In software, “it works” and “it’s safe” are different properties, verified by different tests — and the second one never announces itself. Run this before any link is sent. Re-run monthly (first Friday), and on every cloned fix.
Last verified: July 2026 · Your checkmarks save in this browser · Print the tear-out
Fix name: · Date: · Run #
Paste: “For every database table in this app: is Row Level Security enabled, and who can read and write each table? Answer table by table.” Then: “Could someone who is not my user read any of this data — for example with the public API key? If yes, fix it so each person can only read what belongs to them, and tell me what you changed.” Record the answer.
Private browser window, logged out: can you see data you shouldn’t? Second test user: can user two see or edit user one’s data?
View source → search key, secret, sk_. Anything found → “this key is visible in my page source — move it server-side.”
Confirm checks 1–2 pass independently of the link being hard to guess.
Public gallery / Discover / community feed listing: OFF. Until you’d bet a friendship on your locks, keep the project unlisted.
Every real name typed during testing: deleted or replaced.
Found & fixed this run: · Initials:
A scan of more than 5,600 publicly reachable “vibe-coded” apps found over 2,000 vulnerabilities, more than 400 exposed secrets, and 175 instances of leaked personal information. The apps worked. Their builders were people a lot like you. “It works” was never the question.
Platforms shift; this page is updated when the checks need to change. If a builder platform’s settings have moved and a step above no longer matches what you see, send a correction — it lands in the changelog with credit.