Security | January 5, 2026 | 10 min read

Vibe Coding Security Checklist: Secure Your AI-Built App

Built something with AI? Whether you used Bolt.new, Lovable, v0.dev, Replit, or Cursor, this checklist will help you ship securely. Print it out, check each item, and launch with confidence.

What is "Vibe Coding"?

Vibe coding is building apps by describing what you want to AI tools like Bolt.new, Lovable, v0, or Cursor. The AI generates the code, you tweak it until it "vibes" right. It's fast and powerful—but the AI doesn't prioritize security.

1. Secrets & API Keys

No API keys hardcoded in frontend JavaScript
OpenAI/Anthropic keys are server-side only
Stripe keys use correct publishable vs secret key
Database credentials not in client code
.env files are in .gitignore
No secrets in version control history
Environment variables set in hosting dashboard

AI Often Gets This Wrong

When you tell AI to "add OpenAI integration," it often puts the API key in client-side code. Always move it to an API route.

2. Database Security

Row Level Security enabled on ALL tables (Supabase)
Security rules configured (Firebase)
Policies use auth.uid() or request.auth
No tables with allow-all access
Service key not in frontend code
Tested as unauthenticated user
Tested as wrong authenticated user

3. Authentication

Email verification enabled
Password minimum length set (8+ characters)
Rate limiting on login attempts
Secure password reset flow
Session tokens are HttpOnly cookies
OAuth redirect URLs restricted to your domains
No auth bypass vulnerabilities
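Two of the items above, rate limiting on login attempts and HttpOnly session cookies, are easy to get wrong in generated code. The block below is an added example, not code from the original checklist or any of the platforms it names; the thresholds (5 failures per 15 minutes), the per-account and per-IP keys, and the cookie lifetime are assumptions for illustration, and the password check is injected so the logic runs without a database.

```javascript
// Added example, not from the original checklist: a failed-login rate limiter
// keyed per account and per client IP, plus a session cookie carrying the
// attributes the checklist asks for. Thresholds are assumptions, not platform defaults.

class LoginRateLimiter {
  // now() is injectable so the behaviour can be tested without waiting.
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;
    this.failures = new Map(); // key -> timestamps of recent failed attempts
  }

  // Drop failures older than the window and return the ones still counting.
  recent(key) {
    const t = this.now();
    const hits = (this.failures.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (hits.length) this.failures.set(key, hits); else this.failures.delete(key);
    return hits;
  }

  // Call before verifying the password; blocked keys get a retry-after hint.
  check(key) {
    const hits = this.recent(key);
    if (hits.length >= this.maxFailures) {
      return { allowed: false, retryAfterMs: hits[0] + this.windowMs - this.now() };
    }
    return { allowed: true, remaining: this.maxFailures - hits.length };
  }

  recordFailure(key) {
    const hits = this.recent(key);
    hits.push(this.now());
    this.failures.set(key, hits);
  }

  reset(key) {
    this.failures.delete(key);
  }
}

// One key per account (stops guessing one user's password) and one per IP
// (stops a single client spraying many accounts). verify(email, password)
// is whatever your auth provider exposes; it is injected here.
function attemptLogin({ limiter, ip, email, password, verify }) {
  const keys = [`acct:${email.toLowerCase()}`, `ip:${ip}`];
  for (const k of keys) {
    const r = limiter.check(k);
    if (!r.allowed) return { ok: false, status: 429, retryAfterMs: r.retryAfterMs };
  }
  if (!verify(email, password)) {
    keys.forEach((k) => limiter.recordFailure(k));
    return { ok: false, status: 401 };
  }
  limiter.reset(keys[0]); // a successful login clears the account counter, not the IP counter
  return { ok: true, status: 200 };
}

// Set-Cookie value for the session: HttpOnly keeps it away from script (XSS),
// Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending.
function sessionCookie(token, { maxAgeSeconds = 60 * 60 * 24 * 7, secure = true } = {}) {
  const parts = [
    `session=${encodeURIComponent(token)}`,
    "Path=/",
    "HttpOnly",
    "SameSite=Lax",
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) parts.push("Secure"); // only drop Secure for local http:// development
  return parts.join("; ");
}

module.exports = { LoginRateLimiter, attemptLogin, sessionCookie };
```

In a real deployment the Map needs to live somewhere shared (Redis, or your platform's rate-limit feature) because serverless functions do not keep memory between invocations; the logic stays the same. Return the same 401 body for "unknown user" and "wrong password" so the limiter is the only thing that changes behaviour.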

4. Security Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY or SAMEORIGIN
Strict-Transport-Security (HSTS) enabled
Referrer-Policy configured
Content-Security-Policy (if applicable)
Source maps disabled in production

// next.config.js - add these headers
module.exports = {
  headers: async () => [
    {
      // Apply to every route
      source: '/:path*',
      headers: [
        // Refuse to be framed by other sites (clickjacking)
        { key: 'X-Frame-Options', value: 'DENY' },
        // Stop browsers from guessing a different content type
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        // One year of HSTS; add includeSubDomains once every subdomain is HTTPS
        { key: 'Strict-Transport-Security', value: 'max-age=31536000' },
      ],
    },
  ],
};

5. Input & Data Handling

All user input validated server-side
No SQL injection vulnerabilities
No XSS (cross-site scripting) vulnerabilities
File uploads validated (type, size)
No dangerouslySetInnerHTML with user data
URLs validated before redirect

6. Deployment

HTTPS enforced (no HTTP)
Production environment variables set
Debug mode disabled
Error messages don't leak sensitive info
No .env files deployed
Dependencies up to date (npm audit)
Automated security scanning in CI/CD

Quick Reference by Platform

Supabase Apps

  • Enable RLS on all tables
  • Write policies with auth.uid()
  • Anon key OK in frontend
  • Service key = server only

Firebase Apps

  • Write security rules
  • Use request.auth
  • API key OK in frontend
  • Service account = server only

Vercel/Next.js

  • Secrets in Vercel dashboard
  • Use API routes for secrets
  • Add security headers
  • Disable source maps

Replit

  • Use Secrets tool
  • Make Repl private if needed
  • Check version history
  • Use Deployments for prod

Automate Your Security Checks

VAS automatically checks most items on this list. Get a comprehensive security report with copy-paste fixes in minutes.
