The Vibe Coding Security Checklist: 15 Things to Fix Before You Ship

You've built something amazing with Cursor, Lovable, Bolt, or Replit. The demo works. Users are excited. But before you ship to production, there's a critical step most vibe coders skip: security.

AI-generated code is notorious for cutting corners on security. In our audits, we've found that 45% of AI-generated code contains at least one OWASP Top 10 vulnerability. Here's what to check before you launch.

1. Environment Variables and API Keys

The problem: AI tools often hardcode API keys directly in the codebase or client-side code.

What to check:

• Search your codebase for strings like sk_, api_key, secret, password
• Ensure all sensitive values are in .env files
• Verify .env is in your .gitignore
• Check that client-side code only uses NEXT_PUBLIC_ prefixed variables

# Quick check for exposed secrets
grep -r "sk_" --include="*.ts" --include="*.tsx" .
grep -r "api_key" --include="*.ts" --include="*.tsx" .

2. Supabase Row Level Security (RLS)

The problem: AI tools often create Supabase tables without enabling RLS, meaning anyone can read or modify any data.

What to check:

• Every table should have RLS enabled
• Policies should be defined for SELECT, INSERT, UPDATE, DELETE
• Test policies by trying to access data as different user roles

-- Check if RLS is enabled
SELECT tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public';

RLS misconfiguration is the single most common vulnerability in AI-built apps. If you're using Lovable specifically, we've documented the 5 security mistakes we find in every Lovable app.

3. Authentication Checks on API Routes

The problem: API routes often skip authentication, allowing unauthenticated users to access protected data.

What to check:

• Every API route that accesses user data should verify the session
• Use middleware for consistent auth checks
• Return 401 for unauthenticated requests, not 200 with empty data

// Good pattern for Next.js API routes
export async function GET(request: Request) {
  const session = await getServerSession();
  if (!session) {
    return new Response("Unauthorized", { status: 401 });
  }
  // ... rest of handler
}

4. Input Validation

The problem: AI-generated code often trusts user input implicitly, leading to injection attacks and crashes.

What to check:

• Validate all form inputs with Zod or similar
• Sanitise strings before displaying (prevent XSS)
• Validate types on API endpoints, not just the client

// Always validate on the server
const schema = z.object({
  email: z.string().email(),
  name: z.string().min(2).max(100),
});

const result = schema.safeParse(body);
if (!result.success) {
  return new Response("Invalid input", { status: 400 });
}

5. Rate Limiting

The problem: Without rate limiting, your API is vulnerable to abuse, spam, and denial of service.

What to check:

• Contact forms should be rate limited
• Authentication endpoints need aggressive rate limiting
• Consider rate limiting by IP and by user

6. CORS Configuration

The problem: AI tools often set CORS to allow all origins, meaning any website can make requests to your API.

What to check:

• Only allow your own domains
• Don't use Access-Control-Allow-Origin: * in production
• Be specific about allowed methods and headers

7. SQL Injection Protection

The problem: Raw SQL queries with string concatenation are injection goldmines.

What to check:

• Use parameterised queries or an ORM
• Never concatenate user input into SQL strings
• Supabase client handles this, but raw queries don't

// Bad
const query = `SELECT * FROM users WHERE id = '${userId}'`;

// Good
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('id', userId);

8. Error Message Exposure

The problem: Detailed error messages help attackers understand your system.

What to check:

• Don't expose stack traces to users
• Log detailed errors server-side, return generic messages client-side
• Never expose database structure or query details

9. Password Handling

The problem: AI sometimes implements custom password handling instead of using auth providers.

What to check:

• Use Supabase Auth, NextAuth, Clerk, or similar—never roll your own
• Ensure passwords aren't logged anywhere
• Implement password strength requirements

10. File Upload Security

The problem: Unrestricted file uploads can lead to malware hosting and storage abuse.

What to check:

• Validate file types (check MIME type, not just extension)
• Set maximum file sizes
• Scan uploads for malware if accepting executables
• Store files in separate storage, not your web server

11. Session Management

The problem: AI tools sometimes implement insecure session handling.

What to check:

• Sessions should have reasonable expiry times
• Use HTTP-only cookies for session tokens
• Implement proper logout (invalidate session server-side)
• Regenerate session IDs on login

12. HTTPS Everywhere

The problem: Mixed content or HTTP-only endpoints expose data in transit.

What to check:

• Ensure your production URL uses HTTPS
• Check for hardcoded HTTP URLs in your code
• Verify cookies have the Secure flag

13. Dependency Vulnerabilities

The problem: AI tools don't always use the latest, most secure package versions.

What to check:

• Run npm audit or yarn audit
• Update packages with known vulnerabilities
• Remove unused dependencies

npm audit
npm audit fix

14. Admin Routes Protection

The problem: Admin dashboards often lack proper authorization checks.

What to check:

• Admin routes should check for admin role, not just authentication
• Implement middleware to protect admin route groups
• Log admin actions for audit trail

15. Data Backup and Recovery

The problem: Without backups, a bug or attack could mean losing everything.

What to check:

• Enable automatic backups on your database
• Test restore procedures before you need them
• Consider point-in-time recovery for critical data

---

Next Steps

Found issues? Don't panic. Most of these fixes are straightforward once you know what to look for. Security is one piece of the puzzle — for everything else, check our full production readiness checklist.

But if you'd rather have experts handle it, that's literally what we do.

Book a free discovery call and we'll audit your app live, show you exactly what needs fixing, and give you a clear path to a secure launch—whether you work with us or not.