30 Security Tips Every Vibe Coder Needs to Know

I’ll be honest with you - I’ve made SO many security mistakes while vibe coding. Like, embarrassing ones. The kind where you accidentally push your API keys to GitHub and get a scary email from AWS at 2am. 😅

The thing is, vibe coding with tools like Claude, Copilot CLI and Bolt is incredibly fast. You can go from idea to working app in minutes. But here’s what nobody tells you when you’re starting out: speed without security is just asking for trouble.

So I put together everything I’ve learned into 30 tips that will save you from the mistakes I made. Whether you’re just starting your vibe coding journey or you’re already shipping real apps to real users, these tips are for you.

Let’s get into it!

Vibe Security Audit - Agent-Agnostic Security Skill for AI Coding

📚 Resources

🤖 I also made an Agent skill that you can add to your repos: ladydev.me/security-skill

🔐 A hacker created this Agent security skill you can use: github.com/BehiSecc/VibeSec-Skill

Part 1: The Foundations

These are the basics. Each one takes about 2 minutes to implement, and together they’ll protect you from the most common attacks. Start here.

1. Keep Your Secrets Out of Chat

When you paste API keys, passwords, or database URLs into ChatGPT or Claude, you’re potentially exposing them. AI models learn from data, and once a secret is in a chat, you’ve lost control of it.

Pro Tip: Use placeholders like YOUR_API_KEY in your prompts. Or better yet, ask the AI to write code that pulls secrets from environment variables from the start.

2. Watch Out for “Ghost” Packages

This one is wild - AI sometimes invents libraries that don’t exist! And hackers have caught on. They create malware packages with these made-up names, hoping you’ll install them without checking.

Pro Tip: Always verify packages exist before installing. Ask the AI for the npm or PyPI link, and check the download counts. If it’s suspiciously low, don’t use it.

3. Don’t Roll Your Own Auth

I know it’s tempting to let AI generate a custom login system for you. But authentication is where 90% of data breaches start, and AI-generated auth code usually has security holes you won’t see.

Pro Tip: Use established providers like Clerk, Supabase Auth, NextAuth, or Firebase. Tell the AI “Implement authentication using Clerk” instead of “Write a login page.”

4. Let AI Review Its Own Work

Here’s a trick I use all the time: after the code is working, I ask AI to audit it for security issues. The prompt I use is: “Act as a Senior Security Engineer. Audit this code for vulnerabilities like SQL injection or XSS and rewrite it to be secure.”

You don’t need to spot every vulnerability yourself - that’s what the AI is for!

5. Sanitize Everything

AI loves to take user input and put it directly into the database. This is literally how hackers delete your data (SQL injection is real, folks).

Pro Tip: Explicitly ask: “Ensure all database queries use parameterized queries to prevent SQL injection.” One unsanitized input can compromise your entire database.

6. Get Your .gitignore Right

Vibe coders move fast, and that means we sometimes accidentally push .env files with secrets to GitHub. Bots scan for exposed keys 24/7 - I’m not exaggerating.

Pro Tip: Before your first commit, ask the AI to generate a comprehensive .gitignore for your project type. Include all environment files and system logs.

7. Use Current Packages

AI training data has a cutoff date, which means it might suggest old library versions with known security holes. Attackers already know how to exploit these.

Pro Tip: Run npm audit after installing packages, or ask AI if there are newer, more secure versions you should use instead.

8. Add Rate Limiting Early

If you build a contact form or API endpoint without rate limiting, bots WILL find it. It’s not a question of if, it’s when. They’ll spam you with thousands of requests and rack up your API costs.

Pro Tip: Ask the AI to add rate limiting to every public endpoint from day one. Your wallet will thank you.

9. Ask AI to Hack You

This is one of my favorite tricks! Paste your code and ask: “If you were a hacker, how would you break this specific function? Tell me the exploit and the fix.”

AI knows attack patterns. Use that knowledge defensively.

