What does Securisky scan?

Securisky scans your live deployed app across 6 categories: security (API key exposure, CORS, headers, Firebase/Supabase misconfiguration), SEO, UX, performance, accessibility, and conversion rate optimization. Results arrive in under 2 minutes.

Yes. The free plan includes 3 scans per month with a full security grade (A–F), top findings, and one AI fix prompt. No credit card required.

Does Securisky work with apps built with Cursor, Lovable, or Bolt?

Yes. Securisky is specifically designed for vibe-coded apps built with AI tools like Cursor, Lovable, Bolt, v0, and Replit. These apps commonly have exposed API keys, disabled database security rules, and missing security headers — all of which Securisky detects automatically.

How does Securisky fix security issues?

For every issue found, Securisky generates an AI-ready fix prompt that you can paste directly into Cursor, Claude, or ChatGPT. It also provides ready-to-use code snippets in TypeScript, SQL, and JSON.

What is a security grade?

Securisky assigns a letter grade (A to F) and a score from 0 to 100 based on findings across security, SEO, UX, performance, accessibility and conversion. Grade A means 90+, Grade F means below 40.

Security Guides

Next.js Middleware Auth: The 7 Access Control Bugs AI Tools Commonly Generate

SecuriSky TeamApril 18, 202612 min read

Introduction to Next.js Middleware Auth Bugs

Next.js middleware auth is a powerful feature for handling authentication and authorization in Next.js applications. However, AI tools like Cursor, Lovable, Bolt, v0, or Replit often generate code with access control bugs. What are the most common access control bugs in Next.js middleware auth generated by AI tools? The seven most common bugs are: incorrect role-based access control, missing authentication checks, improper error handling, insecure direct object references, lack of input validation, cross-site scripting (XSS) vulnerabilities, and insufficient logging.

Incorrect Role-Based Access Control

Incorrect role-based access control occurs when the AI tool generates code that fails to properly check user roles, allowing unauthorized access to sensitive data or functionality. For example, consider the following code:

// middleware.js
export default async function middleware(req) {
  if (req.user.role === 'admin') {
    return NextResponse.next();
  }
  // missing check for other roles
  return new Response('Unauthorized', { status: 401 });
}

In this example, the code only checks for the 'admin' role, but fails to check for other roles, such as 'moderator' or 'user'.

Missing Authentication Checks

Missing authentication checks occur when the AI tool generates code that fails to verify user authentication, allowing unauthorized access to sensitive data or functionality. For example, consider the following code:

pages/api/example.py
from fastapi import APIRouter
router = APIRouter()

@router.get('/')
async def example():
  # missing authentication check
  return {'message': 'Hello, World!'}

In this example, the code fails to check if the user is authenticated before returning sensitive data.

Improper Error Handling

Improper error handling occurs when the AI tool generates code that fails to handle errors properly, potentially revealing sensitive information or allowing unauthorized access. For example, consider the following code:

// api/example.js
export default async function example(req) {
  try {
    // code that may throw an error
  } catch (error) {
    // improper error handling
    return new Response(error.message, { status: 500 });
  }
}

In this example, the code catches an error but returns the error message, potentially revealing sensitive information.

Insecure Direct Object References

Insecure direct object references occur when the AI tool generates code that allows unauthorized access to sensitive data or functionality by manipulating object references. For example, consider the following code:

// Example.java
public class Example {
  public String example(String id) {
    // insecure direct object reference
    return Datastore.getInstance().get(id);
  }
}

In this example, the code uses a direct object reference to retrieve data from the Datastore, potentially allowing unauthorized access.

Lack of Input Validation

Lack of input validation occurs when the AI tool generates code that fails to validate user input, potentially allowing unauthorized access or malicious activity. For example, consider the following code:

// api/example.js
export default async function example(req) {
  const { name } = req.body;
  // missing input validation
  return { message: Hello, ${name}! };
}

In this example, the code fails to validate the name input, potentially allowing malicious activity.

Cross-Site Scripting (XSS) Vulnerabilities

Cross-site scripting (XSS) vulnerabilities occur when the AI tool generates code that allows an attacker to inject malicious code, potentially stealing user data or taking control of the application. For example, consider the following code:


{{ user_input }}

In this example, the code uses user input directly in the HTML, potentially allowing an attacker to inject malicious code.

Insufficient Logging

Insufficient logging occurs when the AI tool generates code that fails to log important events or errors, making it difficult to detect and respond to security incidents. For example, consider the following code:

// api/example.js
export default async function example(req) {
  try {
    // code that may throw an error
  } catch (error) {
    // insufficient logging
    console.error(error);
  }
}

In this example, the code logs the error to the console, but fails to log important events or errors to a centralized logging system.

To detect these access control bugs automatically, developers can use tools like SecuriSky, which provides a comprehensive security scanner for AI-built applications. By using SecuriSky, developers can identify and fix these bugs before they become major security incidents.

Quick Fix Checklist

[ ] Verify role-based access control checks are correct and comprehensive

[ ] Add authentication checks to all sensitive endpoints

[ ] Implement proper error handling to prevent information disclosure

[ ] Use indirect object references to prevent insecure direct object references

[ ] Validate all user input to prevent malicious activity

[ ] Use a centralized logging system to log important events and errors

[ ] Use a security scanner like SecuriSky to detect access control bugs automatically

Try it free

Scan your app for these issues now

Paste your URL and get a full security, performance, and SEO report in under 2 minutes — no signup required.

Run a free scan

Security

AI App Security Scanner

Compare

Securisky vs Snyk

Pricing

Plans & Pricing

Back to Blog