惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
V
V2EX
WordPress大学
WordPress大学
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 司徒正美
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
A
Arctic Wolf
量子位
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
雷峰网
雷峰网
博客园_首页
Google Online Security Blog
Google Online Security Blog
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Hacker News: Front Page
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
TaoSecurity Blog
TaoSecurity Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
IT之家
IT之家
The Cloudflare Blog
爱范儿
爱范儿
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell

Vercel News

Vercel Open Source Program: Winter 2026 cohort How Notion Workers run untrusted code at scale with Vercel Sandbox How we run Vercel's CDN in front of Discourse From idea to secure checkout in minutes with Stripe Building Slack agents can be easy Scaling redirects to infinity on Vercel Advancing Python typing Gamma builds design-first agents with Vercel How Avalara turns pipe dreams into patent-pending with v0 Keeping community human while scaling with agents How OpenEvidence built a healthcare AI that physicians actually trust Security boundaries in agentic architectures Skills Night: 69,000+ ways agents are getting smarter Video Generation with AI Gateway We Ralph Wiggumed WebStreams to make them 10x faster How Stably ships AI testing agents in hours, not weeks How we built AEO tracking for coding agents Anyone can build agents, but it takes a platform to run them Introducing Geist Pixel The Vercel AI Accelerator is back with $6m in credits Making agent-friendly pages with content negotiation The Vercel OSS Bug Bounty program is now available Introducing the new v0 Run untrusted code with Vercel Sandbox, now generally available How Stripe built a game-changing app in a single flight with v0 How Sensay went from zero to product in six weeks AGENTS.md outperforms skills in our agent evals Agent skills explained: An FAQ Testing if "bash is all you need" AWS databases are now live on the Vercel Marketplace and v0 Use Perplexity Web Search with Vercel AI Gateway Introducing: React Best Practices Nick Bogaty joins Vercel as Chief Revenue Officer How Mux shipped durable video workflows with their @mux/ai SDK How to build agents with filesystems and bash How we made v0 an effective coding agent Stopping the slow death of internal tools Building AI-Generated Pixel Trading Cards with Vercel AI Gateway We removed 80% of our agent’s tools AI SDK 6 Our $1 million hacker challenge for React2Shell Cline now runs on Vercel AI Gateway How to prompt v0 Build smarter workflows with Notion and v0 Vercel launches partner certification Inside Workflow DevKit: How framework integrations work React2Shell Security Bulletin | Vercel Knowledge Base Billions of requests: Black Friday-Cyber Monday 2025 Investing in the Python ecosystem AWS Databases coming to the Vercel Marketplace How we built the v0 iOS app Workflow Builder: Build your own workflow automation platform Vercel Open Source Program: Fall 2025 cohort Self-driving infrastructure Vercel collaborates with Google for Gemini 3 Pro Preview launch Vercel: The anti-vendor-lock-in cloud How Nous Research used BotID to block automated abuse at scale How AI Gateway runs on Fluid compute What we learned building agents at Vercel Build and deploy data applications on Snowflake with v0 BotID Deep Analysis catches a sophisticated bot network in real-time Vercel achieves TISAX AL2 compliance to serve automotive partners Bun runtime on Vercel Functions David Totten Joins Vercel to Lead Global Field Engineering Vercel Ship AI 2025 recap You can just ship agents AI agents and services on the Vercel Marketplace Built-in durability: Introducing Workflow Development Kit Zero-config backends on Vercel AI Cloud Introducing Vercel Agent: Your new Vercel teammate Update regarding Vercel service disruption on October 20, 2025 Agents at work, a partnership with Salesforce and Slack Running Next.js in ChatGPT: How to Build ChatGPT Apps Talha Tariq joins Vercel as CTO of Security Just another (Black) Friday Server rendering benchmarks: Fluid Compute and Cloudflare Workers Towards the AI Cloud: Our Series F Collaborating with Anthropic on Claude Sonnet 4.5 to power intelligent coding agents Preventing the stampede: Request collapsing in the Vercel CDN BotID uncovers hidden SEO poisoning How we made global routing faster with Bloom filters What you need to know about vibe coding Scale to one: How Fluid solves cold starts Addressing security & quality issues with MCP tools - Vercel AI agents at scale: Rox’s Vercel-powered revenue operating system Agentic Infrastructure Zero Data Retention on AI Gateway Optimizing Vercel Sandbox snapshots How Waldium made a blog platform work for humans and AI alike How FLORA shipped a creative agent on Vercel's AI stack Agent responsibly Making Turborepo 96% faster with agents, sandboxes, and humans Unified reporting for all AI Gateway usage new.website joins forces with v0 SERHANT.'s playbook for rapid AI iteration Two startups at global scale without DevOps Chat SDK brings agents to your users 360 billion tokens, 3 million customers, 6 engineers Meet the 2026 Vercel AI Accelerator Cohort Build knowledge agents without embeddings
v0: vibe coding, securely - Vercel – Vercel
2025-08-04 · via Vercel News

