Prompt Library

Copy. Paste. Ship secure.

30 battle-tested prompts for Cursor, Lovable, Bolt, Claude, and ChatGPT. Stop asking AI to “make it secure” — use specific prompts that produce real results.

Security

5 prompts

Lock down headers, CSP, and common vulnerabilities

Add All Security Headers

Cursor, Lovable, Bolt, Claude
Add a comprehensive HTTP security headers configuration. Include: Strict-Transport-Security with max-age=31536000 and includeSubDomains, Content-Security-Policy that restricts scripts to self and trusted CDNs, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy restricting camera, microphone, and geolocation to self. Configure this for my deployment platform.

Why this matters: Most vibe-coded apps ship with zero security headers. This single prompt blocks XSS, clickjacking, and protocol downgrade attacks.
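The header set the prompt asks for, written out as an added example (not part of the prompt library): a testable builder for the headers, a CSP assembled from an allowlist of CDN origins plus an optional report-uri, and an Express-style middleware that applies them. The CDN origins and report endpoint are assumed placeholders.

```javascript
// Trusted CDN origins and report endpoint are placeholders; replace with your own.
function buildCsp({ cdns = [], reportUri } = {}) {
  const directives = [
    "default-src 'self'",
    // Scripts only from our origin and the listed CDNs; no 'unsafe-inline',
    // so injected inline <script> tags are refused by the browser.
    `script-src 'self'${cdns.map((c) => ` ${c}`).join('')}`,
    "object-src 'none'",       // no plugin content
    "base-uri 'self'",         // stop <base> injection from rewriting relative URLs
    "frame-ancestors 'none'",  // modern counterpart of X-Frame-Options: DENY
  ];
  if (reportUri) directives.push(`report-uri ${reportUri}`); // log violations
  return directives.join('; ');
}

function buildSecurityHeaders(opts = {}) {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': buildCsp(opts),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(self), microphone=(self), geolocation=(self)',
  };
}

// Express-style middleware: applies every header to each response.
function securityHeaders(opts) {
  const headers = buildSecurityHeaders(opts);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```

Send Strict-Transport-Security only on HTTPS responses; browsers ignore it over plain HTTP anyway.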

Content Security Policy (Strict)

Cursor, Claude, ChatGPT
Create a strict Content-Security-Policy that only allows scripts from my own domain and specific trusted CDNs I'm using. Block inline scripts unless I explicitly need them for analytics. Add a report-uri directive to log violations. Show me the full CSP string and explain each directive.

Why this matters: CSP is your strongest defense against XSS. A strict policy prevents injected scripts from running even if an attacker finds a way to insert them.

Server-Side Input Validation

Cursor, Claude, ChatGPT
Add server-side validation to every API endpoint that accepts user input. For each field: validate the type, enforce maximum lengths, sanitize HTML to prevent XSS, validate email and URL formats, and reject unexpected fields. Use Zod for schema validation. Return 400 with specific field-level error messages.

Why this matters: Client-side validation is cosmetic. Anyone can bypass your form and send raw requests to your API.

Full Security Audit

Cursor, Claude, ChatGPT
Perform a comprehensive security audit of this entire codebase. Check for: hardcoded secrets, missing authentication on API routes, SQL injection, XSS in rendered content, CSRF on state-changing endpoints, missing security headers, insecure cookie settings, exposed error details, missing rate limiting, file upload vulnerabilities, and insecure direct object references. For each issue, explain the risk and provide the fix.

Why this matters: Use this before every deployment. It catches the top 10 vulnerability categories in one sweep.

Secrets & Environment Variable Audit

Cursor, Claude, ChatGPT
Audit the entire codebase for hardcoded secrets, API keys, database URLs, and credentials. Move all secrets to environment variables. Verify client-side bundles don't contain server-only variables. Check .gitignore includes .env files. Create a .env.example listing all required variables without values.

Why this matters: Leaked API keys are the #1 cause of cloud billing disasters. This takes 5 minutes and prevents thousands in damage.

Authentication

4 prompts

Auth flows, sessions, OAuth, and access control

NextAuth.js Setup (Google + GitHub + Magic Links)

Cursor, Claude
Add authentication using NextAuth.js with Google OAuth, GitHub OAuth, and email magic link providers. Store sessions in the database using Prisma adapter. Protect all /dashboard and /api routes that require authentication. Create a sign-in page at /login. Handle sign-in, sign-out, and session refresh. Configure cookies with HttpOnly, Secure, and SameSite=Lax flags.

Why this matters: Don't build auth yourself. NextAuth handles sessions, CSRF, token rotation, and 60+ providers out of the box.

Protect All API Routes

Cursor, Claude, ChatGPT
Audit every API route. For each route that reads or writes user data, add session validation at the top. Return 401 if no valid session. For routes accessing a specific user's data, verify the session user ID matches the requested resource. List every route and its protection status when done.

Why this matters: The #1 vulnerability in vibe-coded apps: API routes with no auth check that return everyone's data to anyone who asks.

Role-Based Access Control

Cursor, Claude
Implement role-based access control with at least three roles: user, moderator, admin. Store roles in the database, not in the session token. Create a middleware function that checks the user's role from the database on every protected request. Admin routes should verify admin role server-side. Never trust role information from the client.

Why this matters: Checking roles only in the session token means anyone who can modify their token becomes an admin.
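One authorization helper covering both the "Protect All API Routes" and the "Role-Based Access Control" prompts above, as an added example that is not part of the prompt library: no session means 401, routes that touch a specific user's data verify ownership against the stored owner, and role checks read the role from the database while ignoring any role claim in the session. `fakeDb` is a constructed in-memory stand-in for the real database lookups.

```javascript
const ROLE_RANK = { user: 1, moderator: 2, admin: 3 };

// Constructed stand-in for the database (synchronous for the example; a real
// adapter would be async). Roles and ownership live here, never in the token.
const fakeDb = {
  roles: new Map([['u1', 'user'], ['u2', 'admin']]),
  owners: new Map([['invoice:9', 'u1']]),
  getUserRole(userId) { return this.roles.get(userId); },
  getOwnerId(type, id) { return this.owners.get(`${type}:${id}`); },
};

// Returns { status, reason }: 200 allow, 401 no session, 403 forbidden, 404 unknown/not owned.
function authorize({ session, db = fakeDb, resource, minRole }) {
  if (!session || !session.userId) return { status: 401, reason: 'no session' };

  if (resource) {
    const ownerId = db.getOwnerId(resource.type, resource.id);
    // 404 for both "missing" and "owned by someone else": the response does not
    // confirm that another user's resource id exists.
    if (ownerId === undefined || ownerId !== session.userId) return { status: 404, reason: 'not found' };
  }

  if (minRole) {
    const role = db.getUserRole(session.userId); // session.role is deliberately ignored
    if (!role || ROLE_RANK[role] < ROLE_RANK[minRole]) return { status: 403, reason: 'insufficient role' };
  }
  return { status: 200, reason: 'ok' };
}

// Express-style guard: requireAuth({ resourceType: 'invoice' }) or requireAuth({ minRole: 'admin' }).
function requireAuth(opts = {}) {
  return (req, res, next) => {
    const resource = opts.resourceType ? { type: opts.resourceType, id: req.params.id } : undefined;
    const d = authorize({ session: req.session, resource, minRole: opts.minRole });
    if (d.status === 200) return next();
    res.status(d.status).json({ error: d.reason });
  };
}
```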

Rate Limit Authentication Endpoints

Cursor, Claude, ChatGPT
Add rate limiting to authentication endpoints: 5 login attempts per minute per IP, 3 password reset requests per hour per email, 10 registration attempts per hour per IP. Implement exponential backoff after failed attempts. Return 429 with Retry-After header. Log all rate limit hits for security monitoring.

Why this matters: Without rate limiting, an attacker can brute-force passwords at thousands of attempts per second.
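The login part of the limiter described above, as an added example that is not part of the prompt library: 5 attempts per minute per IP, a cooldown that doubles after each failed attempt, a 429 with Retry-After when denied, and a structured log line for each hit. It assumes a single process (multi-instance deployments need shared state such as Redis) and takes an injectable clock so it can be tested without waiting.

```javascript
const WINDOW_MS = 60_000;        // "per minute"
const MAX_ATTEMPTS = 5;          // "5 login attempts"
const BASE_BACKOFF_MS = 1_000;   // first failure: 1s, then 2s, 4s, ... up to the cap
const MAX_BACKOFF_MS = 15 * 60_000;

function createLoginLimiter({ now = () => Date.now() } = {}) {
  const buckets = new Map(); // ip -> { windowStart, count, failures, blockedUntil }

  function bucket(ip) {
    let b = buckets.get(ip);
    if (!b) buckets.set(ip, (b = { windowStart: now(), count: 0, failures: 0, blockedUntil: 0 }));
    if (now() - b.windowStart >= WINDOW_MS) { b.windowStart = now(); b.count = 0; }
    return b;
  }

  // Called before the credential check. Returns { allowed, retryAfterSec }.
  function check(ip) {
    const b = bucket(ip);
    const t = now();
    if (t < b.blockedUntil) return { allowed: false, retryAfterSec: Math.ceil((b.blockedUntil - t) / 1000) };
    if (b.count >= MAX_ATTEMPTS) return { allowed: false, retryAfterSec: Math.ceil((b.windowStart + WINDOW_MS - t) / 1000) };
    b.count += 1;
    return { allowed: true, retryAfterSec: 0 };
  }

  // Called after the credential check; each failure doubles the cooldown.
  function record(ip, success) {
    const b = bucket(ip);
    if (success) { b.failures = 0; b.blockedUntil = 0; return; }
    b.failures += 1;
    const backoffMs = Math.min(BASE_BACKOFF_MS * 2 ** (b.failures - 1), MAX_BACKOFF_MS);
    b.blockedUntil = now() + backoffMs;
    // Structured log line for security monitoring (ship to your log pipeline instead of stdout).
    console.log(JSON.stringify({ event: 'auth_rate_limit', ip, failures: b.failures, backoffMs }));
  }

  // Express-style middleware for the login route: 429 plus Retry-After when denied.
  function middleware(req, res, next) {
    const r = check(req.ip);
    if (r.allowed) return next();
    res.setHeader('Retry-After', String(r.retryAfterSec));
    res.status(429).json({ error: 'Too many attempts, try again later' });
  }

  return { check, record, middleware };
}
```

Behind a proxy, make sure `req.ip` is the real client address (Express `trust proxy`), or every user shares one bucket.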

Database

3 prompts

Schema design, queries, migrations, and optimization

Fix N+1 Query Problems

Cursor, Claude
Find and fix all N+1 query problems in this codebase. Use eager loading (include/join) to fetch related data in a single query instead of looping. Check: listing pages displaying related data, API routes that loop through results and make additional queries, pages showing counts for each item. Show me the before and after query counts.

Why this matters: The N+1 problem turns 1 query into 50+. It's the most common performance bug in AI-generated code and makes pages take seconds instead of milliseconds.

Add Database Indexes

Cursor, Claude
Analyze all database queries in this application and add indexes for: columns used in WHERE clauses, columns used in ORDER BY, columns used in JOIN conditions, and composite indexes for queries filtering on multiple columns. Prioritize the most frequently run queries. Show me the migration file with all indexes.

Why this matters: Missing indexes turn sub-second queries into multi-second table scans as your data grows.

Optimize SELECT Queries

Cursor, Claude
Optimize all database queries: select only the fields actually used in the response, add pagination with limits of 20-50 per page, use database-level sorting instead of JavaScript sorting. Replace any findMany without a take/limit. Show me each query before and after optimization.

Why this matters: AI defaults to SELECT * which pulls every column. On a table with 20 columns, you're transferring 10x more data than needed.

Performance

4 prompts

Speed, bundle size, Core Web Vitals, and caching

Optimize All Images

Cursor, Claude, ChatGPT
Optimize all images: use the framework's Image component for automatic resizing and format conversion, add width and height attributes to prevent layout shift, implement lazy loading for below-the-fold images, serve WebP format where supported, add responsive srcsets for mobile. List every image tag changed.

Why this matters: Unoptimized images are typically 60-80% of total page weight. This single change can cut load time in half.

Reduce JavaScript Bundle Size

Cursor, Claude
Analyze and reduce the JavaScript bundle size. Replace heavy libraries with lighter alternatives or native APIs: use Intl.DateTimeFormat instead of moment/date-fns, use native fetch instead of axios. Tree-shake imports to only what's used. Add dynamic imports for components not needed on initial page load. Show bundle size before and after.

Why this matters: AI imports entire libraries when you need one function. A 500KB bundle on mobile 3G takes 5+ seconds to parse.

Add Caching Strategy

Cursor, Claude
Add caching at three levels: 1) HTTP cache headers — immutable for hashed static assets, 1-hour max-age for HTML, stale-while-revalidate for API data. 2) Server-side caching for expensive database queries using a simple in-memory cache with TTL. 3) Client-side caching with SWR or React Query for API responses. Show the configuration for each level.

Why this matters: The fastest request is the one you never make. Without caching, every page view hits the database.

Fix Core Web Vitals

Cursor, Claude, ChatGPT
Audit and fix Core Web Vitals issues: LCP — identify the largest element and optimize its load path (preload critical images and fonts, remove render-blocking resources). CLS — add explicit dimensions to all images, embeds, and dynamic content. INP — defer non-critical JavaScript, break up long tasks, use requestIdleCallback for analytics. Target: LCP under 2.5s, CLS under 0.1, INP under 200ms.

Why this matters: Google uses Core Web Vitals as a ranking factor. Bad scores mean lower search rankings AND higher bounce rates.

SEO

4 prompts

Meta tags, structured data, sitemaps, and discoverability

Add Meta Tags to Every Page

Cursor, Claude, ChatGPT
Add unique title tags and meta descriptions to every page. Titles under 60 characters with the page's primary keyword. Descriptions under 155 characters with a benefit and call to action. For dynamic pages, generate from content. Add Open Graph tags (og:title, og:description, og:image, og:url) and Twitter Card tags (summary_large_image) to every page.

Why this matters: Most vibe-coded apps have the same generic title on every page. Unique meta tags are the single highest-ROI SEO change.

Add Schema.org Structured Data

Cursor, Claude
Add Schema.org structured data using JSON-LD: Organization schema on the homepage, SoftwareApplication schema on product pages, Article schema on blog posts, FAQPage schema on FAQ sections, BreadcrumbList on all pages. Validate with Google's Rich Results Test. Include all recommended properties.

Why this matters: Structured data triggers rich results in Google — stars, prices, FAQs directly in search results. Free extra visibility.

Dynamic XML Sitemap

Cursor, Claude
Create a dynamic XML sitemap that includes all public pages with accurate lastmod dates. Exclude admin, auth, and API routes. Add the sitemap URL to robots.txt. Create a robots.txt that allows all public pages and blocks private routes. Add canonical URL tags to every page.

Why this matters: Without a sitemap, Google discovers pages slowly or not at all. Dynamic sitemaps ensure new content is indexed quickly.

Fix Semantic HTML

Cursor, Claude, ChatGPT
Replace generic divs with semantic HTML: header, main, nav, section, article, aside, footer. Use exactly one h1 per page, h2 for sections, h3 for subsections — never skip levels. Add descriptive alt text to all images. Ensure the document has a logical heading hierarchy. Add aria-labels to interactive elements without visible text.

Why this matters: Semantic HTML helps both search engines and screen readers understand your content structure. It's also an accessibility requirement.

Deployment

3 prompts

Production readiness, CI/CD, and monitoring

Production Readiness Checklist

Cursor, Claude, ChatGPT
Prepare this application for production: disable debug mode and verbose logging, remove console.log with sensitive data, set NODE_ENV to production, enable gzip compression, add error handling middleware that returns generic messages without stack traces, verify all required environment variables are set and fail fast if missing, add a health check endpoint at /api/health.

Why this matters: Debug mode in production leaks file paths, database queries, and environment details to anyone who triggers an error.

Add Error Monitoring

Cursor, Claude
Set up error monitoring and alerting: integrate Sentry (or similar) for automatic error capture on both client and server, add custom context (user ID, route, request ID) to error reports, configure alerts for error rate spikes, add performance monitoring for slow transactions. Exclude expected errors like 404s from alerts.

Why this matters: Without monitoring, you only learn about bugs when users complain — and most users just leave silently.

Basic CI Pipeline

Cursor, Claude
Create a GitHub Actions CI pipeline that runs on every pull request: install dependencies, run TypeScript type checking, run linting, run tests if they exist, build the application, and block merge if any step fails. Add a badge to the README showing build status.

Why this matters: A basic CI pipeline catches broken code before it reaches production. 10 minutes of setup saves hours of debugging.

Monetization

3 prompts

Payments, subscriptions, and going from free to revenue

Add Stripe Payments

Cursor, Claude
Integrate Stripe for payment processing. Create: a pricing page with monthly and annual plans, a checkout flow using Stripe Checkout (hosted), webhook handlers for checkout.session.completed and customer.subscription.updated events, a customer portal link for subscription management, and database fields to track subscription status. Use Stripe's test mode keys for development. Never log or expose Stripe secret keys.

Why this matters: Stripe Checkout handles the entire payment UI, PCI compliance, and global payment methods. Don't build a payment form yourself.

Add Feature Gating / Paywall

Cursor, Claude
Implement feature gating based on subscription tier. Create a helper function canAccess(user, feature) that checks the user's current plan against a feature matrix. Gate premium features in both the API (return 403 for unauthorized access) and the UI (show upgrade prompts instead of locked features). Include a free tier with basic functionality.

Why this matters: The freemium model converts 2-5% of free users. Gate enough value to incentivize upgrades but keep the free tier genuinely useful.

Usage-Based Billing

Cursor, Claude
Implement usage-based billing: track API calls or resource consumption per user in the database, set tier-based limits (free: 100/month, pro: 10000/month), show a usage dashboard with current consumption and limit, send warning emails at 80% and 100% usage, return 429 with upgrade prompt when limits are exceeded, report usage to Stripe for metered billing.

Why this matters: Usage-based pricing aligns cost with value delivered. Users pay for what they use, reducing churn from overpriced flat plans.

Pre-Launch

4 prompts

Validation, landing pages, and launch preparation

High-Converting Landing Page

Cursor, Lovable, Bolt, Claude
Create a landing page with these sections in order: hero with a clear headline stating the benefit (not the feature), a subheadline explaining who it's for, a primary CTA button, social proof (user count, testimonials, logos), a features grid showing 3-4 key benefits with icons, an FAQ section addressing objections, and a final CTA. Use a single-column layout, generous whitespace, and ensure it loads in under 2 seconds.

Why this matters: Your landing page has 3 seconds to communicate value. This structure follows the proven AIDA framework used by the highest-converting SaaS pages.

Waitlist with Email Collection

Cursor, Lovable, Bolt, Claude
Build a waitlist landing page: single email input with a submit button, store emails in the database with a timestamp, show a confirmation message with the user's position in the queue, send a welcome email using Resend or similar, add a referral mechanism where sharing a unique link moves you up the queue. Add a simple admin view to see total signups.

Why this matters: Validate demand before building. If you can't get 100 email signups, building the product is premature.

Add Analytics Without the Bloat

Cursor, Claude
Add privacy-friendly analytics: implement Plausible, Umami, or a custom lightweight solution that tracks page views, unique visitors, referral sources, and top pages without cookies. Add custom event tracking for key actions (signups, upgrades, feature usage). Create a simple admin dashboard showing trends. Do not use Google Analytics.

Why this matters: You need data to make decisions, but heavy analytics scripts slow your site and create GDPR headaches. Lightweight alternatives give the same insights.

Pre-Launch Audit

Cursor, Claude, ChatGPT
Run a complete pre-launch audit: check all pages render without errors, verify all forms submit correctly, test all API endpoints with invalid input, check mobile responsiveness on 375px and 768px widths, verify meta tags and OG images on every page, test with JavaScript disabled, check all links for 404s, verify favicon and apple-touch-icon, test the signup and login flow end-to-end, and scan security headers. Create a report with pass/fail for each check.

Why this matters: Launch day bugs destroy first impressions. This 30-minute audit catches the issues that make users leave and never come back.

See how your app scores

Submit your app and we’ll scan your security headers automatically. Then use these prompts to fix what’s missing.