Learn
Straight answers about secrets, keys, and safely shipping AI-built apps.
- Is Shipshape legit? What it does and doesn’t do
  Shipshape is a passive pre-launch checkup for AI-built apps. Here is exactly what it checks, what it never does, and why it won’t false-flag your public keys.
- Supabase anon key vs service_role key: which is safe to expose?
  The Supabase anon key is meant to be public. The service_role key must never reach the browser. Here is the difference and how to check your app.
- Is the Firebase apiKey a secret? (No — and here’s why)
  The Firebase apiKey is safe to expose in client code. It’s an identifier, not a credential. Here’s what actually protects a Firebase app.
- Can I just ask ChatGPT to check my app’s security?
  ChatGPT can explain concepts but can’t see your deployed app. A scanner actually fetches your live URL and checks deterministically. Here’s the difference.
- The vibe-coder’s pre-launch checklist (Lovable, Bolt, Replit, v0)
  A short, practical checklist before you put your AI-built app in front of real users: secrets, database rules, source exposure, headers, and payments.
- How do I know if my Supabase database is exposed?
  If Row Level Security is off, the public anon key in your frontend can read every table. Here is how to check — safely — whether your Supabase data is downloadable.
- I leaked my Supabase service_role key — what now?
  An exposed service_role key bypasses all your database security. Here is the exact, ordered recovery: rotate, remove, lock down, and check for abuse.
- Is my Lovable app safe to launch? 5 things to check first
  Lovable apps are usually Supabase-backed React SPAs. Before you share yours, check these five things — three you can verify for free from the URL.
- How to check a Bolt, Replit, v0 or Cursor app before launch
  Whatever AI builder you used, the pre-launch risks are the same: leaked secrets, open database rules, downloadable source. Here is how to check any of them.
- Firebase security rules for a vibe-coded app
  Firebase quickstarts ship in test mode — open to the world. Here is how to tell if your rules are still open, and how to lock Firestore, Storage and Realtime DB.
- How to stop a runaway OpenAI / API bill in your app
  Calling a paid AI API directly from the browser exposes your key and your budget. Here is the safe pattern: a server proxy, rate limits, and spend caps.
- My .env file is downloadable — what to do
  If /.env loads in a browser, attackers can grab every secret in it. Here is how it happens, how to confirm it, and how to fix and recover.
- pk_test in production: why your checkout silently fails
  A Stripe test key on your live site is not a security leak — it is a launch bug. Real cards will not be charged. Here is how to spot and fix it.
- How to choose a security scanner for a vibe-coded app
  New scanners for AI-built apps appear constantly. Here are the honest criteria that actually matter — accuracy, real exploit-testing, and clear limits — not feature counts.
- How do scanners safely test your database rules?
  Testing whether a database is publicly readable sounds invasive. Done right, it reads a row count and nothing else — and only after you prove you own the app.
- Shipshape vs Vibe App Scanner: scanner results vs launch proof
  AI-app scanners increasingly check similar surfaces. The important difference is whether the tool can turn evidence into launch-state proof.
- Stripe webhook returned 200, but paid access still failed
  A webhook can succeed at the HTTP layer while your app never grants the user paid access. Shipshape checks the resulting state, not just delivery.
- Supabase RLS Launch Proof checklist
  RLS being enabled is not enough. Before launch, prove the public key cannot read protected rows and that policies match the app model.
- Gemini/API key wallet-drain checklist for AI apps
  AI app launches now need a wallet-drain check: exposed paid keys, unrestricted Google keys, client-controlled models, and missing rate limits.
- What Shipshape proof packs prove — and what they do not
  A proof pack is a dated attestation of checks run under a policy. It is useful for launch decisions, but it is not a security guarantee.