Copy-Paste Security Prompts for Cursor, Lovable, Bolt & Claude
Ready-to-use prompts that harden your AI-generated code. Copy, paste, and deploy with confidence.
The fastest way to secure a vibe-coded app is to ask your AI to do it. But vague requests like "make it secure" produce vague results. These specific, battle-tested prompts produce real security improvements.
Use them as follow-up prompts after your AI has built the initial app. They work with Cursor, Lovable, Bolt.new, Claude, ChatGPT, and any AI coding tool.
Security Headers (Start Here)
This single prompt adds a broad layer of browser-enforced protection for the least effort. Treat it as defense in depth: headers stop clickjacking, MIME sniffing and many injected-script cases, but they do not replace the authentication and validation prompts further down.
The Prompt
"Add a comprehensive HTTP security headers configuration to this application. Include: Strict-Transport-Security with max-age=31536000 and includeSubDomains, a Content-Security-Policy that restricts scripts to 'self' and uses a per-response nonce or a hash for any inline script (never 'unsafe-inline' or 'unsafe-eval'), X-Frame-Options set to DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy restricting camera, microphone, and geolocation to self. Show me the configuration file for my deployment platform and a curl command I can run against the deployed site to confirm every header is present."
Authentication & Authorization
Lock Down API Routes
"Audit every API route in this application. For each route that reads or writes user data, add session validation at the top. If no valid session exists, return 401 Unauthorized. For routes that access a specific user's data, verify the session user ID matches the owner of the requested resource; if it does not, return 403 Forbidden (or 404 if you don't want to confirm the resource exists) and never fall through to the data. List every route and its protection status when done."
Add Proper Password Handling
"If this app handles passwords: use bcrypt with a cost factor of 12 for hashing (or Argon2id if the stack supports it) and compare with the library's constant-time compare. Never store or log plaintext passwords. Add password strength requirements: minimum 8 characters, at least one number and one special character. Implement account lockout after 5 failed login attempts, tracked per account in the database rather than in process memory, and make an unknown username take the same time to reject as a wrong password."
Session Security
"Review the session and cookie configuration. Ensure session cookies are set with HttpOnly, Secure, and SameSite=Strict flags, and that session IDs are long random values generated server-side. Set session expiry to 24 hours for normal sessions and 30 days for 'remember me'. Regenerate the session ID on login and invalidate all of a user's sessions on password change."
One caveat on SameSite=Strict: a user who follows a link to your app from another site (an email, say) arrives without the cookie and looks logged out. If that matters, SameSite=Lax still withholds the cookie on cross-site POSTs, which is the part that blocks CSRF.
Input Validation & Data Safety
Server-Side Validation
"Add comprehensive server-side validation to every API endpoint that accepts user input. For each field: validate the type (string, number, boolean), enforce maximum lengths, validate email formats, and reject requests with unexpected fields rather than silently dropping them. Escape user-supplied strings at the point where they are rendered into HTML; only sanitize with an allowlist where rich text is genuinely required. Use a validation library if available in this stack."
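What a schema-based validator for that prompt looks like without a library, as an added example that is not code from the original page or from any of the named tools. The schema format, the `signupSchema` and the error strings are this example's assumptions; a library such as zod or Joi gives you the same shape with less code, and the points to check in the AI's output are the same: unknown fields rejected, lengths bounded, output escaped.

```javascript
// Added example, not from the original page: type, length, allowlist and
// email checks plus output escaping, with no dependencies. The schema format
// is an assumption for this example.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // shape check only; proof is a confirmation email

// Escape the characters that break out of HTML text and attribute context.
// Escape at the boundary where data meets markup; only "sanitize" (allowlist
// tags) when rich text is a real requirement.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// schema: { field: { type: 'string'|'number'|'boolean', required?, max?, email?, html? } }
// Returns { ok: true, value } with a cleaned copy, or { ok: false, errors }.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input))
    return { ok: false, errors: ['body must be a JSON object'] };
  const errors = [];
  const value = {};

  // Unknown fields are rejected, not ignored: "isAdmin": true in a signup body
  // should fail loudly, and hasOwn keeps "__proto__" from slipping past.
  for (const key of Object.keys(input)) if (!hasOwn(schema, key)) errors.push(`unexpected field: ${key}`);

  for (const [key, rule] of Object.entries(schema)) {
    const v = input[key];
    if (v === undefined) { if (rule.required) errors.push(`${key} is required`); continue; }
    if (typeof v !== rule.type) { errors.push(`${key} must be a ${rule.type}`); continue; }
    if (rule.type === 'number' && !Number.isFinite(v)) { errors.push(`${key} must be a finite number`); continue; }
    if (rule.type === 'string') {
      if (rule.max !== undefined && v.length > rule.max) { errors.push(`${key} exceeds ${rule.max} characters`); continue; }
      if (rule.email && !EMAIL_RE.test(v)) { errors.push(`${key} is not a valid email`); continue; }
      value[key] = rule.html ? escapeHtml(v) : v;
    } else {
      value[key] = v;
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Example schema for a signup endpoint (an assumption for the demo).
const signupSchema = {
  email: { type: 'string', required: true, max: 254, email: true },
  displayName: { type: 'string', required: true, max: 64, html: true },
  age: { type: 'number' },
  newsletter: { type: 'boolean' },
};
```

The `value` returned is what the handler should work with; never pass the raw body through, or the field you rejected in validation reaches the database anyway.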
File Upload Security
"If this app handles file uploads: allow only images and PDFs, and decide the type from the file's magic bytes rather than the client-supplied Content-Type or extension. Exclude SVG (it is XML and can contain script) and reject PDFs that contain JavaScript or auto-run actions. Limit file size to 5MB, generate random filenames instead of using the original, store uploads outside the web root or in cloud storage with signed URLs, and serve them with Content-Disposition: attachment or from a separate origin."
Database Query Safety
"Audit all database queries in this application. Replace any raw SQL built from string concatenation or template interpolation with parameterized queries. If using an ORM, ensure no user input is concatenated into where clauses or passed to the ORM's 'unsafe' raw-query helpers. Add input length limits and pagination to prevent denial of service through oversized queries and unbounded result sets."
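A scanner for the patterns that prompt tells the AI to remove, as an added example that is not code from the original page or from any of the named tools. It runs over source text and reports line numbers you can hand back to the AI. The Prisma `$queryRawUnsafe`/`$executeRawUnsafe` names and the fact that tagged templates such as postgres.js's sql`` turn `${}` into bind parameters are real; the sample source lines are constructed, and the regexes are a heuristic, not a parser.

```javascript
// Added example, not from the original page: flag SQL assembled by string
// concatenation or template interpolation, plus raw-query helpers that take a
// finished string. Heuristic, line-based; the sample source is constructed.
const SQL_VERB = /\b(select|insert|update|delete|from|where)\b/i;
// Prisma's *Unsafe helpers take a finished string; the non-Unsafe tagged forms parameterize.
const RAW_UNSAFE = /\$(queryRawUnsafe|executeRawUnsafe)\s*\(/;
// Tagged templates (postgres.js / slonik sql`...`, Prisma $queryRaw`...`) turn
// ${} into bind parameters, so they are allowed through.
const TAGGED_SQL = /(\bsql|\$queryRaw|\$executeRaw)`/;

function findUnsafeSql(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    if (RAW_UNSAFE.test(line)) { hits.push({ line: lineNo, why: 'raw query helper without parameters' }); return; }
    if (!SQL_VERB.test(line) || TAGGED_SQL.test(line)) return;
    const interpolated = /`[^`]*\$\{[^}]*\}[^`]*`/.test(line);
    const concatenated = /(['"][^'"]*['"]\s*\+\s*\w|\w\s*\+\s*['"][^'"]*['"])/.test(line);
    if (interpolated) hits.push({ line: lineNo, why: 'template interpolation into SQL' });
    else if (concatenated) hits.push({ line: lineNo, why: 'string concatenation into SQL' });
  });
  return hits;
}

// Constructed sample: two unsafe queries, one raw helper, and three safe forms.
const sample = [
  'const rows = await db.query("SELECT * FROM users WHERE email = \'" + email + "\'");',
  'const one = await db.query(`DELETE FROM posts WHERE id = ${req.params.id}`);',
  'const safe = await db.query(\'SELECT * FROM users WHERE email = $1\', [email]);',
  'const orm = await prisma.user.findMany({ where: { email } });',
  'const tagged = await sql`SELECT * FROM users WHERE email = ${email}`;',
  'const raw = await prisma.$queryRawUnsafe(buildQuery(filters));',
].join('\n');
```

Run it over the files the AI touched (`findUnsafeSql(fs.readFileSync(file, 'utf8'))`) before and after the prompt; the "after" list should be empty, and anything the scanner misses is exactly what the "audit all database queries" wording is for.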
Rate Limiting & Abuse Prevention
Add Rate Limiting
"Add rate limiting to this application. Apply these limits: 100 requests per minute per IP for general API routes, 10 requests per minute per IP for authentication endpoints (login, register, password reset), 5 requests per minute per IP for sensitive actions (payment, account deletion). Identify the client by the IP your trusted proxy reports, not by a header the client can set. Keep the counters in a shared store (such as Redis or the platform's built-in limiter) so every instance sees them. Return 429 Too Many Requests with a Retry-After header when limits are exceeded."
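A tiered limiter with those numbers, as an added example that is not code from the original page or from any of the named tools. It uses fixed one-minute windows in process memory so it runs stand-alone; the route-to-tier mapping, the `req.ip`/`req.path` request shape and the response shape are this example's assumptions.

```javascript
// Added example, not from the original page: a tiered per-IP limiter with the
// numbers from the prompt, using fixed one-minute windows kept in memory. In
// production back the counters with Redis (or the platform's limiter) so all
// instances share them. The route-to-tier mapping is an assumption.
const WINDOW_MS = 60 * 1000;
const LIMITS = { general: 100, auth: 10, sensitive: 5 }; // requests per window per IP

function tierFor(path) {
  if (/^\/api\/auth\/(login|register|password-reset)\b/.test(path)) return 'auth';
  if (/^\/api\/(payments|account\/delete)\b/.test(path)) return 'sensitive';
  return 'general';
}

const counters = new Map(); // "tier|ip" -> { windowStart, count }

// Returns { allowed: true, remaining } or { allowed: false, retryAfter } (seconds).
function check(ip, tier, now = Date.now()) {
  const key = `${tier}|${ip}`;
  const windowStart = now - (now % WINDOW_MS);
  let c = counters.get(key);
  if (!c || c.windowStart !== windowStart) { c = { windowStart, count: 0 }; counters.set(key, c); }
  const limit = LIMITS[tier];
  if (c.count >= limit) return { allowed: false, retryAfter: Math.ceil((windowStart + WINDOW_MS - now) / 1000) };
  c.count += 1;
  return { allowed: true, remaining: limit - c.count };
}

// req.ip must be the address your trusted proxy saw, never a header the client
// can set itself (X-Forwarded-For is only safe once the proxy overwrites it).
function rateLimit(req, now = Date.now()) {
  const r = check(req.ip, tierFor(req.path), now);
  if (r.allowed) return { status: null, headers: { 'X-RateLimit-Remaining': String(r.remaining) } };
  return { status: 429, headers: { 'Retry-After': String(r.retryAfter) }, body: { error: 'Too Many Requests' } };
}
```

Fixed windows allow up to twice the limit across a window boundary; if that matters for the auth tier, a sliding window (or token bucket) in Redis closes the gap. Either way, keys need a TTL so the store does not grow with every IP ever seen.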
Bot Protection
"Add basic bot protection: check the User-Agent header and reject empty ones, add honeypot fields to forms (hidden fields that bots fill but humans don't), implement exponential backoff on failed login attempts."
These are speed bumps, not walls: a User-Agent check costs an attacker one line to bypass. For signup, login and password-reset forms that draw real abuse, add a CAPTCHA or challenge service on top.
Environment & Deployment
Secret Management
"Audit the entire codebase for hardcoded secrets, API keys, database URLs, and credentials. Move all secrets to environment variables. Ensure no .env file is committed to git (check .gitignore). Verify that client-side bundles don't contain any server-only environment variables. Create a .env.example file listing all required variables without values."
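A scanner for the things that prompt asks the AI to remove, as an added example that is not code from the original page or from any of the named tools. The AWS key and GitHub token prefixes and the private-key header are real formats; the generic assignment pattern, the public-prefix list and the sample source lines are this example's assumptions, and every sample value is constructed rather than a real credential.

```javascript
// Added example, not from the original page: find hardcoded secrets in source
// text, check a built client bundle for server-only values, and write the
// .env.example from names only. Sample lines are constructed.
const PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: 'Private key block', re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Database URL with password', re: /\b(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^:\s/]+:[^@\s/]+@/i },
  { name: 'Hardcoded secret assignment', re: /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Lines that read the value from the environment are what we want to see.
const USES_ENV = /process\.env\.|import\.meta\.env\.|os\.environ|getenv\(/;

function scanSource(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    if (USES_ENV.test(line)) return;
    for (const p of PATTERNS) if (p.re.test(line)) hits.push({ line: i + 1, type: p.name });
  });
  return hits;
}

// A client bundle may only carry variables with the framework's public prefix
// (NEXT_PUBLIC_, VITE_, ...). Bundlers inline the *value*, so search the built
// JavaScript for each server-only value, not for the variable name.
function serverValuesInBundle(bundleText, env, publicPrefixes = ['NEXT_PUBLIC_', 'VITE_']) {
  return Object.entries(env)
    .filter(([name]) => !publicPrefixes.some((p) => name.startsWith(p)))
    .filter(([, value]) => typeof value === 'string' && value.length >= 8 && bundleText.includes(value))
    .map(([name]) => name);
}

// .env.example lists every required name with no value.
function envExample(envNames) {
  return envNames.map((n) => `${n}=`).join('\n') + '\n';
}

// Constructed sample source; none of these values are real credentials.
const sampleSource = [
  'const db = "postgres://app:s3cretpass@db.internal:5432/app";',
  'const stripe = process.env.STRIPE_SECRET_KEY;',
  'const aws = "AKIAABCDEFGHIJKLMNOP";',
  'apiKey: "sk_test_0123456789abcdef",',
  'const gh = "ghp_0123456789abcdef0123456789abcdef0123";',
  'const label = "display name";',
].join('\n');
```

Run `scanSource` over the repository and `serverValuesInBundle` over the files in your build output directory with the real environment loaded; a hit in the bundle means the value is already in every visitor's browser and has to be rotated, not just moved.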
Production Readiness
"Prepare this application for production deployment. Disable debug mode and verbose logging. Remove all console.log statements that output sensitive data. Set NODE_ENV to production. Enable gzip compression. Add error handling middleware that returns generic error messages (no stack traces). Verify all environment variables are set in the production environment."
Privacy & Data Protection
GDPR Basics
"Add basic GDPR compliance: create a privacy policy page explaining what data is collected and why, add a cookie consent banner, provide a way for users to request their data (data export), provide a way for users to delete their account and all associated data, log all data access for audit purposes."
Secure Data Handling
"Review how this app handles personal data. Ensure: email addresses are not exposed in client-side API responses unless necessary, user IDs in URLs are not sequential integers (use UUIDs), search and listing endpoints don't leak private fields, API error messages don't reveal whether an email exists in the system."
The Full Security Audit Prompt
When you want AI to do a complete sweep, use this:
"Perform a comprehensive security audit of this entire codebase. Check for: hardcoded secrets, missing authentication on API routes, SQL injection vulnerabilities, XSS vulnerabilities in rendered content, CSRF vulnerabilities on state-changing endpoints, missing security headers, insecure cookie settings, exposed error details, missing rate limiting, file upload vulnerabilities, and insecure direct object references. For each issue found, explain the risk and provide the fix."
After Securing Your App
Once you've run these prompts and deployed the fixes, submit or rescan your app on VibbleLaunch. Your security grade will reflect the improvements. Apps with an A+ security grade are highlighted on the Security Leaderboard and earn more trust from users.
Security isn't a one-time task — it's an ongoing practice. Bookmark this page and revisit it every time you ship a major update.
More security resources
Browse all our security guides, checklists, and copy-paste prompts in the Guides hub.
All Guides →
Have a vibe-coded app?
List it on VibbleLaunch for free and get discovered by thousands of makers and users.
List Your App