5 min read

When code is written by AI, secure defaults must be the foundation, not a feature

Vibe coding has changed how software gets built. Tools like v0 make it possible to turn ideas into working prototypes in seconds. Anthropic's CEO predicts 90% of code will be AI-generated in 3-6 months. Adoption is accelerating fast, and for many builders, we're already there.

But here's the uncomfortable truth: The faster you build, the more risk you create

Last week, a viral app leaked 72k selfies and government IDs. This wasn’t a hack or advanced malware. It was caused by default settings, misused variables, and the absence of guardrails. A misconfigured Firebase bucket that was mistakenly left public for anyone to access. The app was built quickly, shipped without security review, and went viral.

More code will be written in the next few months alone than in the entire history of computers

Guillermo Rauch

When anyone can now build an app that goes viral, it’s more important than ever for those apps to be secure from the very first prototype. Leaked secrets, unsafe defaults and misconfigured access are no longer rare mistakes. They are the default without intervention.

This time it was just selfies and government IDs. Next time, it’s your credit card or medical records. The fact of the matter is, security is the defining issue in the world of vibe coding and AI-generated code.

v0 is the only platform built and proven to solve this problem. Since launch, v0 blocked over 100k insecure deployments on Vercel. Each one is a security incident that never happened.

The hard part isn't building fast anymore, it's staying secure at the same speed.

Link to headingWhat AI typically gets wrong

AI tools are trained to generate code that runs, not to make it secure. That distinction matters. LLMs confidently generate code that looks correct but quietly introduce serious vulnerabilities. These issues show up consistently across models, frameworks, and prompts.

They’re not rare. They’re everywhere.

Link to headingPublic variable misuse

In Next.js, any environment variable prefixed with NEXT_PUBLIC_ gets exposed to the browser. That’s by design. It’s how server-side config gets injected into the frontend. But LLMs misuse this by placing secrets, like database credentials and API keys, into these public variables.

// DON'T DO THIS

const databaseUrl = process.env.NEXT_PUBLIC_DATABASE_URL

That database URL is public. Anyone can view your page source and see it.

In the past 30 days, v0 blocked over 17k deployments on Vercel due to exposed secrets alone.

  • The top keys that would have been leaked included Google Maps, reCAPTCHA, EmailJS, and PostHog

  • Over a thousand people almost handed over the keys to their app by sharing their Supabase backend and database keys

  • A thousand more were ready to share their OpenAI, Gemini, Claude, and xAI keys. An incredibly easy way for someone to run up your AI utilization and cost you thousands

Link to headingSecrets in code

Many AI-generated projects take this a step further by including hardcoded secrets like this directly in the source files. These keys are scraped by bots in minutes. Developers don’t often realize the exposure until after incidents occur, if they even catch it at all.

