Descriptions:
Chris Raroque, an iOS and React developer with over a decade of experience, covers the most critical security vulnerabilities appearing in apps built quickly with AI coding tools like Cursor and Claude Code — drawing directly from a personal incident where his calorie-tracking app was hacked. The core focus is Row Level Security (RLS) misconfiguration in Supabase and Firebase, which Raroque identifies as the root cause behind the vast majority of high-profile vibe-coded app data breaches.
The RLS section explains why Supabase and Firebase’s direct-to-database client architecture is convenient but catastrophic when policies are set incorrectly. Raroque traces the history back to Firebase’s original default-open security rules and the mass breaches that followed. In his own case, storing subscription status and rate limit data on the same user-writable Supabase table allowed attackers to escalate their own privileges — even after having Claude and Cursor review the configuration.
The second major topic is backend rate limiting: why frontend limits are trivially bypassed through direct endpoint access, and how to implement per-user counters at the server layer. Additional guidance covers secure field separation and using AI assistants to audit existing policies. The video is grounded in real incidents rather than theoretical risk and is particularly relevant for solo developers shipping SaaS products with AI-generated code. WhisperFlow, a voice-to-text tool with native Cursor and Windsurf integrations, sponsors the video.
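To make the field-separation and server-side rate-limit points concrete, here is an added example (not code from the video or from Raroque's app) written as Supabase-style Postgres DDL. It assumes Supabase's `auth.uid()` helper and its `authenticated` and `service_role` roles; the table and column names are constructed for illustration.

```sql
-- Weak layout (the incident described above): one user-writable table holds
-- display fields next to subscription_status and a rate-limit counter.
create table public.profiles (
  id uuid primary key references auth.users (id),
  display_name text,
  subscription_status text not null default 'free',  -- privileged
  requests_today int not null default 0              -- privileged
);
alter table public.profiles enable row level security;
-- "Users may update their own row" scopes rows, not columns: a client can
-- change subscription_status on its own row and escalate itself to paid.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = id) with check (auth.uid() = id);

-- Hardened layout: privileged fields move to a table the client role cannot
-- write (no insert/update/delete policy means denied under RLS; the server's
-- service role bypasses RLS).
alter table public.profiles
  drop column subscription_status, drop column requests_today;
create table public.entitlements (
  user_id uuid primary key references auth.users (id),
  subscription_status text not null default 'free',
  requests_today int not null default 0,
  window_start timestamptz not null default now()
);
alter table public.entitlements enable row level security;
create policy "entitlements_read_own" on public.entitlements
  for select to authenticated using (auth.uid() = user_id);
-- Column-level grant on the table that stays writable, so a future policy
-- mistake still cannot expose columns beyond display_name.
revoke update on public.profiles from authenticated;
grant update (display_name) on public.profiles to authenticated;

-- Server-side per-user counter (the backend rate limit): called by the
-- server with the service role; clients cannot execute it. Daily window.
create or replace function public.consume_request(p_user uuid, p_limit int)
returns boolean language plpgsql security definer as $$
declare allowed boolean;
begin
  update public.entitlements e
     set requests_today = case when e.window_start < now() - interval '1 day'
                               then 1 else e.requests_today + 1 end,
         window_start   = case when e.window_start < now() - interval '1 day'
                               then now() else e.window_start end
   where e.user_id = p_user
  returning e.requests_today <= p_limit into allowed;
  return coalesce(allowed, false);  -- unknown user: deny
end $$;
revoke execute on function public.consume_request(uuid, int) from public, anon, authenticated;
grant execute on function public.consume_request(uuid, int) to service_role;
```

The server checks `consume_request()` before doing the paid work, so a client calling the endpoint directly is still counted and cut off once the limit is reached.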
📺 Source: Chris Raroque · Published March 16, 2026
🏷️ Format: Troubleshooting