SlyDuck

Vibe Coding Security Checklist: 10 Things to Check Before You Ship

45% of AI-generated code has security vulnerabilities. Here's a plain-English checklist to catch the most common issues before they become your problem.

James Wolf

Founder @ SlyDuck

January 8, 2026

The Uncomfortable Truth

According to recent research:

  • 45% of AI-generated code contains security vulnerabilities
  • 40% of AI database queries are vulnerable to SQL injection
  • 7 in 10 developers have found vulnerabilities introduced by AI

This isn't AI being malicious. It's AI optimizing for "works" over "works securely." And when you're vibe coding—accepting suggestions, shipping fast—you're inheriting whatever security posture the AI decided on.

"The AI made it work" is not a security strategy. You're still responsible for what ships.

The 10-Point Checklist

1. Check for Hardcoded Secrets

What to look for:

  • API keys in your code
  • Database connection strings with passwords
  • JWT secrets in plain text
  • Anything that looks like sk-, pk_, or secret_

Where AI hides them:

  • Directly in component files
  • In example/demo code it generated
  • In environment variable examples that became real code

Quick check:

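# Search your codebase for common secret patterns (run from the project root)
# --include takes a glob, so the pattern must be "*.ts", not ".ts"
grep -rn "sk-" --include="*.ts" --include="*.tsx" --include="*.js" --exclude-dir=node_modules .
grep -rn "password" --include="*.ts" --include="*.tsx" --include="*.js" --exclude-dir=node_modules .
grep -rn "secret" --include="*.ts" --include="*.tsx" --include="*.js" --exclude-dir=node_modules .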

Fix: Move all secrets to environment variables. Never commit .env files.

---

2. Verify Row Level Security (RLS) Is On

The Lovable CVE-2025-48757 story: 170+ apps exposed because RLS was misconfigured. Users could read and write to other users' data.

What to check in Supabase:

  • Go to Database → Tables
  • For each table, check if RLS is enabled
  • For each table, verify policies exist AND make sense

Common AI mistakes:

  • Creating tables without RLS
  • Adding RLS but with policies that allow everything
  • Using USING (true) which defeats the purpose

The test: Can you access data you shouldn't? Try hitting your API as an unauthenticated user and see what comes back.
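
The three AI mistakes listed above can be checked mechanically from Postgres's own catalog views. This is an added example, not code from the original article or from Supabase; the table names and sample rows are constructed, and the input shape assumes rows exported from `pg_tables` and `pg_policies`.

```javascript
// Added example. Input rows mirror two Postgres catalog views:
//   SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
//   SELECT tablename, policyname, cmd, qual, with_check FROM pg_policies
//    WHERE schemaname = 'public';
// The sample rows below are constructed, not taken from a real project.
const tables = [
  { tablename: "profiles", rowsecurity: true },
  { tablename: "invoices", rowsecurity: true },
  { tablename: "notes", rowsecurity: true },
  { tablename: "audit_log", rowsecurity: false },
];
const policies = [
  { tablename: "profiles", policyname: "own_profile", cmd: "ALL",
    qual: "(auth.uid() = user_id)", with_check: "(auth.uid() = user_id)" },
  { tablename: "invoices", policyname: "allow_all", cmd: "SELECT",
    qual: "true", with_check: null },
];

// A policy expression that is literally true lets every caller through.
const isAlwaysTrue = (expr) =>
  typeof expr === "string" && /^\(*\s*true\s*\)*$/i.test(expr.trim());

function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables) {
    const own = policies.filter((p) => p.tablename === t.tablename);
    if (!t.rowsecurity) {
      findings.push({ table: t.tablename, issue: "RLS disabled" });
      continue;
    }
    if (own.length === 0) {
      // Default deny for roles that do not bypass RLS: safe, but usually unintended.
      findings.push({ table: t.tablename, issue: "RLS enabled but no policies" });
    }
    for (const p of own) {
      if (isAlwaysTrue(p.qual) || isAlwaysTrue(p.with_check)) {
        findings.push({ table: t.tablename, issue: `policy ${p.policyname} allows every row` });
      }
    }
  }
  return findings;
}

console.log(auditRls(tables, policies));
```

A clean report only means no policy is trivially open; whether a non-trivial policy "makes sense" still needs the unauthenticated-request test described above.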

---

3. Scan Your Dependencies

The reality: AI suggests packages. You install them. You have no idea if they're:

  • Still maintained
  • Free of known vulnerabilities
  • Actually necessary

Quick scan:

npm audit

# or

yarn audit

What the output means:

  • Critical/High: Stop and fix these now
  • Moderate: Fix this week
  • Low: Fix when convenient

Don't just run npm audit fix --force. That can break things. Review what it wants to change.

---

4. Check Authentication Flows

What AI often gets wrong:

  • JWT tokens that never expire
  • No rate limiting on login attempts
  • Password reset tokens that don't expire
  • Session tokens stored in localStorage (XSS vulnerable)

Questions to ask:

  • What happens if someone tries 1000 passwords?
  • What happens if someone intercepts a password reset link?
  • Where are session tokens stored?
  • How long do sessions last?

Minimum standard:

  • Rate limiting on auth endpoints
  • Short-lived tokens with refresh mechanism
  • httpOnly cookies for session storage (not localStorage)
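
A minimal version of that standard, as an added example that is not from the original article or from any framework: a sliding-window limiter on failed logins and a session cookie that page scripts cannot read. The limits, the key format and all function names are assumptions, and the in-memory map only works for a single server process.

```javascript
// Added example: names and limits are illustrative, not from any framework.
const MAX_ATTEMPTS = 5;            // failed logins allowed per window
const WINDOW_MS = 15 * 60 * 1000;  // 15 minutes
const SESSION_TTL_S = 15 * 60;     // short-lived session; renew via a refresh flow

// key (for example "ip|email") -> timestamps of recent failures
const failures = new Map();

function recentFailures(key, now) {
  return (failures.get(key) || []).filter((t) => now - t < WINDOW_MS);
}

function isLockedOut(key, now = Date.now()) {
  const recent = recentFailures(key, now);
  failures.set(key, recent); // drop expired entries as we go
  return recent.length >= MAX_ATTEMPTS;
}

function recordFailure(key, now = Date.now()) {
  failures.set(key, [...recentFailures(key, now), now]);
}

function clearFailures(key) { failures.delete(key); } // call on successful login

// Set-Cookie value: HttpOnly hides it from page scripts, Secure keeps it on HTTPS.
function sessionCookie(token) {
  return [
    `session=${encodeURIComponent(token)}`,
    "HttpOnly", "Secure", "SameSite=Lax", "Path=/",
    `Max-Age=${SESSION_TTL_S}`,
  ].join("; ");
}

// Answers "what happens if someone tries 1000 passwords?" for this limiter:
// returns how many guesses actually reached the password check.
function simulateGuessing(key, guesses, start = 0) {
  let reachedPasswordCheck = 0;
  for (let i = 0; i < guesses; i++) {
    const now = start + i * 1000;        // one guess per second
    if (isLockedOut(key, now)) continue; // real handler: respond 429 here
    reachedPasswordCheck++;
    recordFailure(key, now);
  }
  return reachedPasswordCheck;
}

console.log(simulateGuessing("203.0.113.7|demo@example.com", 1000));
console.log(sessionCookie("constructed-token"));
```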

---

5. Validate All User Input

The classic vulnerabilities:

  • SQL Injection: User input goes directly into database queries
  • XSS (Cross-Site Scripting): User input renders as HTML/JavaScript
  • Command Injection: User input becomes shell commands

What AI does wrong:

AI often takes the "happy path"—assuming all input is benign. It doesn't naturally think "what if someone enters in this form field?"

Quick checks:

  • Are you using parameterized queries? (Not string concatenation)
  • Are you escaping HTML output?
  • Are you validating input types and lengths?
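
The three quick checks side by side, as an added example that is not from the original article: the function names and the hostile inputs are constructed, and the `{ text, values }` shape is the query form node-postgres accepts.

```javascript
// Added example; function names are illustrative.

// Vulnerable pattern: input is spliced into the SQL text itself.
function findUserUnsafe(email) {
  return { text: `SELECT id FROM users WHERE email = '${email}'`, values: [] };
}

// Parameterized form: SQL text is constant, input travels separately as data.
function findUserSafe(email) {
  return { text: "SELECT id FROM users WHERE email = $1", values: [email] };
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate type and length before the value reaches a query or a template.
function validateEmail(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  if (input.length === 0 || input.length > 254) return { ok: false, reason: "bad length" };
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input)) return { ok: false, reason: "bad format" };
  return { ok: true, value: input };
}

// Constructed hostile inputs.
const sqlInput = "x' OR '1'='1";
const htmlInput = '<img src=x onerror="alert(1)">';

console.log(findUserUnsafe(sqlInput).text); // the quote in the input closes the string literal
console.log(findUserSafe(sqlInput));        // text unchanged, input stays a value
console.log(escapeHtml(htmlInput));         // rendered as text, not as a tag
console.log(validateEmail(sqlInput));       // rejected before it gets anywhere
```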

---

6. Review API Endpoint Authorization

The question: For every API endpoint, who should be able to call it?

Common AI mistakes:

  • Public endpoints that should require auth
  • User endpoints that don't verify ownership
  • Admin endpoints with no admin check

Test methodology:

  • List all your API routes
  • For each: What's the intended access level?
  • Test: Can you actually call it without proper auth?
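
The test methodology above, written as an access table plus an expected-result matrix. This is an added example, not code from the original article; the routes, roles and resource shape are hypothetical, and it also covers the unprotected admin and debug routes discussed in item 10.

```javascript
// Added example: routes, roles and the resource shape are hypothetical.
const ACCESS = {
  "GET /api/health": { level: "public" },
  "GET /api/projects/:id": { level: "owner" },
  "DELETE /api/projects/:id": { level: "owner" },
  "GET /api/admin/users": { level: "admin" },
};

// Returns the HTTP status the endpoint should answer with.
// user: null when unauthenticated, otherwise { id, role }.
// resource: the row being accessed (with ownerId) for owner-level routes.
function authorize(route, user, resource) {
  const rule = ACCESS[route];
  if (!rule) return 403;                  // unlisted route: deny by default
  if (rule.level === "public") return 200;
  if (!user) return 401;                  // everything else needs a session
  if (rule.level === "admin") return user.role === "admin" ? 200 : 403;
  if (rule.level === "owner") {
    // 404 for someone else's row, so callers cannot probe which ids exist
    return resource && resource.ownerId === user.id ? 200 : 404;
  }
  return 403;
}

// Returns the cases whose actual status differs from the intended one.
function checkMatrix(cases) {
  return cases.filter((c) => authorize(c.route, c.user, c.resource) !== c.expect);
}

// Constructed users and data.
const alice = { id: "u1", role: "user" };
const admin = { id: "u9", role: "admin" };
const alicesProject = { id: "p1", ownerId: "u1" };
const bobsProject = { id: "p2", ownerId: "u2" };
const cases = [
  { route: "GET /api/health", user: null, expect: 200 },
  { route: "GET /api/projects/:id", user: null, resource: bobsProject, expect: 401 },
  { route: "GET /api/projects/:id", user: alice, resource: alicesProject, expect: 200 },
  { route: "DELETE /api/projects/:id", user: alice, resource: bobsProject, expect: 404 },
  { route: "GET /api/admin/users", user: alice, expect: 403 },
  { route: "GET /api/admin/users", user: admin, expect: 200 },
  { route: "POST /api/debug/reset", user: admin, expect: 403 },
];

console.log(checkMatrix(cases)); // empty array when behaviour matches intent
```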

---

7. Check Error Messages

The problem: Detailed error messages help attackers understand your system.

Bad:

Error: Invalid password for user john@example.com

Good:

Error: Invalid credentials

What to look for:

  • Database errors exposed to users
  • Stack traces in production
  • Specific failure reasons (user exists, password wrong, etc.)

Fix: Catch errors at the API level. Return generic messages to users. Log details server-side.

---

8. Verify HTTPS Everywhere

Seems obvious, but:

  • Is your production site actually on HTTPS?
  • Are API calls using HTTPS?
  • Do HTTP requests redirect to HTTPS?
  • Is HSTS enabled?

Check your SSL certificate:

  • When does it expire?
  • Is it actually trusted? (Test in incognito mode)

---

9. Review Third-Party Integrations

For each external service your AI integrated:

  • What permissions did it request?
  • What data are you sending to it?
  • Is the connection secured?
  • What happens if that service goes down?

Common issues:

  • OAuth scopes that are too broad
  • Sending user data to analytics without consent
  • No fallback when external services fail

---

10. Check for Exposed Admin Functionality

The pattern: AI creates an admin panel. It works. But is it protected?

Things to look for:

  • /admin routes with no auth check
  • Debug endpoints left in production
  • Database seed/reset routes still active
  • API keys visible in network requests

Test: Can you access admin functionality as a regular user? As an unauthenticated user?

---

The Post-Checklist Process

If You Find Issues

  • Don't panic. Most issues can be fixed quickly.
  • Prioritize. Fix anything affecting production data first.
  • Document. Note what was wrong and how you fixed it.
  • Learn. What can you check for next time?

Going Forward

  • Before each deploy: Quick scan of new code for secrets
  • Weekly: Run npm audit
  • Monthly: Review RLS policies and auth flows
  • Ongoing: Automated dependency scanning

The Reality Check

You can't catch everything manually. The checklist above covers the common issues, but:

  • New vulnerabilities are discovered daily
  • Your dependencies change
  • The codebase grows

Automated scanning catches what manual review misses. It's not about being paranoid—it's about being realistic about what one person can track.

---

SlyDuck scans your dependencies daily and alerts you to security issues. Start scanning—because AI code is still your responsibility.
