// docs / security guides
Security-Guides
In-depth, framework-aware guides for securing applications built with Cursor, Claude Code, Lovable, Bolt, v0, Replit and Windsurf. Each guide stands on its own; pick the one that matches your current task. New guides follow as new attack classes show up in the FixVibe scan engine.
// category overview
AI code security scanning: DAST for vibe-coded apps
Why AI-generated apps need different scanning than traditional pentest tools. Covers the ten vulnerability classes that show up disproportionately in vibe-coded apps, DAST vs SAST when the codebase is half-machine-generated, what to look for in a scanner, and how FixVibe compares to Burp Suite, OWASP ZAP, and Nessus.
Read the scanner primer →
// pre-ship audit
The vibe-coding security checklist: 44 items before you deploy
A practical, phase-organised checklist for apps built with Cursor, Claude Code, Lovable, and Bolt. Seven categories — secrets, database, auth, headers, third-party, deployment, monitoring — with 44 actionable items, each tagged pre-deploy / at-deploy / post-deploy.
Open the checklist →
// step-by-step
How to secure an app built with AI coding tools
Step-by-step hardening with code snippets. Why AI-generated apps fail differently, an immediate codebase audit, deploy-time hardening (middleware, CSP, RLS, server-only auth), ongoing monitoring, and five real failure patterns with their actual fixes.
Start the hardening guide →
// cursor-specific checklist
Cursor app security checklist
A 28-item hardening guide targeting Cursor-specific patterns: Autocomplete inlines service keys, Composer generates whole files without review, Agent mode runs terminal commands, and <code>.cursorrules</code> is your first security guardrail. Pre-deploy, at-deploy, and post-deploy checks for Cursor workflows.
Read the Cursor guide →
// claude-code-specific checklist
Claude Code security checklist
A 26-item guide for Claude Code (Anthropic's CLI agent): Multi-file refactoring via subagents, bash operations without verification, <code>.claude/CLAUDE.md</code> as your security policy file, and the risk of committing <code>.env</code> or cached tokens. Organized by phase and risk area.
Read the Claude Code guide →
// tool-specific guides
Security checklists for Lovable, Bolt, v0, Replit, and Firebase Studio
Five tool-specific checklists (27-30 items each) for Lovable's Vite bundle leaks, Bolt's terminal history exposure, v0's dangerouslySetInnerHTML re-appearing, Replit's public URLs, and Firebase's test-mode rules. Each guide targets the unique risks of that platform.
Browse the platform guides →
// structural analysis
Why AI coding tools leave security gaps
An honest analysis of the structural blindspots in Cursor, Claude Code, Lovable, Bolt, and v0. Training-data bias, autocomplete dynamics, no long-term context, and speed-as-metric create predictable security gaps. Learn the root cause of each gap class and the remediation pattern that closes it.
Read the gap analysis →
// scanner selection
Choosing a security scanner for AI-built apps
Comparison and decision framework for picking the right scanner — FixVibe, Burp Suite, OWASP ZAP, Snyk, and others. Covers the evaluation criteria that matter for AI-generated SaaS (BaaS coverage, JS bundle inspection, framework awareness, active-probe gating), a side-by-side table, and a decision matrix for six common scenarios.
Compare scanners →
What's coming next
Planned additions: a Supabase-specific deep dive (RLS patterns, JWT shapes, edge-function isolation), a guide to API/MCP active-scan integration into CI, and a follow-up on shipping Lovable / Bolt apps to production. Watch the scan-engine changelog for the latest detections that drive each new guide.
