Will It Vibe logoWill It Vibe?
AUTHZ-019Medium severity-8 points

Authentication disabled by config flag

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A configuration flag turns authentication off (AUTH_ENABLED/REQUIRE_AUTH set to false, or skipAuth/bypassAuth/disableAuth set to true), leaving endpoints unprotected.

Why it matters

A config flag that disables authentication (auth set to off, or a skip/bypass flag set to on) removes access control for whatever it governs. These switches are meant for local development or tests, but when the flag or its default leaks into a deployed environment, endpoints that assume auth is present are wide open.

How to fix it

Make authentication on by default and ensure any bypass flag defaults to the secure value and can only be enabled in explicitly non-production environments. Better, gate the bypass on a development-only check so it cannot be turned on in production at all. Add a startup assertion that refuses to boot in production with auth disabled.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks