Peer-to-peer fashion marketplace
Stack
Base44, Stripe, JWT sessions, RLS
Primary finding
23 findings across checkout, RLS, auth, sessions, and platform exposure
Outcome
Critical checkout and data-access issues were fixed and verified, securityheaders.com improved from F to A, RLS was enabled on all six tables, and price tampering was confirmed blocked.
Background
A founder building a peer-to-peer fashion marketplace on Base44 reached out ahead of launch. The app had been built almost entirely with AI assistance and was close to going live with real users and real payments. She wanted to know whether it was actually secure before putting buyers and sellers on it.
This is becoming increasingly common: non-technical founders using AI code builders to ship fast, then realizing security was not part of the process. The app looked polished. Underneath, it had gaps that would have caused serious damage in production.
Scope
The engagement covered a full penetration test of the live application, manual code review of backend functions, Base44 platform scanner analysis, Row-Level Security configuration, Stripe payment-flow testing, session and token security, HTTP security headers, remediation, and direct verification.
What we found
The audit produced 23 findings across four severity levels. The most serious issues were unauthenticated Stripe checkout, missing Row-Level Security across six tables, checkout price tampering, exposed seller Stripe account IDs, a live API key in platform documentation, and a client-side order creation bypass.
The checkout issue was especially severe. The backend built Stripe line items directly from client-supplied price values. Sending a one-cent price for a $69 item generated a valid Stripe checkout session at one cent. Any buyer could have purchased an item for an arbitrary price.
The Row-Level Security issue was confirmed with two test accounts. Listings, cart items, saved listings, skipped listings, orders, and reviews were readable and writable by authenticated users regardless of ownership. Cross-account deletion of another user’s listing returned HTTP 200 before remediation.
What we fixed
Every finding was either remediated through code and configuration changes or documented as a Base44 platform limitation with recommendations for the client to raise directly with the platform. Fixes were verified through direct exploit testing, not just code review.
Authentication was added to checkout and confirmed with unauthenticated requests returning 401. RLS was configured across all six tables and retested with cross-account read and delete attempts. Checkout was rewritten to fetch listing prices server-side, ignoring client-supplied price values entirely. A tamper test using a one-cent price for a $69 item returned a Stripe session at the real $69 price.
The User table was locked down to protect Stripe account IDs. X-Frame-Options and Permissions-Policy were enabled, moving the app from an F to an A on securityheaders.com. A Stripe open redirect was fixed by replacing the client-controlled Origin header with a hardcoded application URL. The API key exposure was reported urgently and rotated by the client the following day.
Results
Before remediation, securityheaders.com returned an F; after remediation, it returned an A. Tables with RLS improved from 0 of 6 to 6 of 6. Checkout authentication moved from unenforced to enforced. Price tampering moved from exploitable to blocked. Cross-account data access moved from confirmed exploitable to confirmed blocked.
How verification worked
Every fix was verified through direct testing. RLS fixes were confirmed with cross-account delete and read requests between separate test accounts. Price tampering was confirmed by intercepting a live checkout request, changing the price to $0.01, forwarding it, and observing Stripe render the real database price. Authentication was confirmed by stripping the Authorization header and observing a 401 response.
The API key finding was discovered incidentally while investigating Base44 session configuration options. It was reported immediately, before the formal report was delivered, because confirmed high-impact findings should reach the client as soon as they are understood.
Notes for founders building on AI code platforms
Apps built with AI assistance can reach production quality fast. Security does not follow automatically. The app’s surface area was defined by the platform, but the security posture was defined by what the developer configured. Base44 provides infrastructure for RLS, but it has to be turned on. Authentication has to be added to functions explicitly. Stripe prices have to be fetched server-side by choice.
None of these are things an AI code builder will reliably flag unprompted. They require someone who understands what an attacker would try, not just what the app is supposed to do.
Back to case studies
