DontShipBugs
$ Security & bug audits for Cursor vibecoders

Don't ship bugs. Ship fast. Ship safe.

AI-powered security & bug checks for vibecoded apps — in under 5 minutes, directly inside Cursor.

One prompt. Instant audit. Cleaner code.

> Paste the prompt → Cursor finds the issues → you ship with confidence.

No tools. No setup. Just prompts.
Security Audit — Example App (Next.js/React/PostgreSQL)
$ The real problem

Vibecoding is fun… until production breaks.

You build fast with Cursor, GPT, Claude… But then:

Auth endpoints are wide open

APIs and routes that should be protected aren't — easy to miss when you ship fast.

Weird edge case bugs appear

Nulls, race conditions, and async gotchas show up only after users hit them.

Secrets end up in your repo

Keys, tokens, or env patterns that shouldn't be committed slip through.

Stripe webhooks get abused

Missing validation or idempotency can lead to double charges or abuse.

Users find vulnerabilities before you do

Security and UX issues surface in production instead of before ship.

Dependencies ship known CVEs

Outdated or unpatched packages with public vulnerabilities slip into your bundle.

Most builders aren't security engineers. And traditional audits are slow, expensive, and overkill.

$ Real results
Max — Founder, DontShipBugs
Using these prompts I was able to find security vulnerabilities faster and get them fixed — which saved me a lot of headaches, money, and frustrated customers. So I thought: why not make this prompt available to others?
Max Anton Schneider, Creator of DontShipBugs

$ The solution

Your security review, right in Cursor

A simple, battle-tested prompt system that turns Cursor into your personal security reviewer. Just drop it into your project and get:

Bug discovery

Cursor scans your codebase and surfaces real bugs and edge cases.

Security holes

Exposed routes, broken auth, missing rate limits — flagged before ship.

Unsafe patterns

Insecure cookies, session handling, and OWASP-style risks called out.

Fix suggestions

Concrete next steps and patches, not just a list of problems.

Checklist before shipping

A clear list so you know you're not shipping known issues.

Dependency & CVE awareness

Surfaces vulnerable or outdated packages so you can patch before deploy.

No tools. No setup. No consultants. Just vibes — but safe.

$ How it works

Four steps to safer code

Paste → Scan → Report → Ship. No tools, no subscriptions.

1. Paste the prompt into Cursor

We give you a ready-to-use audit prompt. No setup, no config — just paste.

2. Cursor scans your codebase with AI

It reviews auth, APIs, database access, frontend safety — everything that matters before ship.

3. You get a prioritized bug + security report

With fixes, severity levels, and next steps. Plain English, no jargon.

4. Ship with confidence

Stop guessing. Start shipping clean. Fix what matters before users find it.

Less guessing, more shipping — with confidence.

$ Features

What the Prompt Finds

Security, bugs, secrets, and fix suggestions — all in one audit.

Security Issues

Exposed API routes, broken auth flows, missing rate limits, insecure cookies & sessions, OWASP top risks.

GDPR & Compliance Checks

PII handling, consent flows, data retention, right-to-delete, and privacy leak risks flagged before ship.

Secret Leaks

Keys in env files, tokens in commits, unsafe config patterns.

Cursor-Optimized Fixes

Every issue comes with exact file references, fix prompt follow-ups, and copy/paste patch suggestions.

Payment & Webhook Safety

Stripe webhook validation, idempotency gaps, and double-charge or abuse risks flagged early.

Vulnerable Dependencies

Outdated packages, known CVEs, and unpatched libraries surfaced before you ship.

Code Bugs

Null edge cases, unsafe async logic, missing error handling, broken input validation.

One prompt. Your codebase. Actionable report.

$ Why us

Not just another security tool.

Other tools are built for enterprise security teams. DontShipBugs is built for vibecoders.

Made for Cursor workflows

Designed to run inside Cursor — no external scanners or dashboards.

No scanning setup

Paste the prompt and go. No API keys, no CI integration required.

Instant results

Get a report in minutes, not days or weeks.

Fun + practical

Built for vibecoders who want to ship fast without the fear.

Cheap enough for indie builders

One Master Prompt, one-time — no enterprise pricing.

If you ship with Cursor, this is for you.

$ What you get

One Master Prompt — everything included

One prompt that systematically audits your repo. No tool, no subscription.

DontShipBugs_Master_Prompt.pdf

Included in the prompt:

📋

Role & rules section

DontShipBugs™ as full-stack security auditor; strict rules (no hallucinated line numbers, only real vulnerabilities, prioritized by exploitability).

⚙️

Stack context

Placeholder for your stack (e.g. Next.js + Supabase + Stripe) — the prompt adapts.

📦

Step 1 — Dependencies & framework

package.json, lockfiles, next.config, middleware, Docker — vulnerable versions, dangerous packages.

🔑

Step 2 — Auth & access control

API routes, Server Actions, middleware, admin routes — missing auth checks, role bypass, session security.

💉

Step 3 — Injection & input

SQL, ORM raw(), eval, user input in server functions — parameterized queries, React2Shell.

🛡️

Step 4 — XSS & client

dangerouslySetInnerHTML, unsanitized markdown, CSRF for POST/PUT/DELETE, Origin/Referer.

🔒

Step 5 — Secrets & data exposure

Hardcoded keys, NEXT_PUBLIC leaks, logging sensitive data, .env in Git.

🌐

Step 6 — Infra, privacy & supply chain

CSP/headers, CORS, rate limiting, GDPR, over-fetching, Docker root, dependency audit.

📄

Output format

CRITICAL/HIGH/MEDIUM/LOW per finding, attack scenario + exact fix, summary table, Ship Readiness Verdict.

No tool. No subscription. Just results.

$ Example

See Example Report

See the kind of bug and security report you get from the DontShipBugs prompt — issues, severity, and fix suggestions.

One prompt. One report. Safer code.

Stop hoping nothing breaks. Ship with confidence.

$ One-time. No recurring fees.

Without DontShipBugs

€0

DIY — ship and hope nothing breaks.

  • No audit prompt
  • No security checklist
  • Manual bug hunting
  • Guessing what to fix before ship
  • Risk of shipping vulnerabilities

No purchase needed

Recommended

Security Audit Master Prompt

29,99 €

One-time. Instant download. Unlimited use.

  • One Master Prompt — full security + bug audit for your repo
  • Strict rules: no hallucinated line numbers, only real issues
  • 6-step workflow: Dependencies → Auth → Injection → XSS → Secrets → Infra & Privacy
  • Output: CRITICAL/HIGH/MEDIUM/LOW with exploit scenario + exact fix per finding
  • Summary table + Ship Readiness Verdict · Cursor-ready · Updates included

Secure payment · Instant access

$ Frequently Asked Questions

Does this work with any stack?
Yes — especially Next.js, React, Node, Supabase, Stripe SaaS apps.

Is it just one prompt?
You get a full pack: audit + fixes + specialized modules.

Do I need security knowledge?
No — the prompt explains everything in plain English.

Is this a scanner tool?
Not yet — it's the fastest possible version: prompt-first, tool later.

Stop shipping bugs.

Your users will find them anyway. Let Cursor catch them first.

> Get DontShipBugs today and ship safer in minutes.

No subscription. Download once, use forever. Secure checkout.