Is your vibe-coded app secure? A 5-minute checklist
AI writes code fast — and ships vulnerabilities just as fast. Run this checklist before you put real users (and their data) at risk.
Most AI-built apps ship with at least one real security hole. Here are the five that matter most — and how to check each in minutes.
Exposed secrets
Search your repo and client bundle for API keys, tokens, and database URLs. Anything in client-side code or committed to git is already public.
Missing authorization checks
AI often authenticates but forgets to authorize. Confirm that one user can't read or edit another user's data by changing an ID in the URL.
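The check described above, as an added example that is not part of the original article: an in-memory JavaScript model of a handler that only authenticates, next to one that also checks ownership, plus a regression test that requests every record as every other user. The notes store, the user names and all function names are hypothetical.

```javascript
// Constructed sample data: two users, each owning one note.
const notes = new Map([
  [101, { id: 101, ownerId: "alice", text: "alice's private note" }],
  [102, { id: 102, ownerId: "bob", text: "bob's private note" }],
]);

// Vulnerable pattern: the handler authenticates (a session exists)
// but never checks that the record belongs to the caller.
function getNoteInsecure(session, noteId) {
  if (!session || !session.userId) return { status: 401 };
  const note = notes.get(Number(noteId));
  if (!note) return { status: 404 };
  return { status: 200, body: note };
}

// Hardened pattern: the lookup is scoped to the caller's own records.
// A note owned by someone else is indistinguishable from a missing one.
function getNoteSecure(session, noteId) {
  if (!session || !session.userId) return { status: 401 };
  const note = notes.get(Number(noteId));
  if (!note || note.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: note };
}

// The check as a regression test: for every record, request it as
// every *other* user and collect any request that succeeds.
function findCrossUserReads(handler) {
  const leaks = [];
  const users = [...new Set([...notes.values()].map((n) => n.ownerId))];
  for (const note of notes.values()) {
    for (const userId of users) {
      if (userId === note.ownerId) continue;
      const res = handler({ userId }, note.id);
      if (res.status === 200) leaks.push({ as: userId, noteId: note.id });
    }
  }
  return leaks;
}

console.log("insecure handler leaks:", findCrossUserReads(getNoteInsecure));
console.log("secure handler leaks:", findCrossUserReads(getNoteSecure));
```

The same ownership condition belongs on update and delete handlers, since the paragraph covers editing as well as reading.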
- Secrets out of client code and git history
- Row-level authorization on every record
- Input validation on every endpoint
- Rate limiting on auth and write routes
- Dependencies updated and scanned
If any of these is uncertain, get a security audit before launch — not after a breach.