Security guides
for AI-built apps

Plain-English guides for people who build with Lovable, Bolt, v0, Cursor, and Claude Code. No security background needed. Each one fixes a real hole in the order that matters.

Scan your live site (free) → Browse the guides

The same handful of holes, over and over

AI builders are wonderful at getting an app live in an afternoon. They are also wonderful at leaving the same small set of security holes in every project, because the tool optimizes for "it works," not "it is safe." We see the same four again and again:

  • A key in the bundle. An API key that was supposed to stay on the server ends up shipped to the browser, where anyone who opens your site can read it. (The "bundle" is the built JavaScript your site sends to visitors.)
  • An open database. A database that anyone on the internet can read or write, because the rules that decide who is allowed in were never turned on.
  • An exposed .env file. The file that holds your secrets, sitting on your live site where a visitor can just download it. (A .env file is where apps keep keys and passwords.)
  • An API route with no auth. A backend endpoint that does something sensitive, with no check for who is calling it. (An "endpoint" is a URL your app talks to; "no auth" means it never asks who you are.)

None of these are exotic. They are the boring, common mistakes, and that is exactly why they get apps breached. Attackers do not need a clever exploit when the front door is open.

These guides fix them. Each one is written for a person who builds, not a person who does security for a living. Where jargon is unavoidable, it gets a one-line explanation the first time it appears. Where a fix means clicking around a provider's dashboard, we point you at the exact page. And the order is deliberate: we always tell you the one action that actually contains the risk before we talk about cleanup.

Start wherever your problem is. If a key already leaked, jump to the leaked API key runbook. If nothing has gone wrong yet and you just want to ship safely, start with the pre-launch checklist. If you would rather have a machine look first, run the free scan and let it tell you which guide you need.

Group 1

A key or secret leaked

Something that was supposed to stay private got out: a key in a public commit, a provider email saying your key was disabled, a secret in the frontend. Start with the master runbook, then jump to your specific provider.

Leaked API key: the master runbook

The one to read first. Rotate the key at the provider before you touch git history, because deleting the commit does not un-leak it. Covers every major provider and how to check what the key was used for.

Anthropic API key leaked

Your Claude / Anthropic key got out. How to delete it in the console, create a fresh one, and read the usage page to see if anyone spent your credits.

OpenAI API key leaked

Revoke the exposed key on the OpenAI API keys page, mint a new one, and check your usage for spikes you did not make. Includes what that "your key was disabled" email actually means.

Stripe API key leaked

A live Stripe secret key handles real money, so this one is urgent. How to roll the key in the dashboard, pick immediate expiry, and scan your payments and request logs for activity that is not yours.

Supabase service role key exposed

The service role key skips your database access rules entirely, so a leak means your whole database is reachable. How to rotate it and why it must live on the server, never in the browser.

Exposed .env file

Your .env is downloadable on the live site, or it slipped into git. How to close the exposure, then rotate every secret that file ever held, because you have to assume all of them were copied.

Group 2

Secure your app before and after launch

No fire yet. These guides are for shipping safely and staying safe: the checklist to run before you go live, the builder-specific pitfalls, and how to keep an eye on things once you are in production.

Lovable security checklist

A pre-launch walkthrough for apps built with Lovable and similar tools. The keys, database rules, and exposed files these builders tend to leave, and how to close each one before you share the link.

Bolt: leaked API key

Built with Bolt and a key ended up somewhere public? The Bolt-specific version: where keys tend to leak in a Bolt project, how to rotate, and how to keep the next one server-side.

Claude Code security

Shipping code written with Claude Code? What to check before it goes live, and how the free Lictor plugin runs a plain-English audit right inside your Claude Code session.

Continuous monitoring

Launch is not the finish line. How ongoing monitoring watches your exposed surface so the next leak is a notification while it is still small, instead of a surprise on the invoice.

Group 3

The tools

Three ways to actually check your app, from a one-click free scan to a plugin that audits your code to paid monitoring that keeps watching.

Free live-site scan

Point it at your deployed URL and it checks, passively and with no signup, for the common exposures in these guides: a reachable .env, keys in the bundle, and more. Passive means it only reads what your site already serves to anyone.

Free Claude Code plugin

An open-source plugin that runs a 48-check audit catalog over your codebase in plain English, plus guided helpers to rotate keys and apply fixes. Install it with two commands:

/plugin marketplace add Raffa-jarrl/Lictor-AI
/plugin install lictor-security-suite@lictor-ai

Paid monitoring

Continuous monitoring for when you have shipped and want to keep an eye on things, from $49/mo. Start on the billing page, or read the monitoring overview first.

Why trust the audit? Because "trust us" is not evidence, we publish a reproducible benchmark. In a blind run on a 30-case stratified sample of OWASP Benchmark 1.2, the audit scored an F1 of 93.8%. That is a 30-case sample, not the full benchmark, and we say so right in the results. Lictor is built and run by a security engineer with 20 years in the field who does real responsible-disclosure work.

Not sure where to start?

Let a machine make the call. The free scan looks at your live site and tells you, in plain English, which of these holes you actually have. No account, no install, no credit card. Then follow the guide it points you to.

Run the free scan → Or start with the leaked-key runbook

Questions people ask first

Which guide should I start with?

If a key or secret has already leaked, start with the leaked API key runbook. It tells you the one thing that actually contains the risk: kill the key at the provider first, then clean up. If nothing has leaked yet and you just want to ship safely, start with the Lovable security checklist. It covers the handful of holes AI app builders tend to leave, in plain English.

Do I need to know how to code to use these guides?

No. These guides are written for people who build with tools like Lovable, Bolt, v0, Cursor, and Claude Code, not for security specialists. Every step is in plain English, and any jargon gets a one-line explanation the first time it shows up. Where a fix means visiting a provider's dashboard, we point you at the exact page.

Is the Lictor scan really free, and does it need a signup?

Yes, the live-site scan is free and needs no signup. It looks at your deployed site passively, meaning it only reads what your site already serves to any visitor. It checks for the common exposures these guides describe, like an .env file reachable on the live URL. Paid continuous monitoring is a separate product that starts at $49/mo.

What is the free Claude Code plugin, and how do I install it?

It is a free, open-source plugin that runs a plain-English security audit inside Claude Code, plus guided helpers for rotating leaked keys and fixing findings. Install it with two commands: /plugin marketplace add Raffa-jarrl/Lictor-AI then /plugin install lictor-security-suite@lictor-ai. The audit runs a 48-check catalog covering leaked keys, exposed configs, broken auth, and the rest of what gets apps breached.