Blog

Security insights for developers shipping AI-generated code

How to Secure AI-Generated Code: A Practical Checklist

AI assistants like Cursor, Bolt, Lovable, and Replit ship the same seven vulnerability classes — hardcoded secrets, NEXT_PUBLIC_ leaks, unverified webhooks, SQL injection, missing auth, CORS-with-credentials, and unsanitized HTML. Here's why each one happens, and a concrete grep, prompt, or habit to catch it before you deploy.

June 24, 2026·11 min read

Why Your AI Wrote ALLOWED_HOSTS = ['*'] — and How That One Line Hands Over Your Django App

It passes every test, the site loads, the DisallowedHost errors stop — and it quietly turns off one of the few server-side checks Django ships on by default. The Host-header attacks the wildcard enables (password-reset poisoning, cache poisoning, SSRF), and the env-driven fix.

June 18, 2026·8 min read

Your NEXT_PUBLIC_ Env Var Is Shipping Your Secret Key to the Browser

Everyone worries about committing a .env file. The leak I actually find in AI-generated Next.js apps is quieter: a NEXT_PUBLIC_ prefix on a key that should never reach the client, baked into the JavaScript every visitor downloads. How it happens, how to find it in 60 seconds, and the one-rule fix.

June 11, 2026·6 min read

98.7% Recall, Zero False Positives — and Why We Don't Trust Our Own Benchmark.

Our scanner catches 98.7% of the vulnerabilities in our benchmark with zero false positives. That sounds great until you remember who wrote the benchmark. The honest problem — and the third-party held-out corpus we're building from OWASP NodeGoat, Juice Shop, and DVNA to fix it.

June 10, 2026·7 min read

I Scanned 42 Public SaaS Startup Repos. 83% Had AWS Key Patterns.

Most of them aren't real keys — but the noise itself is the story. What 42 well-known OSS SaaS repos taught me about how AKIA patterns spread through codebases, and why even an AI-filtered scanner still produces 1,355 findings to triage.

May 7, 2026·9 min read

We Ran Semgrep Against Our Benchmark. It Missed Half the Bugs.

A head-to-head comparison on a public labeled corpus of AI-generated code. XploitScan scored 100% F1. Semgrep's community rules scored 62.5%. The gap is almost entirely about template-literal SQL injection.

April 15, 2026·8 min read

The CORS Misconfiguration Cursor Generates That Exposes Your API

AI coding assistants produce a CORS configuration that reflects every origin with credentials. Any website the victim visits can silently read their authenticated API responses.

April 9, 2026·8 min read

Why Traditional SAST Tools Fail on AI-Generated Code

Semgrep, SonarQube, Snyk, and Checkmarx were built for hand-written enterprise code. Here's why they miss the bugs Cursor, Bolt, and Lovable produce — and what to use instead.

April 8, 2026·9 min read

The $10,000 Stripe Webhook Bug Hiding in AI-Generated Code

A walkthrough of the Stripe webhook vulnerability that Cursor, Bolt, and Lovable ship by default — and the 4 lines of code that fix it.

April 7, 2026·7 min read

I Scanned a Typical AI-Generated SaaS App. It Had 53 Security Vulnerabilities.

Hardcoded secrets, SQL injection, unprotected Stripe webhooks — here's what AI coding tools get wrong about security, with real scan data.

April 5, 2026·8 min read

Why AI-Generated Code Is Insecure (And What You Can Do About It)

45% of AI-generated code contains security vulnerabilities. Learn what AI coding tools get wrong and how to protect your app before you ship.

March 26, 2026·6 min read
Blog — XploitScan