// docs / security guides
Panduan keamanan
In-depth, framework-aware guides for securing applications built with Cursor, Claude Code, Lovable, Bolt, v0, Replit, and Windsurf. Each guide is written to stand alone โ pick the one that matches what you're doing right now. More guides land here as new attack classes show up in the FixVibe scan engine.
// category overview
AI-generated code security scanning: DAST for vibe-coded apps
Why AI-generated apps need different scanning than traditional pentest tools. Covers the ten vulnerability classes that show up disproportionately in vibe-coded apps, DAST vs SAST when the codebase is half-machine-generated, what to look for in a scanner, and how FixVibe compares to Burp Suite, OWASP ZAP, and Nessus.
Read the scanner primer โ
// pre-ship audit
The vibe coding security checklist: 44 items before you ship
A practical, phase-organised checklist for apps built with Cursor, Claude Code, Lovable, and Bolt. Seven categories โ secrets, database, auth, headers, third-party, deployment, monitoring โ with 44 actionable items, each tagged pre-deploy / at-deploy / post-deploy.
Open the checklist โ
// step-by-step
How to secure an app built with AI coding tools
Step-by-step hardening with code snippets. Why AI-generated apps fail differently, an immediate codebase audit, deploy-time hardening (middleware, CSP, RLS, server-only auth), ongoing monitoring, and five real failure patterns with their actual fixes.
Start the hardening guide โ
// cursor-specific checklist
Cursor app security checklist
A 28-item hardening guide targeting Cursor-specific patterns: Autocomplete inlines service keys, Composer generates whole files without review, Agent mode runs terminal commands, and <code>.cursorrules</code> is your first security guardrail. Pre-deploy, at-deploy, and post-deploy checks for Cursor workflows.
Read the Cursor guide โ
// claude-code-specific checklist
Claude Code security checklist
A 26-item guide for Claude Code (Anthropic's CLI agent): Multi-file refactoring via subagents, bash operations without verification, <code>.claude/CLAUDE.md</code> as your security policy file, and the risk of committing <code>.env</code> or cached tokens. Organized by phase and risk area.
Read the Claude Code guide โ
// tool-specific guides
Security checklists for Lovable, Bolt, v0, Replit, and Firebase Studio
Five tool-specific checklists (27-30 items each) for Lovable's Vite bundle leaks, Bolt's terminal history exposure, v0's dangerouslySetInnerHTML re-appearing, Replit's public URLs, and Firebase's test-mode rules. Each guide targets the unique risks of that platform.
Browse the platform guides โ
// structural analysis
Why AI coding tools leave security gaps
An honest analysis of the structural blindspots in Cursor, Claude Code, Lovable, Bolt, and v0. Training-data bias, autocomplete dynamics, no long-term context, and speed-as-metric create predictable security gaps. Learn the root cause of each gap class and the remediation pattern that closes it.
Read the gap analysis โ
// scanner selection
Choosing a security scanner for AI-built apps
Comparison and decision framework for picking the right scanner โ FixVibe, Burp Suite, OWASP ZAP, Snyk, and others. Covers the evaluation criteria that matter for AI-generated SaaS (BaaS coverage, JS bundle inspection, framework awareness, active-probe gating), a side-by-side table, and a decision matrix for six common scenarios.
Compare scanners โ
What's coming next
Planned additions: a Supabase-specific deep dive (RLS patterns, JWT shapes, edge-function isolation), a guide to API/MCP active-scan integration into CI, and a follow-up on shipping Lovable / Bolt apps to production. Watch the scan-engine changelog for the latest detections that drive each new guide.