We Scanned 64 Sites Built with AI Coding Tools for Security — Here's What We Found
We ran a security audit on 64 sites built with Lovable, Bolt, and Replit — checking headers, TLS, cookies, CORS, and sensitive file exposure. Average score: 77/100.
What we did
We sourced 70 publicly deployed sites from showcase galleries and community forums — madewithlovable.com (31 sites), madewithbolt.com (24 sites), Replit customer showcase & community (9 sites). Only live, publicly accessible sites were included. No staging environments, no localhost, no password-protected pages. 6 sites were unreachable at scan time.
Each site was scanned with AppVet's security audit, which checks:
- Security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- TLS — HTTPS enabled, HTTP-to-HTTPS redirect
- Cookies — HttpOnly, Secure, SameSite flags
- CORS — wildcard or reflective Access-Control-Allow-Origin
- Sensitive file exposure — .env, .git, wp-admin, server-status, and other common paths
No site owners were contacted. No sites are named individually — we report only aggregate data and anonymized patterns.
The headline numbers
- Average score: 77/100
- Median score: 77/100
- Scored A: 29 of 64 sites
- Scored D or below: 5 of 64 sites
64 of 70 sites were reachable. Scores range from 51 to 100. Grade distribution: 29 A's, 20 B's, 10 C's, 5 D's.
What AI coding tools get wrong
1. Security headers are the biggest gap
AI coding tools are excellent at generating application code — routes, components, API handlers. But they don't configure the server. The result: sites ship without the security headers that browsers rely on to protect users.
The most commonly missing headers:
- Content-Security-Policy (CSP) — without it, any XSS vulnerability is fully exploitable
- Strict-Transport-Security (HSTS) — without it, downgrade attacks can steal session cookies
- Referrer-Policy — without it, sensitive URL parameters leak to third parties
This isn't a criticism of the AI tools — configuring headers is a deployment concern, not an application concern. But the gap matters because most vibe coders deploy to production with the default settings and never think about headers. See our guide: Top 5 Security Headers Every Site Needs.
2. The score gap is about hosting, not code
The most interesting finding: Bolt sites averaged 81/100 while Lovable sites averaged 74/100. That's not because Bolt writes more secure code — it's because Bolt deploys to Netlify, which adds some security headers by default. Lovable deploys to lovable.app or custom domains where headers depend on configuration.
The lesson: your hosting platform matters as much as your code. A site with perfect application code but no CSP header is still vulnerable to XSS.
3. The D-grade sites share a pattern
The 5 sites that scored D+ (58-59) all had the same profile: missing HSTS, missing CSP, missing Referrer-Policy, and at least one cookie without proper flags. These are all fixable in under 5 minutes with a single middleware or hosting config change.
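As an added example of the checks sections 1 and 3 describe (this is not AppVet's scanner), the function below audits a single HTTP response for the missing headers, weak cookie flags and wildcard or reflected CORS the post looks for. The response object is constructed here so the code runs offline; header names are lowercased as Node's http module returns them.

```javascript
// Added example, not AppVet's code: audit one HTTP response for the header,
// cookie and CORS weaknesses described in the post. Input is a constructed
// object of lowercase header name -> string (an array for set-cookie).
const REQUIRED_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
  "permissions-policy",
];

// requestOrigin is the Origin the scanner sent, an origin the site has no
// reason to trust; seeing it echoed back means the CORS policy is reflective.
function auditResponse(headers, requestOrigin) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push(`missing header: ${name}`);
  }
  // CORS: a wildcard or a reflected Origin lets any site read the response
  const acao = headers["access-control-allow-origin"];
  if (acao === "*") {
    findings.push("cors: wildcard Access-Control-Allow-Origin");
  } else if (acao && acao === requestOrigin) {
    findings.push("cors: Access-Control-Allow-Origin reflects request Origin");
  }
  // Cookies: every Set-Cookie should carry HttpOnly, Secure and SameSite
  for (const cookie of [].concat(headers["set-cookie"] || [])) {
    const [pair, ...rawAttrs] = cookie.split(";");
    const name = pair.split("=")[0].trim();
    const attrs = rawAttrs.map((a) => a.trim().toLowerCase());
    if (!attrs.includes("httponly")) findings.push(`cookie ${name}: missing HttpOnly`);
    if (!attrs.includes("secure")) findings.push(`cookie ${name}: missing Secure`);
    if (!attrs.some((a) => a.startsWith("samesite="))) findings.push(`cookie ${name}: missing SameSite`);
  }
  return findings;
}

// Constructed sample with the D-grade profile from the post: no HSTS, no CSP,
// no Referrer-Policy, one cookie without flags, plus a reflecting CORS header.
const SAMPLE_RESPONSE = {
  "content-type": "text/html",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "permissions-policy": "camera=()",
  "access-control-allow-origin": "https://other.example",
  "set-cookie": ["session=abc123; Path=/", "theme=dark; Secure; HttpOnly; SameSite=Lax"],
};

console.log(auditResponse(SAMPLE_RESPONSE, "https://other.example"));
```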
4. Nobody is checking for exposed files
We probed common sensitive paths — /.env, /.git/config, /wp-admin — on every site. Most returned 404 (good). But the fact that these paths are never explicitly blocked means one misconfigured deploy could expose secrets. AI tools don't generate .htaccess rules or server block lists.
What AI coding tools get right
It's not all bad. 29 of 64 sites scored A- or higher. The common thread:
- HTTPS everywhere — every single site used HTTPS. Deployment platforms (Vercel, Netlify, lovable.app) handle this automatically.
- No sensitive files exposed — most sites properly returned 404 for probed paths like /.env and /.git
- CORS properly restricted — no wildcard or reflective CORS policies found in the majority of sites
- Some platforms add headers — Netlify (used by Bolt) adds X-Frame-Options and X-Content-Type-Options by default
The pattern: anything the hosting platform handles is fine. Anything the developer (or AI) needs to explicitly configure — CSP, HSTS, Referrer-Policy — is where the gaps appear.
Tool-by-tool comparison
| Tool | Sites | Avg Score | Best | Worst | A grades |
|---|---|---|---|---|---|
| Lovable | 31 | 74 | 100 | 58 | 9/31 |
| Bolt | 24 | 81 | 100 | 59 | 15/24 |
| Replit | 9 | 76 | 100 | 51 | 5/9 |
Bolt sites scored highest on average (81) — likely because Bolt deploys to Netlify which adds security headers by default. Replit (76) had wide variance — from 51 to 100 — reflecting diverse hosting configurations across replit.app subdomains and custom domains. Lovable (74) deploys to lovable.app or custom domains with less header configuration out of the box. Replit had a smaller sample (9 sites) since it doesn't have a public showcase gallery like Lovable and Bolt.
How to fix it (in 5 minutes)
Here's the irony: the same AI that created these issues can fix them. The workflow:
- Scan your site — run `npx appvet scan your-site.com --types security` (CLI docs) or paste your URL at appvet.dev
- Copy the Fix with AI prompt — AppVet generates a ready-to-use prompt listing every missing header, insecure cookie, and exposed path — with the exact fix for each
- Paste into the AI tool that built your site — Lovable, Bolt, Replit, Cursor, Claude Code. The AI reads the structured prompt and adds the missing headers in one pass.
- Rescan — verify the fixes worked. Adding security headers typically jumps a site from B- to A+.
The Fix with AI prompt now includes a "Do Not Change" section — things your site already does right — so the AI doesn't accidentally break working configurations while fixing the issues.
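What the "single middleware change" from section 3 looks like in practice, as an added example (not code from the post, AppVet, or any of the tools named): a wrapper for a Node http request handler that adds the headers found missing, hardens cookie flags, and follows the "Do Not Change" idea by leaving any header the platform already set untouched. The header values are assumptions; the CSP in particular has to match what the site actually loads.

```javascript
// Added example, not from the post or the tools it names. Header values are
// assumptions to be tuned per site (the CSP must allow the site's own assets).
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Append HttpOnly, Secure and SameSite=Lax to a Set-Cookie value lacking them.
function hardenCookie(cookie) {
  const parts = cookie.split(";").map((p) => p.trim()).filter(Boolean);
  const lower = parts.map((p) => p.toLowerCase());
  if (!lower.includes("httponly")) parts.push("HttpOnly");
  if (!lower.includes("secure")) parts.push("Secure");
  if (!lower.some((p) => p.startsWith("samesite="))) parts.push("SameSite=Lax");
  return parts.join("; ");
}

// Wrap a (req, res) handler; res needs getHeader/setHeader like http.ServerResponse.
function withSecurityHeaders(handler) {
  return (req, res) => {
    // "Do Not Change" rule: keep any header the platform or app already provides
    for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
      if (res.getHeader(name) === undefined) res.setHeader(name, value);
    }
    // Intercept Set-Cookie so cookies the handler sets later are hardened too
    const setHeader = res.setHeader.bind(res);
    res.setHeader = (name, value) =>
      setHeader(name, name.toLowerCase() === "set-cookie" ? [].concat(value).map(hardenCookie) : value);
    return handler(req, res);
  };
}

// Minimal stand-in for http.ServerResponse so the wrapper can be exercised offline
function fakeResponse(preset = {}) {
  const headers = { ...preset };
  return {
    headers,
    getHeader: (name) => headers[name.toLowerCase()],
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Demo: a platform that already sets X-Frame-Options keeps its value
const demo = fakeResponse({ "x-frame-options": "SAMEORIGIN" });
withSecurityHeaders((req, res) => res.setHeader("Set-Cookie", "session=abc123; Path=/"))({}, demo);
console.log(demo.headers);
```

With a real server the same wrapper goes around the handler passed to `http.createServer`, or is registered as the first middleware in Express.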
The bottom line
AI coding tools are incredible for shipping fast. But "deployed" and "production-ready" are different things. The gap isn't in the AI's ability — it's in what the AI is asked to do. Nobody prompts "add HSTS and CSP headers" or "set HttpOnly on all cookies."
The average score of 77/100 isn't terrible — but it means most AI-built sites ship with 3-5 missing security protections that take minutes to add. The fix is simple: scan before you ship.
This was just the security audit. AppVet also scans for performance, accessibility, and SEO — 84 checks total across 8 scan profiles. We'll publish those results in a follow-up post.
That's what AppVet is for.