Base44 Review — from the engineers who audit Base44 apps
Fast prototyping, expensive lock-in. After the Wiz disclosure and the February 2026 outage, audit before scaling and have an exit plan.
Pros
- Genuinely capable AI for prompt-to-fullstack apps
- Fast iteration speed for non-developers
- Recently patched the platform-level vulnerabilities Wiz disclosed
- GitHub sync available on paid tiers
Cons
- Backend is fully proprietary — no portability without a rebuild
- Role permissions default to 'everyone can view' on data types that should be admin-only
- Manually-configured RLS rules silently disappear after every redeploy
- Public API endpoints have shipped without auth on multiple apps
- Feb 3, 2026 platform-wide outage stranded thousands of apps
Base44 is good for
- Non-technical founders prototyping fast
- Internal tools where lock-in is acceptable
- Anyone testing an idea before committing real engineering
Base44 is the wrong call for
- Production SaaS with real users or PII
- Apps requiring SOC 2, HIPAA, or other compliance
- Founders who can't afford a platform-imposed outage
What we find when we audit Base44 apps
These are the issues we've documented from real audits and primary-source security research. Most of them ship to production by default.
JWT passed to apps via URL
Wiz and Imperva disclosed that Base44 passed the user's main account JWT to apps via the URL, and apps could run arbitrary JS. Any app developer could harvest tokens for full account takeover.
Open redirect leaking access tokens
Confirmed by Imperva's research: access tokens leaked through redirect chains.
Stored XSS in app-generated content
Base44 didn't sanitize user-supplied HTML in entity fields, allowing stored cross-site scripting.
Client-side-only enforcement of premium features
Paid features could be unlocked by editing the client, because the backend performed no validation of its own.
Entity schema files excluded from 'Freeze Files'
The AI agent overwrites manually-configured RLS rules during publish. Rules silently disappear after every redeploy.
Public API endpoints bypassing auth
Wiz researchers found enterprise app endpoints accessible without authentication.
The real cost of Base44
Free trial exists, but credits compound fast in fix-loops. GitHub sync requires paid tier — meaning the lower-tier user has zero escape route during outages. The starter plan looks reasonable until you hit AI credit limits debugging the same bug for the third time.
Founders who've worked with us on Base44
Jacob has been absolutely fantastic to work with; his communication style and web development knowledge are top notch. He helped me migrate two of my apps off of Base44 in a breeze.
Base44 FAQs
- Is Base44 legit?
- Yes. Base44 is a real platform, acquired by Wix, with thousands of active users. The Wiz/Imperva disclosures (JWT-via-URL, open redirect, stored XSS) were patched at the platform level. The outstanding risk isn't whether the platform is legit — it's whether individual apps shipping on it are production-ready, which usually requires an audit.
- Is Base44 safe to use?
- Platform-level safety is acceptable post-patches. App-level safety is not the platform's responsibility. Base44 ships apps with default 'everyone can view' permissions, RLS rules that get overwritten on redeploy, and public API endpoints that frequently bypass auth. We audit Base44 apps for these patterns before they go live.
- Is Base44 free?
- There's a free trial. Real usage requires a paid plan. Source-code export and GitHub sync are paid-tier only — which means without paying you have no fallback if the platform goes down (as it did Feb 3, 2026).
- Is Base44 good for production apps?
- For prototypes and internal tools, yes. For production apps with real users, money, or compliance needs — only after a manual security audit and ideally with a migration plan ready. The proprietary backend is the biggest production risk.
Built something with Base44? Let us audit it.
Senior engineer review of your Base44 app. From $300.