Security checklist for vibe coders
Last updated: March 16, 2026 · Written by the RepoVault Security Team
A security checklist for vibe coders is a practical, ordered list of security checks that developers using AI coding assistants should run before shipping their applications to production. Vibe coding — building apps with tools like Cursor, Bolt, Lovable, and v0 — prioritizes speed over security, which means vulnerabilities are shipped alongside working features. This checklist covers the 15 most critical items.
According to a Stanford University study, developers using AI coding assistants produced significantly less secure code compared to those coding manually. A Snyk report found 92% of applications contain at least one open-source vulnerability.
The checklist
Copy this checklist and check off each item before every production deployment.
1. Remove hardcoded API keys from frontend code
Risk: Anyone can open DevTools and steal your API keys. GitGuardian reports over 12.8 million secrets leaked on GitHub in 2023 — a 28% increase year-over-year.
Fix: Move all secrets to environment variables. Use NEXT_PUBLIC_ prefix only for values safe to expose. Everything else goes server-side.
2. Enable Row Level Security (RLS) on all Supabase tables
Risk: Without RLS, any authenticated user can query every row in your database. This is the #1 Supabase misconfiguration.
Fix: Enable RLS on every table. Write policies for SELECT, INSERT, UPDATE, and DELETE operations. Test by querying as a non-owner user.
3. Add rate limiting to all API routes
Risk: Without rate limits, a single script can drain your API credits, spam your database, or take your app offline. The OWASP API Security Top 10 lists unrestricted resource consumption as a critical risk.
Fix: Add rate limiting middleware to every API endpoint. Use sliding-window or token-bucket algorithms. Limit by IP and by authenticated user.
4. Validate and sanitize all user inputs
Risk: Unsanitized input is the root cause of SQL injection, XSS, and command injection — three of the OWASP Top 10 vulnerabilities. SQL injection alone is responsible for over 33% of web application attacks.
Fix: Use parameterized queries for all database operations. Validate input types and lengths. Escape output when rendering user-generated content.
5. Add CSRF protection to all forms
Risk: Without CSRF tokens, attackers can forge requests from other websites using your users' session cookies.
Fix: Use your framework's built-in CSRF protection. In Next.js, use API routes with proper origin checking or SameSite cookie attributes.
6. Set security headers on all responses
Risk: Missing headers leave your app vulnerable to clickjacking, XSS, MIME sniffing, and protocol downgrade attacks. According to Scott Helme's analysis, fewer than 15% of the top 1 million sites use Content-Security-Policy.
Fix: Add these headers: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
7. Audit your npm dependencies
Risk: Your app depends on hundreds of packages you didn't write. Snyk's 2024 report found 92% of applications contain at least one open-source vulnerability.
Fix: Run npm audit weekly. Update critical and high-severity vulnerabilities immediately. Use Dependabot or Renovate for automated updates.
8. Secure JWT implementation
Risk: Common JWT mistakes include storing tokens in localStorage (vulnerable to XSS), using weak signing algorithms, and not setting expiration times.
Fix: Store JWTs in httpOnly cookies. Use RS256 or EdDSA algorithms. Set short expiration times (15 minutes for access tokens). Implement refresh token rotation.
9. Remove .env files from git history
Risk: Even if .env is in .gitignore now, it may exist in older commits. Tools like truffleHog and GitLeaks find these in seconds if your repo goes public.
Fix: Use git filter-branch or BFG Repo-Cleaner to remove secrets from history. Rotate any credentials that were ever committed.
10. Validate Stripe webhook signatures
Risk: Without webhook signature verification, attackers can send fake payment events to your endpoint, triggering unauthorized account upgrades or credits.
Fix: Always verify the stripe-signature header using your webhook secret. Reject events that fail verification.
11. Implement proper error handling (don't leak stack traces)
Risk: Detailed error messages in production reveal your tech stack, file paths, and database structure to attackers.
Fix: Return generic error messages in production. Log detailed errors server-side only. Never expose database errors or stack traces to the client.
12. Use HTTPS everywhere
Risk: HTTP traffic can be intercepted and modified. Session cookies sent over HTTP can be stolen via man-in-the-middle attacks.
Fix: Force HTTPS redirects. Set the Strict-Transport-Security header. Mark all cookies as Secure. Vercel and Netlify handle this automatically for deployed apps.
13. Protect admin routes and dashboards
Risk: Unprotected admin endpoints let anyone access sensitive data and controls. Broken access control is the #1 OWASP Top 10 vulnerability.
Fix: Implement role-based access control. Verify permissions on every admin API route, not just the frontend. Use middleware to check authentication status before rendering admin pages.
14. Disable Supabase service role key in frontend
Risk: The service role key bypasses all RLS policies. If exposed in frontend code, anyone can read, write, and delete all data in your database.
Fix: Only use the service role key in server-side code (API routes, server components). Use the anon key for client-side Supabase operations.
15. Run an automated security scan
Risk: Manual review misses vulnerabilities. You don't know what you don't know — especially when AI generated most of the code.
Fix: Use RepoVault to scan your repository in 60 seconds. Get a security score, letter grade, and plain-English fix suggestions. No security expertise required.
Quick-copy version
[ ] 1. Remove hardcoded API keys from frontend [ ] 2. Enable RLS on all Supabase tables [ ] 3. Add rate limiting to API routes [ ] 4. Validate and sanitize all inputs [ ] 5. Add CSRF protection to forms [ ] 6. Set security headers [ ] 7. Audit npm dependencies [ ] 8. Secure JWT implementation [ ] 9. Remove .env from git history [ ] 10. Validate Stripe webhook signatures [ ] 11. Don't leak stack traces in errors [ ] 12. Use HTTPS everywhere [ ] 13. Protect admin routes [ ] 14. Keep service role key server-side [ ] 15. Run automated security scan
Frequently asked questions
What is a vibe coder?
A vibe coder is someone who builds software using AI coding assistants like Cursor, Bolt, Lovable, v0, or GitHub Copilot. Vibe coders may not have a traditional programming background — they describe what they want in natural language and let AI generate the code. The term was coined by Andrej Karpathy in early 2025.
Why do vibe-coded apps have more security vulnerabilities?
AI coding assistants prioritize functional code over secure code. They generate code that works but may include hardcoded secrets, missing input validation, disabled security features, and insecure defaults. A Stanford study found developers using AI assistants produced less secure code while believing it was more secure.
What is the most common security mistake in AI-generated code?
Exposed API keys and secrets are the most common security issue. AI assistants often hardcode API keys directly into frontend files for simplicity. GitGuardian found over 12.8 million secrets leaked on GitHub in 2023.
How can I secure my vibe-coded app without learning security?
Use an automated security scanner like RepoVault that explains vulnerabilities in plain English and provides one-click fix suggestions. You don't need security expertise — just paste your GitHub repo URL and get a scored report in 60 seconds.
Do I need to hire a security expert for my startup?
Not necessarily at the early stage. Automated security scanning catches the most common and critical vulnerabilities. Tools like RepoVault handle 80-90% of security issues. Consider a professional security audit once you have significant user data or revenue.