Vibe Coding Security Checklist: 10 Things to Fix Before You Deploy
Built something with Lovable, Bolt, or Cursor? These tools are brilliant for speed, but they skip security by default. Here are 10 things to fix before your vibe-coded app goes live.


Curated by Matt Perry
CTO
Vibe coding tools like Lovable, Bolt, Cursor, and v0 have changed the game. You can go from idea to working prototype in hours. That speed is genuinely exciting.
But there is a problem. These tools are optimised for building, not for securing. They generate code that works, looks good, and demos well. What they do not do is think about what happens when real users start poking at your application.
Before you deploy anything built with vibe coding tools to production, you need to run through this checklist. These are not theoretical risks. They are the exact issues we find when auditing vibe-coded applications for clients.
The Vibe Coding Security Checklist
1. Authentication and Session Management
This is the most common issue we see. AI-generated code often includes hardcoded tokens, default credentials, or weak session handling.
Check for:
- Hardcoded API tokens or passwords anywhere in your codebase
- Sessions that never expire
- Authentication logic that lives entirely on the client side
- Missing password hashing
- No account lockout after failed login attempts
Session tokens should be rotated after login. Passwords must be hashed with bcrypt or argon2. Authentication checks should always happen server-side.
2. API Keys and Secrets
When you prompt Cursor or Bolt to connect to a third-party service, the generated code often drops API keys directly into client-side JavaScript.
- Search your entire codebase for API keys, tokens, and connection strings
- Make sure nothing sensitive appears in files shipped to the browser
- Move all secrets to environment variables on the server
- Check your git history for accidentally committed secrets
- Add a .gitignore entry for .env files
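An added example, not the article's code, of the "search the files shipped to the browser" step: a small scanner run over a constructed bundle. The key patterns are heuristics, the sample file name and contents are made up, and the report redacts each match so running it does not copy the secret anywhere else.

```javascript
// Added example (not from the article): scan source that will be shipped to the
// browser for strings that look like credentials. The patterns are heuristics
// and the report redacts the match, so running it does not spread the secret.
const SECRET_PATTERNS = [
  { type: 'AWS access key id',      re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'Stripe live secret key', re: /\bsk_live_[0-9a-zA-Z]{10,}\b/g },
  { type: 'Private key block',      re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  { type: 'Credential assignment',
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"]{12,}['"]/gi },
  { type: 'DB connection string with password',
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s'"]+:[^\s'"]+@/gi },
];

// One finding per matching pattern per line: { file, line, type, redacted }.
function scanForSecrets(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { type, re } of SECRET_PATTERNS) {
      re.lastIndex = 0;                       // global regex: reset per line
      if (!re.test(line)) continue;
      findings.push({ file, line: idx + 1, type,
                      redacted: line.replace(re, '[REDACTED]').trim() });
    }
  });
  return findings;
}

// Constructed sample of what a bundler might emit for a vibe-coded frontend.
// Publishable keys (pk_live_...) and the Supabase project URL are meant to be
// public; the other three lines should never reach the browser.
const SAMPLE_BUNDLE = [
  'const supabaseUrl = "https://example.supabase.co";',
  'const stripe = Stripe("pk_live_ExamplePublishableKey000000");',
  'const STRIPE_SECRET = "sk_live_Example000000000000000000";',
  'fetch(url, { headers: { apiKey: "abcdefghijklmnopqrstuvwxyz012345" } });',
  'const DB_URL = "postgres://app:hunter2@db.example.internal:5432/prod";',
].join('\n');

function demo() {
  return scanForSecrets(SAMPLE_BUNDLE, 'dist/assets/index.js');   // assumed path
}
```

Point the same function at your real build output directory (and at `git log -p` output for the history check) rather than at the constructed sample.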
3. Input Validation and Sanitisation
AI-generated code is remarkably trusting. It tends to accept whatever input users provide without checking whether it is safe.
- Are all form inputs validated on the server, not just the client?
- Are database queries parameterised?
- Is user-generated content sanitised before being rendered in HTML?
- Are file paths constructed safely?
Use parameterised queries for all database access. Sanitise HTML output with a library like DOMPurify. Never trust anything from the browser.
4. CORS Configuration
Vibe coding tools almost always set CORS to *, which means any website can call your endpoints.
- Check your CORS headers. If you see Access-Control-Allow-Origin: *, fix it
- Restrict allowed origins to your actual frontend domain
- Be specific about which HTTP methods and headers you allow
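An added example, not from the article, of the allow-list the checklist asks for, together with a check that flags the wildcard. The frontend domain, dev-server port and header lists are assumptions; the point is that origins are compared as whole values, never by substring.

```javascript
// Added example (not from the article): CORS headers driven by an explicit
// allow-list. The frontend domain is an assumption. Origins are compared as
// whole scheme://host[:port] values, never by substring or regex.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed production frontend
  'http://localhost:5173',     // assumed local dev server
]);

function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin) return {};            // same-origin or non-browser client
  let origin;
  try {
    origin = new URL(requestOrigin).origin; // normalises case and trailing "/"
  } catch {
    return {};                              // malformed or "null" Origin
  }
  if (!allowed.has(origin)) return {};      // unknown origin: no CORS headers at all
  return {
    'Access-Control-Allow-Origin': origin,  // echo only a vetted value
    'Vary': 'Origin',                       // keep caches from mixing origins
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Checks a response's headers for the misconfiguration the checklist names.
function auditCorsHeaders(headers) {
  const issues = [];
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') issues.push('Access-Control-Allow-Origin is *: any site can call this endpoint');
  if (acao && acao !== '*' && !ALLOWED_ORIGINS.has(acao))
    issues.push(`allows unexpected origin ${acao}`);
  return issues;
}
```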
5. Rate Limiting and Abuse Prevention
AI code generators almost never include rate limiting. Without it, your application is vulnerable to brute force attacks and denial-of-service attempts.
Add rate limiting to login routes, password reset flows, email-sending endpoints, and expensive API operations. Tools like express-rate-limit or django-ratelimit make this simple.
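One added example, not from the article, covering both item 1's account lockout and this item's rate limiting with a single fixed-window counter. The limits, window lengths, the in-memory store and the verifyPassword stand-in are all assumptions.

```javascript
// Added example (not from the article): one in-memory fixed-window counter used
// two ways, per-IP rate limiting of the login route and per-account lockout after
// repeated failures. Single process only; production would use Redis or a library.
class WindowCounter {
  constructor({ limit, windowMs, now }) {
    Object.assign(this, { limit, windowMs, now, buckets: new Map() });
  }
  bucket(key) {                          // live bucket for key, or a fresh one
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(key, b);
    }
    return b;
  }
  hit(key) {                             // count one event, report if over limit
    const b = this.bucket(key);
    b.count += 1;
    return { allowed: b.count <= this.limit,
             retryAfterSec: Math.ceil((b.resetAt - this.now()) / 1000) };
  }
  exceeded(key) { return this.bucket(key).count >= this.limit; }
  reset(key) { this.buckets.delete(key); }
}
function makeClock(start = 0) {          // injectable clock: deterministic tests
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Login guard; `verifyPassword` stands in for the real credential check.
function makeLoginGuard({ clock, verifyPassword }) {
  const perIp = new WindowCounter({ limit: 20, windowMs: 60_000, now: clock.now });
  const perAccount = new WindowCounter({ limit: 5, windowMs: 15 * 60_000, now: clock.now });
  return function login({ ip, username, password }) {
    const ipCheck = perIp.hit(ip);
    if (!ipCheck.allowed) return { status: 429, retryAfterSec: ipCheck.retryAfterSec };
    // A locked account and a wrong password get the same reply, so the response
    // does not reveal which usernames exist.
    if (perAccount.exceeded(username)) return { status: 401 };
    if (!verifyPassword(username, password)) {
      perAccount.hit(username);
      return { status: 401 };
    }
    perAccount.reset(username);          // successful login clears the failures
    return { status: 200 };
  };
}
```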
6. Database Security
When Lovable or v0 scaffolds a database, it typically creates a single connection with full administrative privileges.
- Is your database connection string stored securely?
- Does your application use a database user with minimal privileges?
- If using Supabase, have you enabled Row Level Security (RLS)?
- Are database backups configured?
- Is your database accessible from the public internet?
Row Level Security is particularly important for Supabase applications. Without RLS policies, any authenticated user can potentially read or modify any row in your database.
7. File Upload Handling
If your application accepts file uploads, this needs careful attention.
- Server-side file type validation (do not rely on file extensions alone)
- Maximum file size limits on both client and server
- Uploaded files stored outside your web root
- Unique, randomised filenames
- Malware scanning for files served to other users
8. Error Handling and Information Leakage
Detailed error messages are helpful during development. In production, they are a gift to attackers.
- Are stack traces visible to users in production?
- Do error responses include database query details?
- Is debug mode disabled?
Set up error handling middleware that returns generic messages to clients. Log full details server-side only.
9. HTTPS and Transport Security
- Your application is served over HTTPS with a valid certificate
- HTTP requests redirect to HTTPS automatically
- Cookies are set with Secure and HttpOnly flags
- Appropriate security headers are set (Content-Security-Policy, X-Frame-Options)
Platforms like Vercel and Netlify handle certificates, but they do not automatically set security headers or configure cookies correctly.
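An added example, not from the article: a session cookie carrying the flags listed above, the security headers the item names, and a checker that reports which flags an existing Set-Cookie value lacks. The cookie name, lifetime and header values are assumptions.

```javascript
// Added example (not from the article): a session cookie carrying the flags
// from item 9, the headers the item names, and a checker for Set-Cookie values
// an existing app already sends. Header values are assumptions.
function sessionCookie(name, value, { maxAgeSec = 8 * 3600 } = {}) {
  // The __Host- prefix makes browsers refuse the cookie unless it is Secure,
  // has Path=/ and no Domain attribute, so a later misconfiguration fails closed.
  return `__Host-${name}=${encodeURIComponent(value)}; Path=/; ` +
         `Max-Age=${maxAgeSec}; Secure; HttpOnly; SameSite=Lax`;
}

function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// Parses one Set-Cookie header and lists the session-cookie flags it lacks.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const present = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  const missing = ['Secure', 'HttpOnly', 'SameSite'].filter(f => !present.has(f.toLowerCase()));
  return { name: pair.split('=')[0], missing };
}
```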
10. Dependency Audit
Vibe coding tools install packages liberally. A simple Lovable project can end up with hundreds of npm dependencies.
- Run npm audit or pnpm audit for JavaScript projects
- Run pip-audit for Python projects
- Review high and critical vulnerabilities
- Remove packages you are not actually using
- Set up automated scanning with Dependabot or Snyk
What to Do If You Find Issues
If you have worked through this checklist and found problems, do not panic. Most of these issues are fixable in a day or two.
- Fix it yourself. Use this checklist as a guide and work through each item. OWASP and framework documentation walk through each fix in detail.
- Get professional help. A security review before launch is significantly cheaper than dealing with a breach after one.
We Can Help
At Original Objective, we work with businesses that have built applications using vibe coding tools and need them production-ready. Our vibe coding production support service covers security auditing, performance testing, and ongoing maintenance.
We do not charge you to rebuild from scratch. We take what you have built, fix the security and reliability gaps, and make sure it is safe to run with real users.
If you have built something and want a second pair of eyes before you go live, book an intro call with us.
Frequently Asked Questions
What is the most common security vulnerability in vibe-coded apps?
Hardcoded API keys in client-side code. We find this in around 70% of the vibe-coded apps we audit. The AI generates working code that includes your API keys, database passwords, or secret tokens directly in JavaScript files that get shipped to the browser. Anyone can view these using browser developer tools. Moving all secrets to server-side environment variables is the single most important fix.
How long does a security audit take for a vibe-coded application?
A thorough audit covering all 10 items on this checklist typically takes one to two days for a standard application. Fixing the issues found usually takes another two to five days depending on severity. The most time-consuming fixes are usually authentication overhauls (if the original implementation is fundamentally flawed) and adding server-side input validation throughout the application.
Is it safe to deploy a Lovable or Bolt app to production?
Not without a security review first. These tools are designed for speed, not security. The code they produce works correctly but typically lacks server-side validation, proper authentication, rate limiting, and secure credential handling. With one to two weeks of security hardening, most vibe-coded apps can be made production-ready. The code itself is usually fine. It is the security infrastructure around it that needs work.
Do I need to worry about GDPR if my vibe-coded app collects user data?
Yes. If your app collects any personal data from UK or EU users, including names, email addresses, IP addresses, or browser cookies, GDPR applies. You need a privacy policy, cookie consent, a process for data deletion requests, and assurance that data is stored securely. The ICO can fine businesses up to £17.5 million or 4% of annual turnover for non-compliance, regardless of business size.
How much does professional security hardening cost?
For a typical vibe-coded application, a full security audit and fix costs £2,000 to £5,000. This covers all 10 items on this checklist plus any issues specific to your application. Compare that to the average cost of a data breach for a small UK business, which the UK government estimates at £8,170 to £13,400, and the investment is straightforward.

