
AI code security audit for a Cursor-built client portal

A security review of an AI-built client portal uncovered a serious problem: any logged-in customer could have stumbled onto other customers’ private data. On top of that, a payment key was sitting out in the open, and a password reset link never expired once used. GetDevDone’s engineers tracked down and resolved those issues before a single real customer used the app.

Our client is an early-stage B2B SaaS company developing a customer-facing web application for paying users. 

Business challenge

The client built a fully functional customer portal with Cursor, an AI coding assistant, in just a few weeks. User authentication, a customer dashboard, Stripe payments, and an admin panel were all in place, and the application was nearly ready to welcome its first paying users.

Before launch, the client requested a professional security analysis of the application’s authentication flow, data access controls, Stripe integration, and handling of sensitive credentials. 

Automated scanning and manual code review uncovered three critical issues. Supabase row-level security wasn’t configured, meaning any authenticated user could read data belonging to other customers. A Stripe secret key was exposed in a client-side component, and password reset tokens remained valid after they had been used.

Solution delivered

The engagement followed a two-step process: identify every meaningful AI code security risk, then fix the issues that could block a safe production launch.

Automated scanning. The team analyzed both the codebase and staging environment using Snyk, SonarQube, and OWASP ZAP to identify vulnerable dependencies, common coding flaws, injection points, and missing security headers.

Manual code review. A senior engineer reviewed the authentication flow, data access patterns, API authorization, Stripe integration, and business logic. This uncovered three critical vulnerabilities that automated tools didn’t catch: missing Supabase row-level security (RLS), a Stripe secret key exposed in a client-side component, and password reset tokens that remained valid after use.

Prioritized security report. Every finding was documented, ranked by severity, and explained in plain language, including its location, business risk, and recommended fix. Critical findings covered data exposure, broken authentication, and exposed secrets. Lower-priority findings covered logging, error handling, and code cleanup. 

Remediation and verification. The GetDevDone AI engineering team fixed all critical and high-severity issues, then verified them through another round of automated scanning and manual review. Medium- and low-severity findings were documented for future implementation.

Project handoff. The client received the completed security report, confirmation that all critical and high findings had been resolved, and a roadmap for addressing the remaining recommendations over time.


Technologies & tools

  • Snyk: dependency vulnerability scanning
  • SonarQube: static code analysis
  • OWASP ZAP: dynamic application security testing against the live staging environment
  • Manual code review: authentication, data access, API authorization, and Stripe integration logic
  • Supabase row-level security (RLS): reconfigured to enforce per-user data access
  • Environment variables: moved exposed secrets out of client-side code and into secure server-side storage
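To show what the RLS reconfiguration above amounts to in practice, here is an added example (not code from the client's portal or from GetDevDone) of a Supabase/Postgres table first left open, then locked down to per-user access; the table and column names (public.invoices, customer_id) and the user id used in the check are assumed for illustration.

```sql
-- Added example: enabling Supabase row-level security so each customer
-- sees only their own rows. Table/column names are assumed, not the client's.

-- Before: a table created without RLS. Through Supabase's auto-generated
-- REST API, any authenticated user could `select * from invoices` and read
-- every customer's data, which is the finding described in the report.
create table if not exists public.invoices (
  id           bigint generated always as identity primary key,
  customer_id  uuid not null references auth.users (id) on delete cascade,
  amount_cents integer not null,
  created_at   timestamptz not null default now()
);

-- Fix, step 1: turn RLS on. With no policies yet, this denies every row to
-- the anon and authenticated roles. The service_role key still bypasses RLS,
-- which is one more reason such secrets must stay server-side.
alter table public.invoices enable row level security;

-- Fix, step 2: allow access only where the row's owner is the caller.
-- auth.uid() is Supabase's helper returning the user id from the request JWT.
create policy "customers read own invoices"
  on public.invoices for select
  to authenticated
  using ((select auth.uid()) = customer_id);

create policy "customers insert own invoices"
  on public.invoices for insert
  to authenticated
  with check ((select auth.uid()) = customer_id);

-- Verification a reviewer can run in the SQL editor: impersonate a user
-- (constructed id below, not a real account) and count rows that belong to
-- anyone else. Any non-zero count means the policy is not taking effect.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  select count(*) from public.invoices
   where customer_id <> '11111111-1111-1111-1111-111111111111';
rollback;
```

Re-run the same impersonation check after any schema change, since a newly added table starts without RLS and reopens the same hole.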

Business benefits

The client launched with all critical and high-severity security issues resolved before the first paying customers gained access. Alongside the fixes, the client's team received a clear record of what had been resolved within the AI code security review, what remained for later, and where future reviews should focus.

Verified security fixes

Every critical and high-severity fix was validated through a second round of automated scanning and manual review before go-live, leaving no room for assumptions.

Clear security priorities

Every finding was documented, ranked by severity, and explained with its impact and recommended fix, making it clear what required immediate attention and what could be addressed later.

Prioritized next steps

The client received a complete ranked audit report together with documented medium- and low-severity recommendations to guide future development. 
