How to Secure Your Windsurf App
Windsurf (by Codeium) is an AI IDE that generates full applications. Like other AI coding tools, the generated code prioritizes functionality over security. This guide covers how to audit and harden your Windsurf-generated application against the most common vulnerabilities.
Find security issues automatically before attackers do.
Follow These Steps
Audit generated code for exposed secrets
Search your entire project for hardcoded API keys, passwords, and connection strings. Windsurf may embed these directly in source files during development.
# Find potential secrets
grep -rn "apiKey\|api_key\|secret\|password\|token" src/ --include="*.ts" --include="*.js" --include="*.env"
# Check for common key patterns
grep -rn "sk-\|pk_live\|sk_live\|ghp_\|glpat-" src/Check both frontend and backend directories. AI tools sometimes place backend secrets in shared config files accessible from the frontend.
Configure environment variables properly
Move all secrets to environment variables. Set up .env files for local development and use your hosting platform secrets management for production.
# .env.local (never commit this)
DATABASE_URL=postgresql://user:pass@host:5432/db
API_SECRET_KEY=your-secret-here
# Access in code (Next.js)
// Server-side only (no NEXT_PUBLIC_ prefix)
const dbUrl = process.env.DATABASE_URL
// Client-safe (NEXT_PUBLIC_ prefix)
const apiUrl = process.env.NEXT_PUBLIC_API_URLAdd authentication with a proven library
Replace any AI-generated custom auth with a battle-tested library. Custom auth is the number one source of security vulnerabilities.
// Using Auth.js (NextAuth) v5
import { auth } from '@/auth'
export default async function ProtectedPage() {
const session = await auth()
if (!session) redirect('/login')
return <div>Welcome {session.user.name}</div>
}Validate all inputs on the server
Every API endpoint must validate incoming data. Use a schema validation library to ensure data matches expected formats.
import { z } from 'zod'
const UserInput = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).trim(),
age: z.number().int().min(0).max(150).optional()
})
// In your API route
const validated = UserInput.parse(await req.json())Secure your database layer
Ensure all database interactions use parameterized queries. If using an ORM, verify it is configured with proper access controls.
// Using Prisma - safe by default
const user = await prisma.user.findUnique({
where: { email: validatedEmail }
})
// Using raw SQL - must parameterize
const result = await prisma.$queryRaw`
SELECT * FROM users WHERE email = ${validatedEmail}
`Configure security headers
Add HTTP security headers to every response. This protects against XSS, clickjacking, and other browser-level attacks.
// next.config.js
module.exports = {
async headers() {
return [{
source: '/(.*)',
headers: [
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-XSS-Protection', value: '0' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' }
]
}]
}
}Implement CORS properly
If your app has an API, configure CORS to only allow requests from your own domain. AI-generated code often uses wildcard CORS.
// Replace wildcard CORS
// BAD
app.use(cors({ origin: '*' }))
// GOOD
app.use(cors({
origin: ['https://yourdomain.com'],
methods: ['GET', 'POST', 'PUT', 'DELETE'],
credentials: true
}))Scan your deployed app
Deploy your secured application and run a VAS scan to verify all fixes are in place and catch anything you might have missed.
Test in a staging environment first, then scan production after deploying the security fixes.
What You'll Achieve
Your Windsurf application now has proper secret management, server-side input validation, a proven authentication library, parameterized database queries, security headers, and correct CORS configuration. The most common AI-generated security gaps are closed.
Common Mistakes to Avoid
Mistake
Using CORS with origin: * in production
Fix
Restrict CORS origin to your actual domain. Wildcard CORS allows any website to make requests to your API.
Mistake
Prefixing secrets with NEXT_PUBLIC_
Fix
Only prefix environment variables with NEXT_PUBLIC_ if they are truly safe for the browser. Database URLs, API secrets, and tokens must never have this prefix.
Mistake
Relying on AI-generated custom authentication
Fix
Replace custom auth with a proven library like Auth.js, Clerk, or Lucia. Custom auth almost always has vulnerabilities.
Mistake
Skipping server-side validation because the form has client validation
Fix
Client-side validation is for UX only. Attackers bypass it trivially. Always validate on the server.
Frequently Asked Questions
Does Windsurf generate secure code?
Windsurf generates functional code but does not automatically apply security best practices. You need to review and harden the generated code, especially around authentication, input validation, and secret management.
How do I tell Windsurf to write more secure code?
Be explicit about security in your prompts. Ask for parameterized queries, Zod validation, environment variables for secrets, and established auth libraries. Create project rules that enforce security patterns.
What are the biggest security risks in AI-generated code?
Hardcoded API keys, missing input validation, SQL injection via string concatenation, overly permissive CORS, and custom authentication implementations are the most common vulnerabilities.
Ready to Secure Your App?
VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.
Start Security Scan