DanDan·18 July 2026·4 min read

AI will hand you a security hole with a straight face

I was setting up the backend for a new app: a Supabase database, a couple of environment files, the usual plumbing you do before any real code gets written. The AI was scaffolding it all out, fast and tidy, and it looked great.

Then I stopped and read it properly.

What it got right

Genuinely, most of it was good. It set up a clean project structure, wrote a sensible gitignore so secrets could never be committed, and even labelled which values were public and which were secret. It knew the theory. It could recite that a service key must never go near the client.

Where it went wrong

Tucked into the environment file, sitting right next to the app's config, was the full database connection string. The one with the database password baked into it.

If you do not build apps, here is why that is a problem. The values an app uses get bundled into the app itself when it ships. Anyone who downloads it can pull it apart and read them. So the app is only ever allowed to hold values that are safe to be public. A database connection string is the opposite of that. It is the master key to the entire database. Put it in the app and you have handed every user a way straight into everyone's data.

The AI put the master key one step away from the app bundle. It even wrote a little note saying "this one is server side only, do not ship it." Which is the bit that actually worries me. A label is not a safeguard. A label is a sticky note on a loaded gun. The whole point of doing it properly is that the structure makes the mistake impossible, not that a comment politely asks you not to make it.

Why it got caught

It got caught for one reason: I have built this before, so I stopped and asked a simple question. "Do we even need the database string in the app?"

We did not. The app needs two things: the address of the database service and a public key that is safe to expose, protected by proper access rules on the server. That is it. The master key was never needed anywhere near the app. Once I said that, the AI immediately agreed, restructured everything so the secrets live in a completely separate server only file, and dropped the database string altogether. Ten minutes later it was clean.

But I had to be the one to ask.

This is the vibe coder trap

There is a lot of talk right now about "vibe coding," people with no development background building real apps by just chatting to an AI. And honestly, a lot of it works. It is brilliant. Right up until a moment exactly like this one.

Because the AI did not hesitate. It did not flag it. It did not say "careful, this is sensitive." It produced a genuine security hole with total confidence and moved straight on to the next step. If I had been a vibe coder, I would have pasted my real database password into that file, shipped the app, and handed my entire database to anyone who fancied downloading it. I would not have known anything was wrong, because nothing looked wrong. It looked finished.

That is the part people underestimate. AI does not fail loudly. It fails plausibly. The output is confident, tidy, well commented, and quietly dangerous.

What I would tell anyone building this way

Use the AI. It is genuinely faster and mostly right. But treat anything touching security, payments, or user data as a draft that needs a real review from someone who knows what they are looking at. If that person is not you, get one. It is a lot cheaper than the alternative.

The AI is a phenomenal builder and a terrible last line of defence. On this project it happened to have a developer reading over its shoulder. Most of the scary stories out there are the ones where it did not.

If you are building something and you are not sure whether the AI has quietly left a door open, that is exactly the kind of thing we look at. Have a look at the work we do, or if you want a rough sense of a proper build, our quote generator is a decent place to start.

Not sure what you need yet? Start here.

No email requiredNo sales call neededGet a ballpark estimate in minutes
AI will hand you a security hole with a straight face | All Trouser Digital