4 April 2026 · VibbleLaunch Team · Security

The Vibe Coder's Security Checklist: 10 Things AI Forgot to Add

AI can ship a working app in a weekend, but it consistently misses the same security fundamentals. Here's what to check before you deploy.

You prompted an AI, it wrote the code, and now you have a working app. Congratulations — you're a builder. But before you share the URL, there are ten security gaps that AI almost never fills on its own.

This isn't about shaming vibe coders. It's about the reality that AI models optimize for "works," not "safe." These are the things we see missing in almost every app that gets submitted to VibbleLaunch.

1. No HTTPS Enforcement

Your hosting platform probably provides HTTPS, but is your app redirecting HTTP to HTTPS? Check that you have Strict-Transport-Security (HSTS) headers. Without them, a returning user's browser will still try plain HTTP first, and that unencrypted request can be intercepted before your redirect ever happens.

The prompt to fix it: "Add HSTS headers with a max-age of one year, include subdomains, and redirect all HTTP requests to HTTPS."

2. Missing Content-Security-Policy

This is the single most impactful security header. CSP tells browsers which scripts, styles, and resources are allowed to load. Without it, any script an attacker manages to inject into your pages (through an XSS bug, a compromised third-party script, or similar) runs with full access to your users' sessions.

The prompt to fix it: "Add a Content-Security-Policy header that only allows scripts and styles from my own domain. Block inline scripts unless I explicitly need them."

3. No Input Validation on the Server

AI often adds client-side validation (required fields, email format checks) but skips server-side validation. An attacker won't use your form — they'll send requests directly to your API.

The prompt to fix it: "Add server-side validation for all API endpoints. Validate and sanitize every field — check types, lengths, and formats. Return 400 with specific error messages for invalid input."
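Here is what that server-side validation looks like in practice. This is an added example, not code from the post or from VibbleLaunch: a small schema-driven validator for JSON request bodies that checks type, length and format for every declared field, rejects fields the schema does not know about, and produces the 400-with-specific-errors response the prompt asks for. The `/api/signup` endpoint, its schema and the field names are assumptions made up for the illustration.

```javascript
// Added example (not from the VibbleLaunch post): schema-driven server-side validation.
// The schema format and the signup fields are assumptions for illustration.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Schema for a hypothetical POST /api/signup endpoint (constructed for this example).
const signupSchema = {
  email:      { type: 'string', maxLength: 254, pattern: EMAIL_RE, required: true },
  name:       { type: 'string', minLength: 1, maxLength: 80, required: true },
  age:        { type: 'integer', min: 13, max: 150, required: false },
  newsletter: { type: 'boolean', required: false },
};

// Returns { ok: true, value } containing only the declared fields, or { ok: false, errors }.
function validateBody(schema, body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const value = {};
  // Unknown fields are rejected rather than silently passed through to the database.
  for (const key of Object.keys(body)) {
    if (!(key in schema)) errors.push(`${key}: unexpected field`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const v = body[key];
    if (v === undefined || v === null) {
      if (rule.required) errors.push(`${key}: required`);
      continue;
    }
    switch (rule.type) {
      case 'string': {
        if (typeof v !== 'string') { errors.push(`${key}: must be a string`); break; }
        const s = v.trim();
        if (rule.minLength !== undefined && s.length < rule.minLength) errors.push(`${key}: too short`);
        if (rule.maxLength !== undefined && s.length > rule.maxLength) errors.push(`${key}: too long (max ${rule.maxLength})`);
        if (rule.pattern && !rule.pattern.test(s)) errors.push(`${key}: invalid format`);
        value[key] = s;
        break;
      }
      case 'integer': {
        if (!Number.isInteger(v)) { errors.push(`${key}: must be an integer`); break; }
        if (rule.min !== undefined && v < rule.min) errors.push(`${key}: must be >= ${rule.min}`);
        if (rule.max !== undefined && v > rule.max) errors.push(`${key}: must be <= ${rule.max}`);
        value[key] = v;
        break;
      }
      case 'boolean': {
        if (typeof v !== 'boolean') { errors.push(`${key}: must be a boolean`); break; }
        value[key] = v;
        break;
      }
      default:
        errors.push(`${key}: unknown rule type`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Turns the validation result into the HTTP response the checklist asks for:
// 400 with every problem listed, or 201 with the cleaned-up value.
function handleSignup(body) {
  const result = validateBody(signupSchema, body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 201, body: { created: result.value } };
}
```

The point of returning `result.value` rather than the raw body is that the handler only ever sees the fields it declared, trimmed and type-checked, so nothing the client added on its own reaches your data layer.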

4. API Routes Without Authentication

This is the most common critical vulnerability we see. AI generates API routes that work, but anyone can call them. Your /api/users endpoint probably returns everyone's data to anyone who asks.

The prompt to fix it: "Add authentication checks to every API route. Return 401 if no valid session exists. For user-specific data, verify the session user matches the requested resource."

5. Missing Rate Limiting

Without rate limiting, an attacker can hammer your API with thousands of requests per second — scraping your data, brute-forcing passwords, or running up your cloud bill.

The prompt to fix it: "Add rate limiting to all API routes. Limit to 60 requests per minute per IP for general endpoints, and 5 per minute for authentication endpoints."
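To show what those two limits mean in code, here is an added example (not from the post, and not VibbleLaunch's own code): an in-memory fixed-window limiter keyed by client IP with the 60-per-minute general tier and the 5-per-minute auth tier. The clock is injectable so the behaviour can be tested without waiting a minute, and the assumption that authentication endpoints live under `/api/auth/` is just a path convention chosen for the illustration.

```javascript
// Added example (not from the VibbleLaunch post): per-IP fixed-window rate limiting.
// Assumptions: auth endpoints live under /api/auth/; a single-process app, so a Map is
// enough (a multi-instance deployment would need a shared store such as Redis).

const WINDOW_MS = 60_000;

const TIERS = {
  general: { limit: 60 }, // 60 requests per minute per IP
  auth:    { limit: 5 },  // 5 per minute per IP for login, signup, password reset
};

function tierFor(path) {
  return path.startsWith('/api/auth/') ? 'auth' : 'general';
}

function createRateLimiter(now = () => Date.now()) {
  const buckets = new Map(); // "tier:ip" -> { windowStart, count }

  // Records one request and returns { allowed, remaining, retryAfterSec }.
  function check(ip, path) {
    const tier = tierFor(path);
    const { limit } = TIERS[tier];
    const key = `${tier}:${ip}`;
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= WINDOW_MS) {
      b = { windowStart: t, count: 0 }; // start a fresh window
      buckets.set(key, b);
    }
    if (b.count >= limit) {
      const retryAfterSec = Math.ceil((b.windowStart + WINDOW_MS - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    b.count += 1;
    return { allowed: true, remaining: limit - b.count, retryAfterSec: 0 };
  }

  // Call periodically (e.g. from setInterval) so the map does not grow without bound.
  // Returns the number of live buckets after cleanup.
  function sweep() {
    const t = now();
    for (const [key, b] of buckets) {
      if (t - b.windowStart >= WINDOW_MS) buckets.delete(key);
    }
    return buckets.size;
  }

  return { check, sweep };
}

// Maps a denied check to the 429 response; returns null when the request may proceed.
function rateLimitResponse(result) {
  if (result.allowed) return null;
  return {
    status: 429,
    headers: { 'Retry-After': String(result.retryAfterSec) },
    body: 'Too many requests',
  };
}
```

One caveat worth checking in your own deployment: the IP you key on must be the real client address. Behind a reverse proxy that means reading the forwarded-for header that your proxy sets, and only trusting it from the proxy; if you read it from any client, a caller can pick their own bucket.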

6. Secrets in Client-Side Code

AI sometimes puts API keys, database URLs, or webhook secrets directly in client-side code. Anyone can view page source and steal them.

The prompt to fix it: "Audit the entire codebase for secrets, API keys, and credentials. Move all of them to environment variables. Make sure client-side code never imports or accesses server-only secrets."
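The audit that prompt asks the AI to do is easy to automate as a review aid. The following is an added example, not from the post: a small scanner that flags hard-coded credential-looking literals anywhere in the tree and any `process.env` access in files shipped to the browser. The sample file contents, the fake key values and the `client/` directory convention are all constructed for the illustration; the regexes are heuristics and will produce false positives, which is the right trade-off for a check you read through by hand.

```javascript
// Added example (not from the VibbleLaunch post): a heuristic secret scanner.
// Assumptions: browser code lives under client/ or src/components/; sample files below
// are constructed with deliberately fake values.

const PATTERNS = [
  { name: 'secret-like assignment',
    // a variable whose name suggests a credential, assigned a long string literal
    re: /\b[A-Za-z_]*(secret|token|password|api[_-]?key)[A-Za-z_]*\s*[:=]\s*['"`][^'"`]{16,}['"`]/i },
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

function isClientFile(path) {
  return path.startsWith('client/') || path.startsWith('src/components/');
}

// Returns one finding per (line, pattern) hit: { path, line, kind }.
function scanFile(path, contents) {
  const findings = [];
  contents.split('\n').forEach((line, i) => {
    for (const { name, re } of PATTERNS) {
      if (re.test(line)) findings.push({ path, line: i + 1, kind: name });
    }
    // Server-only configuration must never be read from code that ships to the browser.
    if (isClientFile(path) && /\bprocess\.env\.[A-Z0-9_]+/.test(line)) {
      findings.push({ path, line: i + 1, kind: 'process.env in client code' });
    }
  });
  return findings;
}

// files: { [path]: contents }. Swap in a directory walk to run it over a real tree.
function scanTree(files) {
  return Object.entries(files).flatMap(([path, contents]) => scanFile(path, contents));
}

// Constructed sample tree; the key value is fake.
const SAMPLE_FILES = {
  'client/checkout.js':
    "const STRIPE_SECRET_KEY = 'sk_example_000000000000000000';\nfetch('/api/pay');\n",
  'client/config.js':
    "export const dbUrl = process.env.DATABASE_URL;\n",
  'server/db.js':
    "const url = process.env.DATABASE_URL; // server-side: fine\n",
};
```

Running `scanTree(SAMPLE_FILES)` flags the hard-coded key in `client/checkout.js` and the `DATABASE_URL` read in `client/config.js`, and says nothing about the identical read in `server/db.js`, which is exactly the distinction the prompt is asking the AI to make.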

7. No CSRF Protection

Cross-Site Request Forgery lets attackers trick authenticated users into performing actions they didn't intend. If your app uses cookies for auth (most do), you need CSRF tokens.

The prompt to fix it: "Add CSRF protection to all state-changing API routes (POST, PUT, DELETE). Use the double-submit cookie pattern or integrate CSRF tokens into forms."
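Items 4 and 7 are really one gate that runs before every route handler, so here they are together in an added example (not from the post, not VibbleLaunch's code): a `guard` function that rejects requests with no valid session (401), requires a double-submit CSRF token on state-changing methods (403), and checks that `/api/users/:id` is only touched by that user (403). The in-memory session store, the `session` and `csrf` cookie names, the `x-csrf-token` header and the route shape are all assumptions for the illustration.

```javascript
// Added example (not from the VibbleLaunch post): session, CSRF and ownership checks.
// Assumptions: cookie names "session" and "csrf", header "x-csrf-token", a constructed
// session store, and user-specific routes of the form /api/users/:id.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Constant-time comparison so a token check does not leak how many leading
// characters matched through response timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Constructed session store: session id -> user id. Real apps keep this server-side too,
// in a database or cache, never decoded from the cookie alone.
const SESSIONS = new Map([['sess-alice', 'u1'], ['sess-bob', 'u2']]);

// req: { method, path, headers: { cookie, 'x-csrf-token' } }
// Returns null when the handler may run, otherwise the { status, body } to send.
function guard(req) {
  const cookies = parseCookies(req.headers.cookie);
  const userId = SESSIONS.get(cookies.session);
  if (!userId) return { status: 401, body: 'authentication required' };

  // Double-submit cookie: the token in the csrf cookie must also arrive in a header.
  // A cross-site page can make the browser send the cookie, but cannot read its value
  // to put it in the header, so a forged request fails here.
  if (!SAFE_METHODS.has(req.method)) {
    const header = req.headers['x-csrf-token'];
    if (!cookies.csrf || !safeEqual(cookies.csrf, header)) {
      return { status: 403, body: 'csrf token invalid' };
    }
  }

  // Ownership: the session user must match the resource being requested.
  const m = /^\/api\/users\/([^/]+)$/.exec(req.path);
  if (m && m[1] !== userId) return { status: 403, body: 'forbidden' };

  return null;
}
```

The ownership check is the part most often missing: an authenticated user is still only allowed to read and change their own record, so the handler compares the session's user id to the id in the URL rather than trusting the URL on its own.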

8. SQL Injection via Raw Queries

If AI used raw SQL queries anywhere instead of an ORM's parameterized queries, you might have SQL injection vulnerabilities.

The prompt to fix it: "Replace all raw SQL queries with parameterized queries or ORM methods. Never concatenate user input into SQL strings."
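To make the difference concrete, here is an added example (not from the post): the concatenation pattern the checklist warns about next to its parameterized replacement, run against a tiny recording executor instead of a real database so you can see exactly what text reaches the SQL engine in each case. It also includes a small review aid that flags source lines building SQL from `+` or `${...}`. The `users` table, its columns and the PostgreSQL-style `$1` placeholder are assumptions for the illustration.

```javascript
// Added example (not from the VibbleLaunch post): raw-string SQL versus parameterized SQL.
// Assumptions: a users(id, email, username) table and $1-style placeholders.

// Records query text and bound parameters instead of executing anything.
function makeRecorder() {
  const calls = [];
  return {
    calls,
    query(text, params = []) { calls.push({ text, params }); return calls.length; },
  };
}

// Vulnerable: the user's input becomes part of the SQL text itself, so the engine
// parses whatever the user typed as SQL.
function findUserUnsafe(db, username) {
  const sql = "SELECT id, email FROM users WHERE username = '" + username + "'";
  return db.query(sql);
}

// Hardened: the SQL text is a constant; the input travels separately as a bound value
// and is never parsed as SQL. Other drivers spell the placeholder ? or :name.
function findUserSafe(db, username) {
  const sql = 'SELECT id, email FROM users WHERE username = $1';
  return db.query(sql, [username]);
}

// Runs both against recorders and returns what each would send to the database.
function compare(username) {
  const unsafe = makeRecorder();
  const safe = makeRecorder();
  findUserUnsafe(unsafe, username);
  findUserSafe(safe, username);
  return {
    unsafeText: unsafe.calls[0].text,
    safeText: safe.calls[0].text,
    safeParams: safe.calls[0].params,
  };
}

// Review aid: flag source lines that build SQL with string concatenation or template
// interpolation. Heuristic; it points a reviewer at lines worth inspecting.
const SQL_KW = /\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b/i;
function findSqlConcatenation(source) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) =>
      SQL_KW.test(text) && (/['"]\s*\+\s*[A-Za-z_$]/.test(text) || /\$\{[^}]+\}/.test(text)));
}
```

An ordinary name such as `O'Brien` is enough to show the problem: the unsafe query's text changes with the input and its quoting breaks, while the safe query's text is identical for every input and the name arrives intact as a parameter.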

9. No Error Boundaries or Graceful Failures

When something goes wrong, does your app show a blank screen or a stack trace? Stack traces in production leak internal information about your system.

The prompt to fix it: "Add error boundaries to the frontend. On the backend, catch all errors and return generic error messages in production. Never expose stack traces, file paths, or internal details."
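For the backend half of that prompt, here is an added example (not from the post): an error-to-response mapper that logs the full stack under a request id and sends the client only a generic message plus that id, attaching debugging detail only outside production. The `HttpError` class, the logger callback and the request-id counter are assumptions for the illustration; in real code the id would come from `crypto.randomUUID()`.

```javascript
// Added example (not from the VibbleLaunch post): keep error detail on the server.
// Assumptions: an HttpError class for errors whose message is safe to show, a logger
// callback, and a constructed request-id counter (use crypto.randomUUID() in real code).

class HttpError extends Error {
  constructor(status, publicMessage) {
    super(publicMessage);
    this.name = 'HttpError';
    this.status = status;
    this.expose = true; // the message was written to be shown to clients
  }
}

let counter = 0;
function newRequestId() { counter += 1; return `req-${counter}`; }

// Returns { status, body } for any thrown error.
function errorToResponse(err, { env = 'production', log = () => {} } = {}) {
  const requestId = newRequestId();
  // Full detail is logged server-side under the same id the client receives,
  // so a support request quoting the id can be matched to the real cause.
  log({ requestId, name: err.name, message: err.message, stack: err.stack });

  if (err instanceof HttpError && err.expose) {
    return { status: err.status, body: { error: err.message, requestId } };
  }
  const body = { error: 'Internal server error', requestId };
  // Only outside production is debugging detail attached to the response.
  if (env !== 'production') {
    body.detail = err.message;
    body.stack = err.stack;
  }
  return { status: 500, body };
}

// Review aid for tests: does a serialized response body look like it carries a stack
// frame or a server file path?
function leaksInternals(body) {
  const text = JSON.stringify(body);
  return /\bat .*\.[cm]?[jt]s:\d+/.test(text) || /\/(node_modules|home|usr|var)\//.test(text);
}
```

Wiring `errorToResponse` into your framework's catch-all error handler, with `env` taken from `NODE_ENV`, is what turns "catch all errors" into something you can verify: a test can throw a `TypeError` through the handler and assert that the body contains no stack.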

10. Default or No Security Headers

Beyond HSTS and CSP, there are several headers that take 30 seconds to add and block entire categories of attacks: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

The prompt to fix it: "Add these security headers to all responses: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy with all features restricted to self."
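Items 1, 2 and 10 all come down to one set of response headers, so here they are in a single added example (not from the post, not VibbleLaunch's code): a function that redirects plain-HTTP requests and otherwise returns HSTS, a nonce-based CSP that keeps `'unsafe-inline'` out, and the four headers from item 10. It works on a plain request description so it can sit in front of any Node framework. Two assumptions: the app runs behind a reverse proxy that sets `X-Forwarded-Proto` (trust that header only from your proxy), and the Permissions-Policy lists a handful of representative features rather than every one the browser knows.

```javascript
// Added example (not from the VibbleLaunch post): HTTP->HTTPS redirect plus the
// security headers from items 1, 2 and 10. Assumptions: X-Forwarded-Proto is set by a
// trusted proxy; Node 19+ for globalThis.crypto.

const ONE_YEAR = 31536000; // seconds

// CSP that trusts only the page's own origin, plus inline scripts carrying this
// response's nonce (add nonce="..." to the <script> tags you render).
function contentSecurityPolicy(nonce) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`],
    'style-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"],
    'form-action': ["'self'"],
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(' ')}`).join('; ');
}

function securityHeaders(nonce) {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'Content-Security-Policy': contentSecurityPolicy(nonce),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    // Representative subset; extend with the features your app actually touches.
    'Permissions-Policy': 'camera=(self), microphone=(self), geolocation=(self)',
  };
}

// Fresh random nonce per response; never reuse one across responses.
function makeNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Buffer.from(bytes).toString('base64');
}

// req: { headers: { host, 'x-forwarded-proto' }, url, encrypted }
// Returns a 301 for plain-HTTP requests; otherwise the headers to merge into the
// response and the nonce to use when rendering inline scripts.
function secureTransport(req, nonce = makeNonce()) {
  const proto = req.headers['x-forwarded-proto'] || (req.encrypted ? 'https' : 'http');
  if (proto !== 'https') {
    return { status: 301, headers: { Location: `https://${req.headers.host}${req.url}` } };
  }
  return { status: null, headers: securityHeaders(nonce), nonce };
}
```

Two things to check after wiring this in: that the HSTS header is only ever sent on HTTPS responses (browsers ignore it on HTTP, which is why the redirect comes first), and that every inline `<script>` you render carries the nonce, since with this CSP any inline script without one is blocked.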

How to Check Your Score

Submit your app to VibbleLaunch and we'll automatically scan your security headers and assign a grade from A+ to F. You can rescan anytime from the app page to track your improvements.

The Security Leaderboard showcases the most secure vibe-coded apps — earning an A+ is a competitive advantage that tells users you take their safety seriously.

Tags: security, checklist, vibe coding, best practices, deployment
