98 vibe-coded apps, 967 findings: the security posture is the platform, not the app
Follow-up to our earlier 50-site study. That one mixed big-tech and legacy CMS. This one is narrower and more honest about what vibe-coded means in 2026: we picked two cohorts deliberately.
- Cohort A — vibe-coded apps from a single no-code AI builder. 50 production deployments on the same builder's managed hosting. One prompt → one ship. Owners rarely edit the generated code by hand.
- Cohort B — indie dev-builds from mixed platforms. 24 sites across four different deploy platforms, most with custom backends and at least some hand-written code. Side-projects, portfolios, early-stage tools.
We scanned both cohorts with the full 15-provider deep stack (RLS probes, Firebase rules, TLS + DNS, JS deep analysis, active DAST, MCP, network-port probing, plus the free-tier set). Nothing was tuned per-target.
The numbers
Across the two cohorts: 96% SHIP, 4% BLOCK, 21% WAF-held. Average score 76.3, median 82. Every site had at least 3 findings. The worst we scored had 26.
The headline finding: vibe-coded apps from the same platform score identically
This surprised us and it's the most important thing in this post.
| Cohort | Sites | Avg score | Median | Spread | BLOCK |
|---|---|---|---|---|---|
| A — AI builder (single platform) | 50 | 79.4 | 82 | 2 → 82 | 2 |
| B — Indie, mixed platforms | 24 | 73.2 | 78 | 26 → 92 | 1 |
Inside Cohort A, 47 out of 50 sites scored the exact same 82/100. Same score. Same eight-to-ten findings, almost all drawn from the same short list: CSP with unsafe-inline, missing Strict-Transport-Security, missing Permissions-Policy, no HttpOnly on non-session cookies, and generic API keys in the bundle (public-by-design analytics keys that our shape matcher flags as tentative).
That's not a scanner bug. That's the scanner correctly measuring the reality: apps generated from the same template inherit the same security posture. Your app's score on a vibe-coding platform is the platform's score — unless you reach past it.
Cohort B is the opposite. 24 sites produced 22 distinct scores. A-grades and BLOCKs in the same batch. The distribution looks like what you'd expect from a set of individually-written apps — because that's what it is.
The 4 sites that got BLOCK
All four came from the outlier 3–6% who customized past the template. These are anonymized; the category of fault is what matters.
- CRITICAL Backend route exposed without auth (path: /api/●●●●●●)
- HIGH Service-role credential in client bundle (value: eyJhbGc●●●●●●●●●●●)
- MEDIUM CSP allows unsafe-eval
- MEDIUM Session cookie missing SameSite
- MEDIUM No CSRF token on state-changing endpoints
The other three BLOCK cases followed the same shape: template-inherited baseline at 82, +1 custom decision that flipped them to F.
- Site #2 — indie deploy. CRITICAL: unprotected admin endpoint returning user records. Plus typical platform mediums.
- Site #3 — indie deploy. CRITICAL: service-role database key inside client JS, discoverable by anyone who opens DevTools.
- Site #4 — AI-builder cohort. CRITICAL: hand-edited auth helper trusted an HTTP header without verifying a JWT signature. Header spoofable.
- CRITICAL Unprotected API endpoint returning user data (/api/●●●●●●●●)
- HIGH Source map exposed in production
- HIGH Auth token in localStorage
- MEDIUM Missing CSRF on POST endpoints
- MEDIUM CORS reflected Origin with credentials
What everyone had
The 967 findings across 98 sites break down roughly like this. These are the patterns you see whether the app is templated or hand-coded:
| Pattern | Severity | Seen on |
|---|---|---|
| CSP allows unsafe-inline or unsafe-eval | MEDIUM | ~95% |
| Missing Strict-Transport-Security | MEDIUM | ~60% |
| Missing Permissions-Policy / COOP / CORP | LOW | ~85% |
| API-key-shaped string in client JS (tentative) | MEDIUM | ~50% |
| No privacy policy / no consent UI | MEDIUM | ~40% |
| Server software version disclosed | INFO | ~70% |
None of these alone will get anyone compromised. Together, they're the background radiation of shipping fast in 2026. Nobody is doing them maliciously; they're just the defaults nobody turned off.
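As an added example (not the scanner's own code), here is a header audit that flags the table's header-level patterns on a single HTTP response. It is stricter than the table in one respect: it only reports unsafe-inline/unsafe-eval when they govern scripts (script-src, or default-src as fallback), so a style-src 'unsafe-inline' alone does not fire. The sample response is constructed.

```javascript
// Added example: audit one response's headers for the "what everyone had" patterns.
// Header names are matched case-insensitively; sample headers are constructed.

// Parse a CSP string into directive -> [sources] and return the sources that
// govern scripts (script-src, falling back to default-src).
function cspScriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// Returns [severity, label] pairs, mirroring the table's rows.
function auditHeaders(headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const get = (name) => lower[name];
  const findings = [];

  const csp = get("content-security-policy");
  if (csp) {
    const scripts = cspScriptSources(csp);
    if (scripts.includes("'unsafe-inline'")) findings.push(["MEDIUM", "CSP allows unsafe-inline"]);
    if (scripts.includes("'unsafe-eval'")) findings.push(["MEDIUM", "CSP allows unsafe-eval"]);
  }
  if (!get("strict-transport-security")) findings.push(["MEDIUM", "Missing Strict-Transport-Security"]);
  for (const [name, label] of [
    ["permissions-policy", "Permissions-Policy"],
    ["cross-origin-opener-policy", "COOP"],
    ["cross-origin-resource-policy", "CORP"],
  ]) {
    if (!get(name)) findings.push(["LOW", `Missing ${label}`]);
  }
  // A bare product name is noise; a product name with a version number is the finding.
  const server = get("server");
  if (server && /\d/.test(server)) findings.push(["INFO", `Server software version disclosed (${server})`]);
  return findings;
}

// Constructed response headers resembling the Cohort A baseline described above.
const sampleHeaders = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; style-src 'self' 'unsafe-inline'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Server": "nginx/1.24.0",
};
```

Running `auditHeaders(sampleHeaders)` on the constructed response yields five findings: unsafe-inline on scripts, missing HSTS, missing Permissions-Policy, missing CORP, and the nginx version string.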
What this means for you
If you're shipping on a vibe-coding platform: your score is mostly their score. You'll cluster at whatever number the platform's default template produces. That's the floor. It's probably fine. The moment you add your own backend call, your own auth check, your own database integration — that's when you can drop from 82 to 2 in a single commit. Scan after every meaningful custom change, not just before launch.
If you're building a side-project from scratch: variance is on you. Cohort B ranged from A to F because every app had different decisions. No template to lean on means no template to blame. Run the full deep scan (RLS, Firebase rules, active DAST, network ports) — that's where the real bugs live, and free-tier header scans won't see them.
A fifth of sites WAF-bounced our scanner. 21% of the 124 targets we submitted bounced back a Cloudflare-class challenge and we stopped there instead of producing a score. That's a positive signal about those targets — their anti-bot layer is working. We count it as a good outcome, not a scanner failure.
Methodology
124 URLs submitted, 98 scored, 26 WAF-held. All runs used the same 15-provider stack with no per-target tuning. The free-tier 9-provider set runs a subset of the deep scan. We deliberately don't name sites in this post; individual brands matter less than the shape. If you want the anonymized per-row data, email research@sekrd.com and we'll send the CSV.
Run a deep scan on your own app. If you're on a vibe-coding platform, the interesting number isn't the score — it's the delta between your score and the platform's default.
Don't ship until you're sekrd
Run a free scan to find the vulnerabilities your AI missed.