Fix guide · critical · postgres_connection_string
Postgres connection string with credentials in client code
What this rule means
A postgres:// or postgresql:// URL containing a username and password was found in client JavaScript.
Why it matters
The string carries the full credentials of that database role: anyone who obtains it can connect directly with that role's privileges.
How to fix it
- Rotate the database user's password. In Supabase / Neon / Railway / RDS console, reset the password for the role.
- Move the connection string to server-side env vars only.
- Network-restrict the database to allowed IPs.
- For Neon, use the HTTP-over-Postgres endpoint via @neondatabase/serverless and a per-request token rather than a direct connection from the browser.
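The following is an added example, not part of this fix guide and not vibecheck's scanner code. It shows, in JavaScript, a check that applies this rule to a bundle's source text (reporting each postgres:// or postgresql:// URL that carries a username and password, with the password redacted so the report itself does not leak it) beside the server-side pattern the fix calls for: reading the connection string from an environment variable and refusing to run in browser code. The regular expression, the constructed sample bundle, the DATABASE_URL variable name and the function names are assumptions made for this example.

```javascript
// Added example, not vibecheck's own rule implementation.
// Matches postgres:// or postgresql:// URLs of the form scheme://user:password@host[:port]/...
// The capture groups are: 1 = username, 2 = password, 3 = host (with optional port).
const CONNECTION_STRING_RE =
  /\bpostgres(?:ql)?:\/\/([^:\/\s@]+):([^@\s]+)@([^\/\s?]+)(?:[^\s"'`]*)?/g;

// Scan bundle source text and return one finding per credentialed URL.
// Each finding records the line number, the user, the host:port and a redacted copy
// of the URL; the password itself is never stored in the result.
function findPostgresCredentials(bundleSource) {
  const findings = [];
  for (const match of bundleSource.matchAll(CONNECTION_STRING_RE)) {
    const [full, user, password, hostPort] = match;
    // Line number = number of newlines before the match, plus one.
    const line = bundleSource.slice(0, match.index).split("\n").length;
    findings.push({
      line,
      user,
      hostPort,
      redacted: full.replace(password, "*".repeat(8)),
    });
  }
  return findings;
}

// Server-side pattern from the fix: read the connection string from the environment
// and refuse to hand it out in a browser-like context, so it cannot end up in a bundle.
// DATABASE_URL is an assumed variable name.
function serverDatabaseUrl(env = process.env) {
  if (typeof window !== "undefined") {
    throw new Error("database credentials must not be read from browser code");
  }
  const url = env.DATABASE_URL;
  if (!url) {
    throw new Error("DATABASE_URL is not set");
  }
  return url;
}

// Constructed sample bundle: line 1 is the anti-pattern this rule flags, line 2 is an
// unrelated HTTPS URL, line 3 is a postgres URL without a user:password part (not flagged).
const SAMPLE_BUNDLE = [
  'const client = new Client("postgresql://app_user:s3cr3t-pw@db.example.internal:5432/app");',
  'const publicUrl = "https://api.example.com/v1";',
  'const noCreds = "postgres://db.example.internal/app";',
].join("\n");

// Format findings the way a scan report would, with the password already redacted.
function formatReport(findings) {
  return findings.map(
    (f) => `line ${f.line}: role "${f.user}" on ${f.hostPort}: ${f.redacted}`
  );
}

console.log(formatReport(findPostgresCredentials(SAMPLE_BUNDLE)).join("\n"));
```

The scan works on the built bundle text rather than on source files, because that is where a leaked string actually ships; a bundler can inline an environment variable at build time, so a string that looks server-side in source may still land in the client output.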
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.