Brandon Hancock, an experienced software engineer and AI-focused developer, performs a live audit of a fast-built AI SaaS. He uncovers exposed Supabase keys, row-level security gaps, and architecture mistakes. Short fixes and practices like moving clients to the backend, using server actions, managing migrations, and codifying AI task templates are discussed.
ADVICE: Never Ship Frontend Supabase Keys
Avoid exposing Supabase client keys in frontend code, where an attacker can use them to create users or read unprotected tables.
Brandon grabbed Craig's public Supabase key from the exposed client and read data from tables that lacked row-level security, demonstrating the risk.
ADVICE: Enable Row Level Security On All Tables
Implement strict row-level security on every table so that a leaked anonymous key cannot read or modify other users' data.
Brandon found that most tables had RLS enabled, but two (leads and one other) did not, which let him read user data.
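An added example, not from the episode or from Outlier's code, of how the RLS gap Brandon found on the leads table would be closed in Supabase SQL, plus the query an auditor would run to find any other table in the same state. It assumes leads has a user_id column holding the owning auth.users id; the episode does not show the schema.

```sql
-- Added example (not from the episode). Assumes public.leads has a
-- user_id uuid column referencing auth.users(id); that is an assumption.

-- Weak state, as found in the audit: RLS off, so any holder of the public
-- anon key can read every row through PostgREST. Shown for contrast only.
-- alter table public.leads disable row level security;

-- Step 1: enable RLS. With no policies yet, anon and authenticated roles
-- get no rows at all, which is the safe default to start from.
alter table public.leads enable row level security;

-- Step 2: owner-only policies. auth.uid() is the JWT subject of the caller,
-- so the anon key alone (no user session) matches nothing.
create policy "leads_select_own" on public.leads
  for select to authenticated
  using (user_id = auth.uid());

create policy "leads_insert_own" on public.leads
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "leads_update_own" on public.leads
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "leads_delete_own" on public.leads
  for delete to authenticated
  using (user_id = auth.uid());

-- Audit check: list every ordinary table in the public schema that still
-- has RLS disabled. The audit in the episode turned up two such tables;
-- this should return zero rows once they are all fixed.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Run the final query in the Supabase SQL editor (or psql against the project database) as part of every migration review, since a newly created table has RLS off until someone enables it.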
ADVICE: Keep Private Database Logic On The Server
Move private Supabase operations to backend/server-side code and keep only public-data logic in the client.
Brandon's one-file fix was deleting the client-side Supabase usage and routing those actions through server endpoints so the keys never reach the browser.
This week on Rogue Startups, Craig gets roasted. He brought in experienced software engineer Brandon Hancock after building the AI-powered SaaS app Outlier largely through “vibe coding,” so Brandon could audit the entire codebase live during the episode. The result? An honest but useful breakdown of what happens when non-technical founders ship fast with AI tools.
Brandon digs into real security risks, common architecture mistakes, and the best practices every founder should follow when building AI-driven products. If you’re launching SaaS with tools like Next.js, Supabase, and Claude, or simply adding AI features to your existing product, this episode offers practical lessons on building faster without accidentally breaking everything.
Check the episode out on YouTube to see Brandon dig through Craig’s code onscreen.
Highlights from Craig and Brandon’s conversation:
What “vibe coding” looks like when building a real production startup
How a single exposed Supabase key can create major security risks
Why row-level security is critical for protecting user data
Using AI to audit code and uncover vulnerabilities in minutes
Simple fixes that dramatically improve SaaS security
Why many AI code review tools miss critical issues
The danger of exposing backend clients in frontend code
How server actions can replace many API endpoints
Best practices for managing database migrations with Drizzle ORM
Why staging environments save founders from catastrophic production mistakes
The difference between moving fast and building responsibly
How to structure AI documentation for better development workflows
Using task templates to teach AI your coding standards
Practical lessons for founders building SaaS products with AI tools
If you feel like Rogue Startups has benefited you, and it might benefit someone else, please share it with them. If you have a chance, give Rogue Startups a review on iTunes.
Do you have any comments, questions, or topic ideas for future episodes? Feel free to reach out to me: