy to fix.
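The transport and CORS checks as a script, added here as an example and not the post's code. It sends a made-up Origin to see whether the server reflects it, and classifies the redirect, HSTS and CORS headers separately so the output says which one is wrong. The probe origin and the HSTS threshold are assumptions, and the sample header sets are constructed.

```javascript
// Added example, not the post's code: read the transport and CORS headers the
// app sends and classify them. The probe origin and the HSTS threshold are
// assumptions; the sample header sets are constructed.
// Usage: node headers-probe.js https://your-app.example [https://api.your-app.example/endpoint]

// An origin nobody owns, sent to see whether the server reflects it back.
const PROBE_ORIGIN = 'https://attacker.example';

// Lower-case keys so lookups do not depend on how the server cased them.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// For a request to http://host/: want a redirect to https, never content.
function assessPlainHttp(status, headers) {
  const h = normalize(headers);
  if ([301, 302, 307, 308].includes(status) && /^https:/i.test(h.location || '')) return 'redirects-to-https';
  if (status >= 200 && status < 300) return 'SERVES-PLAIN-HTTP';
  return `unexpected-${status}`;
}

// For the https response: HSTS keeps later visits off plain http entirely.
function assessHsts(headers) {
  const h = normalize(headers);
  const m = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!m) return 'no-hsts';
  return Number(m[1]) >= 15552000 ? 'hsts-ok' : 'hsts-too-short';   // 180 days, a common floor (assumption)
}

// For a response to a request carrying "Origin: PROBE_ORIGIN". The dangerous
// case is reflection plus credentials: any site can then make a logged-in
// user's browser call your API and read the answer. "*" can never be used with
// credentials (browsers refuse), so it only matters if the data is not public.
function assessCors(headers, origin = PROBE_ORIGIN) {
  const h = normalize(headers);
  const allowOrigin = h['access-control-allow-origin'];
  const withCreds = /^true$/i.test(h['access-control-allow-credentials'] || '');
  if (!allowOrigin) return 'no-cors';
  if (allowOrigin === origin) return withCreds ? 'REFLECTS-ORIGIN-WITH-CREDENTIALS' : 'reflects-origin';
  if (allowOrigin === '*') return 'wildcard-public-data-only';
  return 'fixed-origin';
}

// Live probe. An invalid certificate surfaces as a thrown TLS error from fetch.
async function probe(siteUrl, apiUrl) {
  const site = new URL(siteUrl);
  const plain = await fetch(`http://${site.host}/`, { redirect: 'manual' });
  const secure = await fetch(`https://${site.host}/`);
  const results = {
    plainHttp: assessPlainHttp(plain.status, Object.fromEntries(plain.headers)),
    hsts: assessHsts(Object.fromEntries(secure.headers)),
  };
  if (apiUrl) {
    const api = await fetch(apiUrl, { headers: { Origin: PROBE_ORIGIN } });
    results.cors = assessCors(Object.fromEntries(api.headers));
  }
  return results;
}

// Constructed sample header sets.
const SAMPLE_BAD_CORS = { 'Access-Control-Allow-Origin': PROBE_ORIGIN, 'Access-Control-Allow-Credentials': 'true' };
const SAMPLE_GOOD_CORS = { 'Access-Control-Allow-Origin': 'https://your-app.example' };

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  probe(process.argv[2], process.argv[3])
    .then((r) => console.log(r))
    .catch((e) => { console.error(e.message); process.exit(1); });
}
```

Send the Origin probe to an endpoint that returns user data, not the landing page; a reflected origin on a static page is harmless, while the same header on /api/me is the finding. If the verdict is REFLECTS-ORIGIN-WITH-CREDENTIALS, replace the echo with an explicit allow-list of your own origins.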

Or check it in about ten seconds

Doing all of this by hand is useful once. To make it quick, we built a free scanner: paste your app URL at task-bounty.com/scan and it shows what your live app exposes: the keys in your bundle, the tables anyone can read, the files that load when they should not.

It is read-only. It reads only what a browser already downloads and checks your database access from the outside. It never logs in and never writes anything. JavaScript and TypeScript apps for now.

One honest caveat: this is a flashlight, not a verdict. A clean result is not a security certificate. It means the common, cheap-to-find leaks are not showing, which is exactly the set of mistakes that turn into a public incident. Find them before a stranger does.