Security Checklist Before Shipping Vibe-Coded Apps

'Vibe coding'—building applications rapidly with AI assistance, accepting suggestions, moving fast—has become the new normal. You can go from idea to deployed app in hours. But speed creates risk. AI assistants optimize for working code, not secure code. Before you ship that vibe-coded app to users, run through this security checklist.

This isn't about slowing you down. It's about spending 30 minutes now to avoid a security incident later. Let's go through what to check.

Authentication & Authorization

Check: Are passwords hashed with bcrypt, Argon2, or scrypt? AI often suggests MD5, SHA-1, or even plaintext storage. Look for: password, hash, crypto in your codebase. Red flag: anything using md5() or sha1() for passwords.

Check: Is there rate limiting on login attempts? Without it, attackers can brute-force passwords indefinitely. AI rarely adds rate limiting unless asked. Look for login endpoints and verify limits exist.

Check: Are authorization checks on every protected route? AI might add auth to /admin but forget /admin/users/delete. Verify every endpoint that should require authentication actually checks it.

Check: Are session tokens cryptographically random? Look for Math.random() in token generation—it's predictable. Should use crypto.randomBytes() or equivalent.

Secrets & Configuration

Check: Are there hardcoded secrets in the codebase? Search for: apiKey, api_key, secret, password, token, AWS_, STRIPE_. AI loves suggesting placeholder keys that look real. Every secret should come from environment variables.

Check: Is .env in .gitignore? This seems obvious but gets missed. Run the following command to check if secrets were ever committed:

git log --all --full-history -- .env

If any results appear, rotate those secrets—they're in git history forever.

Check: Are production secrets different from development? AI might have you using the same Stripe key everywhere. Verify production uses production credentials.

Input Validation & Injection

Check: Are all database queries parameterized? Search for template literals or string concatenation in SQL queries. This pattern is vulnerable:

// VULNERABLE - Don't do this!
SELECT * FROM users WHERE id = ${userId}

Must use prepared statements instead.

Check: Is user content escaped before rendering? Look for dangerouslySetInnerHTML, innerHTML, v-html. If these use user input, you have XSS. Escape or use DOMPurify.

Check: Are file paths validated? Any code that uses user input in file paths (uploads, downloads) needs path traversal protection. Look for path.join with user input—add path.resolve and boundary checks.

Check: Are URLs validated before redirect? Open redirect vulnerabilities let attackers send users to malicious sites. Verify redirect URLs against an allowlist.

API Security

Check: Is CORS configured correctly? Look for origin: '*' or Access-Control-Allow-Origin: *. This allows any website to make requests to your API. Set specific allowed origins.

Check: Is there rate limiting on API endpoints? Without limits, attackers can scrape data, enumerate users, or exhaust resources. Add rate limiting to all public endpoints.

Check: Do API errors leak information? Detailed error messages help attackers. In production: generic errors to users, detailed logs server-side. Check that stack traces aren't returned in responses.

Dependencies

Check: Run npm audit (or equivalent). AI might have suggested packages with known vulnerabilities. Fix or replace vulnerable dependencies before shipping.

Check: Verify AI-suggested packages exist and are legitimate. Check npmjs.com: When was it created? How many downloads? Who's the publisher? New packages with few downloads are suspicious.

Check: Is package-lock.json committed? Lockfiles ensure consistent installs. Without them, you might get different (vulnerable) versions in production.

Transport Security

Check: Is the app served over HTTPS? AI development happens on localhost (HTTP). Verify your production deployment forces HTTPS. Check for HSTS headers.

Check: Is SSL/TLS verification enabled? Search for rejectUnauthorized: false or NODE_TLS_REJECT_UNAUTHORIZED = 0. These disable certificate validation—remove before production.

Check: Are security headers set? Content-Security-Policy, X-Frame-Options, X-Content-Type-Options. Use a middleware like helmet.js for Node.js.

Data Protection

Check: Is sensitive data logged? Search logs for patterns that might contain passwords, tokens, or PII. AI often adds verbose logging that captures everything.

Check: Are database backups encrypted? Check your database hosting configuration. Backups containing user data should be encrypted at rest.

Check: Is there a data retention policy? Do you really need to keep all that data forever? Less data stored = less data at risk.

Quick Scan Commands

Run these commands to quickly check for common issues:

Find hardcoded secrets:

grep -r 'api_key\|apiKey\|secret\|password' --include='*.js' --include='*.ts' | grep -v node_modules

Find SQL injection risks:

grep -r 'SELECT.*\$\|INSERT.*\$\|UPDATE.*\$' --include='*.js' --include='*.ts'

Find XSS risks:

grep -r 'dangerouslySetInnerHTML\|innerHTML\|v-html' --include='*.jsx' --include='*.tsx' --include='*.vue'

Check dependencies:

npm audit

The 5-Minute Security Check

If you only have 5 minutes, check these five things: 1) No hardcoded secrets in code, 2) npm audit shows no high/critical vulnerabilities, 3) All database queries use parameterized statements, 4) CORS isn't set to *, 5) HTTPS is enforced in production.

These five checks catch the majority of AI-generated vulnerabilities. If you pass these, you've addressed the most critical risks.

Conclusion

Vibe coding is powerful—you can build things faster than ever. But speed without security review is a recipe for breaches. This checklist isn't exhaustive, but it catches the vulnerabilities that AI most commonly introduces.

Make this checklist part of your deployment process. The 30 minutes you spend reviewing security could save you weeks of incident response. Ship fast, but ship secure.

Resources

• OWASP Web Security Testing Guide

• npm audit documentation - docs.npmjs.com/cli/audit

• Mozilla Observatory - observatory.mozilla.org