AI Production Systems
Vibe Coding Security Checklist: 10 Things to Fix Before You Deploy
Built something with Lovable, Bolt, or Cursor? These tools are brilliant for speed, but they skip security by default. Here are 10 things to fix before your vibe-coded app goes live.


Curated by Matt Perry
CTO
Vibe coding tools like Lovable, Bolt, Cursor, and v0 have changed the game. You can go from idea to working prototype in hours. That speed is genuinely exciting.
But there is a problem. These tools are optimised for building, not for securing. They generate code that works, looks good, and demos well. What they do not do is think about what happens when real users start poking at your application.
Before you deploy anything built with vibe coding tools to production, you need to run through this checklist. These are not theoretical risks. They are the exact issues we find when auditing vibe-coded applications for clients.
The Vibe Coding Security Checklist
1. Authentication and Session Management
This is the most common issue we see. AI-generated code often includes hardcoded tokens, default credentials, or weak session handling.
Check for:
- Hardcoded API tokens or passwords anywhere in your codebase
- Sessions that never expire
- Authentication logic that lives entirely on the client side
- Missing password hashing
- No throttling or lockout after repeated failed login attempts
Regenerate the session ID on login so that a session an attacker planted before login cannot be reused, and give every session an expiry. Hash passwords with a slow, salted algorithm such as bcrypt or argon2id; a plain SHA-256 is not enough. Every authentication and authorisation check must happen on the server: a hidden button or a client-side route guard is not a control.
2. API Keys and Secrets
When you prompt Cursor or Bolt to connect to a third-party service, the generated code often drops API keys directly into client-side JavaScript.
- Search your entire codebase for API keys, tokens, and connection strings
- Make sure nothing sensitive appears in files shipped to the browser
- Move all secrets to environment variables that are read only on the server. Variables prefixed NEXT_PUBLIC_ (Next.js) or VITE_ (Vite) are inlined into the browser bundle, so a secret placed there is still public
- Check your git history for accidentally committed secrets. A secret that has ever been committed should be treated as exposed and rotated, not just deleted from the current tree
- Add a .gitignore entry for .env files
3. Input Validation and Sanitisation
AI-generated code is remarkably trusting. It tends to accept whatever input users provide without checking whether it is safe.
- Are all form inputs validated on the server, not just the client?
- Are database queries parameterised?
- Is user-generated content sanitised before being rendered in HTML?
- Are file paths constructed safely?
Use parameterised queries for all database access; never build SQL with string concatenation or template literals. Escape user content when rendering it into HTML (most template engines do this by default, so look for generated code that opts out, for example with dangerouslySetInnerHTML), and if you genuinely must render user-supplied HTML, sanitise it with a library like DOMPurify. Client-side checks are for user experience only: never trust anything from the browser.
4. CORS Configuration
Vibe coding tools almost always set CORS to *, which lets any website read responses from your unauthenticated endpoints. The more dangerous generated variant reflects whatever Origin header arrives and adds Access-Control-Allow-Credentials: true, which lets any site make requests with a logged-in user's cookies and read the results.
- Check your CORS headers. If you see Access-Control-Allow-Origin: *, or the header echoing back arbitrary origins, fix it
- Restrict allowed origins to your actual frontend domain
- Be specific about which HTTP methods and headers you allow
CORS only governs what browsers let other sites read; it does nothing against a direct request from curl or a script, so it is not a substitute for authentication on the endpoint.
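The weak setting beside the corrected one, as an added example that is not from the article. The two hostnames in the allowlist are assumptions; the point is that the Origin header is matched exactly (scheme, host and port) and echoed back only when it matches.

```javascript
// Added example (not from the article): an origin allowlist in place of "*".
// Replace the hostnames with your real frontend origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://www.example.com',
]);

// The generated anti-pattern: reflect whatever Origin arrives and allow credentials.
// Any site can then call the API with the victim's cookies and read the response.
function reflectingCors(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: exact-match the Origin against the allowlist. Returns the headers to set,
// or null meaning "send no CORS headers at all" (the browser then blocks the read).
function corsHeadersFor(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null; // no prefix or regex matching
  return {
    'Access-Control-Allow-Origin': origin,            // the matched origin, never "*"
    'Access-Control-Allow-Credentials': 'true',       // only safe alongside a specific origin
    'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE',
    'Access-Control-Allow-Headers': 'Content-Type,Authorization',
    'Access-Control-Max-Age': '600',
    'Vary': 'Origin',                                 // caches must not reuse one origin's answer for another
  };
}

// Express/Connect-style middleware built on the helper.
function cors(req, res, next) {
  const headers = corsHeadersFor(req);
  if (headers) for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { // preflight: answer here, do not fall through to routes
    res.statusCode = headers ? 204 : 403;
    return res.end();
  }
  next();
}
```

Note the test cases the allowlist has to fail: a lookalike host such as app.example.com.evil.net, the same host over plain http, and the literal string "null" that browsers send for sandboxed or file origins. Substring or startsWith checks pass the first of these, which is why the Set lookup is exact.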
5. Rate Limiting and Abuse Prevention
AI code generators almost never include rate limiting. Without it, your application is vulnerable to brute force attacks and denial-of-service attempts.
Add rate limiting to login routes, password reset flows, email-sending endpoints, and expensive API operations, keyed by source IP and, for login, also by account. Tools like express-rate-limit or django-ratelimit make this simple, but their default in-memory stores are per-process: on a serverless platform or behind several instances, use a shared store (Redis, or your platform's edge rate limiting), otherwise the limit is not really enforced.
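A sliding-window limiter applied twice to a login route, as an added example that is not from the article. It serves both the lockout check in item 1 and the rate-limiting point here: one limiter gates every request per source IP, the other counts failed attempts per account. The limits, the window and the verify callback are assumptions, and the in-memory state only holds up on a single long-lived process.

```javascript
// Added example (not from the article): sliding-window limiting per IP and per account.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps still inside the window
  }
  _recent(key, now) {
    const kept = (this.hits.get(key) || []).filter((t) => t > now - this.windowMs);
    this.hits.set(key, kept); // dropping old timestamps doubles as cleanup
    return kept;
  }
  _verdict(ts, now) {
    const blocked = ts.length >= this.limit;
    return { blocked, retryAfterMs: blocked ? ts[0] + this.windowMs - now : 0 };
  }
  // Gate and consume one unit: for per-IP limits where every request counts.
  take(key, now = Date.now()) {
    const ts = this._recent(key, now);
    const v = this._verdict(ts, now);
    if (!v.blocked) ts.push(now);
    return v;
  }
  // Record an event without gating: for counting failed logins against an account.
  record(key, now = Date.now()) { this._recent(key, now).push(now); }
  status(key, now = Date.now()) { return this._verdict(this._recent(key, now), now); }
}

const WINDOW_MS = 15 * 60 * 1000;
const perIp = new SlidingWindowLimiter({ limit: 20, windowMs: WINDOW_MS });
const perAccount = new SlidingWindowLimiter({ limit: 5, windowMs: WINDOW_MS });

// verify(username, password) is your server-side password check from item 1.
// Per-account throttling with a window, rather than a permanent lockout, means an
// attacker cannot lock a victim out indefinitely by spamming wrong passwords.
function attemptLogin({ ip, username, password }, verify, now = Date.now()) {
  const ipGate = perIp.take(ip, now);
  if (ipGate.blocked) return { status: 429, retryAfterMs: ipGate.retryAfterMs };
  const account = username.trim().toLowerCase(); // "Bob" and "bob " share one budget
  const acctGate = perAccount.status(account, now);
  if (acctGate.blocked) return { status: 429, retryAfterMs: acctGate.retryAfterMs };
  if (!verify(username, password)) {
    perAccount.record(account, now);
    return { status: 401, retryAfterMs: 0 }; // same response for unknown user and wrong password
  }
  return { status: 200, retryAfterMs: 0 };
}

// Express usage: on 429 also send Retry-After (seconds) so well-behaved clients back off.
function sendLoginResult(res, result) {
  if (result.status === 429) res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
  res.status(result.status).json(result.status === 200 ? { ok: true } : { error: 'login failed' });
}
```

The clock is a parameter so the behaviour can be tested without waiting fifteen minutes. To run this across several instances, back the hits map with Redis (a sorted set per key with the same prune-then-count logic) or let express-rate-limit do it with one of its shared stores.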
6. Database Security
When Lovable or v0 scaffolds a database, it typically creates a single connection with full administrative privileges.
- Is your database connection string stored securely?
- Does your application use a database user with minimal privileges?
- If using Supabase, have you enabled Row Level Security (RLS)?
- Are database backups configured?
- Is your database accessible from the public internet?
Row Level Security is particularly important for Supabase applications. The anon (publishable) key is shipped to the browser by design, so on a table without RLS anyone who loads your page can read or modify any row through the Supabase API, not just authenticated users. Turning RLS on with no policies blocks all access, so each table needs explicit policies for the operations you intend to allow. The service_role key bypasses RLS entirely and must only ever be used server-side.
7. File Upload Handling
If your application accepts file uploads, this needs careful attention.
- Server-side file type validation by inspecting the file's content (magic bytes); do not rely on the extension or the client's Content-Type
- Maximum file size limits on both client and server
- Uploaded files stored outside your web root
- Unique, randomised filenames; never reuse the name the client supplied
- Files served back with the correct Content-Type and Content-Disposition: attachment (or from a separate domain), so an uploaded HTML or SVG file cannot run in your origin
- Malware scanning for files served to other users
8. Error Handling and Information Leakage
Detailed error messages are helpful during development. In production, they are a gift to attackers.
- Are stack traces visible to users in production?
- Do error responses include database query details?
- Is debug mode disabled (for example DEBUG = False in Django, NODE_ENV=production for Node apps)?
Set up error handling middleware that returns generic messages to clients. Log full details server-side only.
9. HTTPS and Transport Security
- Your application is served over HTTPS with a valid certificate
- HTTP requests redirect to HTTPS automatically
- Cookies are set with the Secure and HttpOnly flags, and SameSite=Lax or Strict
- Appropriate security headers are set (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options or the CSP frame-ancestors directive)
Platforms like Vercel and Netlify handle certificates, but they do not automatically set security headers or configure cookies correctly.
10. Dependency Audit
Vibe coding tools install packages liberally. A simple Lovable project can end up with hundreds of npm dependencies.
- Run npm audit or pnpm audit for JavaScript projects
- Run pip-audit for Python projects
- Review high and critical vulnerabilities, and check whether the affected code path is actually reachable in your application before dismissing or blindly upgrading
- Remove packages you are not actually using
- Set up automated scanning with Dependabot or Snyk
- Commit the lockfile so production installs exactly the versions you audited
What to Do If You Find Issues
If you have worked through this checklist and found problems, do not panic. Most of these issues are fixable in a day or two.
- Fix it yourself. Use this checklist as a guide and work through each item. OWASP and framework documentation walk through each fix in detail.
- Get professional help. A security review before launch is significantly cheaper than dealing with a breach after one.
We Can Help
At Original Objective, we work with businesses that have built applications using vibe coding tools and need them production-ready. Our vibe coding production support service covers security auditing, performance testing, and ongoing maintenance.
We do not charge you to rebuild from scratch. We take what you have built, fix the security and reliability gaps, and make sure it is safe to run with real users.
If you have built something and want a second pair of eyes before you go live, book an intro call with us.