I Reviewed AI-Built SaaS Apps — Here's What They All Got Wrong

The promise of AI-assisted development is real. You can spin up a full-stack SaaS app in a weekend now — auth, payments, database, API — with Cursor or Claude doing the heavy lifting while you steer the product decisions.
I have watched people do it. I have done it myself. It is genuinely impressive how far you can get in a short amount of time.
And then I started reviewing these apps before they launched, and I found the same problems in almost every single one.
The Pattern
AI coding tools are excellent at generating code that works in the happy path. They are much less good at thinking adversarially — at asking what happens when a malicious user probes your auth flow, or what your Stripe webhook handler does when it receives an event you did not expect, or whether your environment variables are actually staying out of your repository.
This is not a criticism of the tools. It is a structural limitation of how they work. They write code that satisfies the prompt. Security, hardening, and edge-case handling are concerns that live outside most prompts.
So the developer ships an app that works great in testing and has a critical vulnerability they never knew about.
The Five Categories That Break Everything
After reviewing multiple AI-built apps, the problems cluster into a small number of categories. Almost every app had at least two of these. Several had all of them.
Authentication. The most common issue is incomplete auth coverage — an API route that should require authentication but does not, because the developer added it after setting up auth and forgot to protect it. The second most common is session handling that does not properly invalidate tokens on sign-out. Both of these are invisible during normal testing because you are always testing as yourself, authenticated.
Stripe and payment flows. AI-generated Stripe integrations almost always handle the happy path correctly and botch the edge cases. What happens if a customer's payment fails mid-subscription? What if a webhook arrives twice? What if the checkout session expires before the user completes payment? These scenarios are rare enough that they never come up in development and common enough to cause serious problems in production.
Webhook security. This is the single most consistently missed item across every app I have reviewed. Webhooks need to be verified — you need to validate that the incoming request actually came from Stripe (or whichever service is sending it), not from someone who figured out your endpoint URL. The verification code is simple. The consequences of missing it are not.
Environment variable handling. Secrets in the repository, development keys in production, production keys in development — all of these happen more often than they should. AI tools generate code that uses environment variables correctly, but they do not audit whether the variables themselves are being managed safely.
Error handling and information disclosure. Stack traces and verbose error messages are useful in development. In production, they are a roadmap for anyone looking to probe your app. Default error handling from AI-generated code tends to be too verbose for production use.
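The "forgot to protect a route added later" problem in the authentication category above is easy to catch mechanically if routes default to deny and a test enumerates the route table. The block below is an added example, not code from the post or from any reviewed app; it is framework-free so it runs anywhere, and the route table, the `requireAuth` wrapper, the `requiresAuth` marker and the `PUBLIC_ROUTES` allowlist are all constructed for illustration.

```javascript
// Added example: default-deny route guard plus a coverage audit.
// Every handler must be either explicitly listed as public or wrapped in
// requireAuth(); anything else is reported as a gap before launch.

// Constructed allowlist of routes that are intentionally anonymous.
const PUBLIC_ROUTES = new Set(['GET /health', 'POST /auth/login', 'POST /webhooks/stripe']);

// Wraps a handler so unauthenticated requests get 401 before the handler runs.
// The requiresAuth marker is what the audit below checks for.
function requireAuth(handler) {
  const wrapped = (req) => {
    if (!req || !req.user) return { status: 401, body: { error: 'unauthenticated' } };
    return handler(req);
  };
  wrapped.requiresAuth = true;
  return wrapped;
}

// Constructed route table in the shape the post describes: auth was set up,
// then a route was added afterwards and never protected.
function buildRoutes() {
  return {
    'GET /health': () => ({ status: 200, body: { ok: true } }),
    'POST /auth/login': () => ({ status: 200, body: { token: 'constructed-session-token' } }),
    'GET /api/projects': requireAuth((req) => ({ status: 200, body: { owner: req.user.id } })),
    // The bug: a mutating route with no requireAuth() and not in PUBLIC_ROUTES.
    'DELETE /api/projects/:id': () => ({ status: 204, body: null }),
  };
}

// Returns the route keys that are neither public nor wrapped in requireAuth.
// Run this in CI so a forgotten guard fails the build instead of shipping.
function auditRouteCoverage(routes, publicRoutes = PUBLIC_ROUTES) {
  return Object.entries(routes)
    .filter(([key, handler]) => !publicRoutes.has(key) && !handler.requiresAuth)
    .map(([key]) => key);
}

// Minimal dispatcher so the guard can be exercised without a web framework.
function dispatch(routes, key, req) {
  const handler = routes[key];
  if (!handler) return { status: 404, body: { error: 'not found' } };
  return handler(req);
}

module.exports = { PUBLIC_ROUTES, requireAuth, buildRoutes, auditRouteCoverage, dispatch };
```

The audit is deliberately strict: a route is only safe if it carries the marker or is in the allowlist, so adding a new endpoint without thinking about auth produces a failing check rather than a silently open route. Testing "as yourself, authenticated" never exercises the 401 branch, which is why an automated coverage check is worth more than manual clicking.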
Why This Matters More for AI-Built Apps
You might be thinking that experienced developers make the same mistakes. They do. But experienced developers also tend to have a checklist — either formal or informal — of things they verify before they ship. They have been burned before.
The developers shipping AI-built apps quickly are often doing so without that scar tissue. They got an app working faster than they ever have before, they are excited about it, and the impulse is to launch while the momentum is there. The security audit feels like something for later.
Later is always too late.
What I Built for This
I put together an audit framework specifically for AI-built SaaS apps — I call it SHIP-SAFE. It is a structured checklist that covers every category above plus a few more: database access patterns, CORS configuration, rate limiting, and the specific Stripe webhook verification pattern that almost no AI-generated code gets right out of the box.
The AI-Built SaaS Launch Audit Kit is $49 and it will walk you through a complete pre-launch security review of your app. It is built for developers who are shipping fast and want to make sure they are not launching a time bomb.
If you have an AI-built app in the pipeline, run this before you flip the switch. The things it catches are not hypothetical — they are the things that have caused real incidents in real apps.
The One Thing to Do Right Now
If you have an AI-built app in production or close to launch, go check your webhook handler. Specifically: are you verifying the webhook signature before processing the payload?
In Stripe, this means calling stripe.webhooks.constructEvent() with the raw body and the Stripe-Signature header. If your handler processes the event before doing that verification, you have an unprotected endpoint that anyone can POST to.
That one fix will not cover everything. But it is the most common critical issue I find, and it takes about ten minutes to address.
Fix the webhook. Then do the rest of the audit before you launch.