Link to headingOther common patterns

  • Missing input sanitization: Unsafe user input gets passed directly into model prompts, opening the door for prompt injection attacks

  • No environment separation: Generated code rarely differentiates between dev and prod environments, leading to misconfigured services and accidental access leaks

  • Sensitive data in logs: Debug logs often contain auth tokens, user IDs, or API keys written without redaction or retention policy

These are not advanced attack vectors. These are common, beginner mistakes being generated daily, often without the developer realizing the risk. And they won’t go away with better prompting.

Link to headingReal example: AI agent database deletion

In a recent incident, an AI agent made a "catastrophic error in judgement", deleting an apps entire production database. It ignored explicit "no changes without permission" directives and responded with fabricated explanations, claiming success until the issue was discovered.

This was not a malicious actor. It was the result of an overly confident AI without clear boundaries. Incidents like this are becoming more common as teams experiment with autonomous agents and production-connected workflows.

This issue will only grow as security reviews fall behind the speed and volume of AI-generated code. With AI models being trained on public code, much of which is insecure, outdated, or misconfigured, the solution lies in secure defaults and sensible guardrails built into the tools that generate and deploy your code without slowing you down.

Link to headingWhat v0 does that others don't

v0 is trained on modern best practices for popular frameworks like Next.js, and applies security checks during generation and before deployment. These checks are automated, context-aware, and applied consistently across every project.

Secure generation:

  • Secrets exposed in client-side code or public repositories

  • Misuse of NEXT_PUBLIC_ variables that leak production credentials

  • Tokens or session data written to logs

  • Prompt injection risks from unsanitized user input

  • Misconfigured third-party API integrations

  • Unsafe defaults for authentication, routing, and database access

Quantified impact:

  • Over 17k insecure deployments blocked in July alone

  • Most common issues: Exposed API keys, NEXT_PUBLIC_ misuse, unauthenticated API routes

Fast is meaningless if you can't trust what you ship.

Link to headingLayered protection from prompt to deployment

Deploying with v0 means your apps live on Vercel, benefiting from our hardened platform-level controls.

Link to headingDeployment control

  • Preview protection: Preview deployments can be restricted with password or SSO

  • Opt-in sharing: v0 ensures preview links are private unless explicitly shared

  • Environment safeguards: Vercel blocks deployments from forks that modify environment variables without approval

  • Deploy blocks: Security vulnerabilities are flagged and require review before deploy

  • Access control: Role-based permissions define who can view, edit, and deploy

  • Audit logging: All deploys and environment changes are recorded and reviewable

Together, v0 and Vercel enforce deploy-time protections that catch risky changes before they reach production.

Link to headingSecure inference

v0 apps use Vercel AI Gateway to call models securely without exposing credentials.

  • Centralized auth and routing: Routes requests to any providers with retry and failover support

  • Scoped credentials: Provider tokens are stored securely and used server-side only

  • Short-lived tokens: Short-lived OIDC tokens are scoped per project

  • Rate limiting: Built-in throttling and observability help prevent overuse and abuse

Model usage is centralized, and secured so inference does not become an attack surface.

Link to headingPlatform-level security

  • DDoS and firewall protection: Vercel Firewall blocks over 4.4 billion malicious requests and bots per month before they reach your application

  • Isolated functions: Each function runs in its own secure container with controlled network access

  • Secure environment encryption: AES-256 encryption with secure vault system

  • Compliance standards: SOC 2 Type 2, ISO 27001:2022, GDPR, PCI DSS, HIPAA

Link to headingThe path forward

Vibe coding has made building faster than ever. Speed is no longer the problem. Security is. And as teams have started to realize, it can’t be treated as a separate step.

We’ve seen what happens when small oversights scale. Thousands of apps ship every week with vulnerabilities, often without the author realizing it.

Secure has to be the default from the start, without slowing you down or having to think about it. Whether you're vibe coding an idea or a developer rushing to meet a deadline, secure code generation and practical guardrails ensure you get the same security analysis as the most experienced engineers.

The future of development is fast, AI-assisted, and secure by default.

Ready for secure, AI-powered development?

From idea to secure deployment in minutes. No security expertise required.

Get started with v0