10. Enable Row Level Security (RLS)

By default, most databases let anyone see everything. AI often skips RLS setup entirely, which is literally how data leaks happen.

Pro Tip: If you’re using Supabase, enable RLS on all tables from day one. Tell AI to set up policies so users can only see their own data. Then double-check it actually happened!

Part 2: Common Mistakes

You’ve got the foundations down. Now let’s tackle the intermediate issues that trip up even experienced developers.

11. Lock Down CORS

AI often sets CORS to * (allow all domains), which means anyone can call your API from any website. That’s bad.

Pro Tip: Tell the AI to configure CORS to only allow requests from your production domain.

12. Validate Redirects

If your login page uses ?redirect=/dashboard, attackers can change it to ?redirect=evil.com/phishing. Open redirects are the #1 way users get phished after logging in.

Pro Tip: Validate all redirect URLs against an allowlist before redirecting.

13. Secure Your Storage Buckets

When you vibe code file uploads, AI often makes the entire bucket public by default. One misconfigured bucket = all user files exposed to Google search. Yikes.

Pro Tip: Set storage policies so users can only access files they uploaded.

14. Clean Up Debug Statements

AI loves adding console.log(userData) to help you debug. That data shows up in production browser consoles where anyone with DevTools can see it.

Pro Tip: Before deploying, ask AI to remove all console.log statements and replace them with proper error logging.

15. Verify Your Webhooks

If you accept Stripe webhooks, anyone can POST fake data to that endpoint. Unverified webhooks = fake “payment succeeded” messages.

Pro Tip: Always verify webhook signatures using the provider’s SDK before processing any data.

16. Check Permissions Server-Side

Hiding a “Delete All” button in the UI doesn’t stop anyone from calling the API directly with curl. UI security is not security.

Pro Tip: Every protected route needs server-side permission checks before executing.

17. Keep Dependencies Updated

AI might scaffold with packages from years ago. Old versions = known exploits that attackers have automated tools for.

Pro Tip: Run npm audit fix after building and periodically check for updates.

18. Rate Limit Password Resets

Attackers love spamming the “forgot password” endpoint to flood inboxes or brute-force tokens.

Pro Tip: Limit to 3 password reset requests per email per hour.

19. Hide Your Error Details

When something breaks, AI often returns the full stack trace to users. This tells hackers your file structure and tech stack.

Pro Tip: Return generic error messages to users. Log the detailed errors server-side only.

20. Set Session Expiration

Default AI auth often keeps users logged in forever. One stolen cookie = permanent access to their account.

Pro Tip: Set JWT expiration to 7 days and implement refresh token rotation.

Part 3: Production Nightmares

Parts 1 and 2 keep you safe. Part 3 keeps you in business. These are the issues that come up when you have real users and real money on the line.

21. Protect All Your APIs

Your web app might be locked down, but what about your mobile API? If it has no rate limiting, attackers will find it and use it instead. They always attack the weakest entry point.

Pro Tip: Apply the same auth, rate limits, and validation to ALL endpoints.

22. Cap Your AI Costs

AI doesn’t set spending limits. One attacker hitting your OpenAI endpoint can rack up a $10K bill overnight. I’ve seen it happen.

Pro Tip: Set usage limits in your OpenAI dashboard AND rate limit the endpoint. Max 50 requests per user per day is a good starting point.

23. Use Proper Email Infrastructure

If your app sends spam (or gets hijacked to send spam), your domain gets blacklisted. That means no password resets, no notifications - your product is dead.

Pro Tip: Use a verified sending service like Resend or SendGrid with SPF/DKIM records configured.

24. Build Account Deletion

AI rarely includes proper account deletion. GDPR violations can result in fines up to 4% of global revenue - and one user complaint triggers an investigation.

Pro Tip: Create an endpoint that removes all user data from your database AND storage.

25. Automate Backups

AI doesn’t think about disasters. No backups = one bad migration deletes everything. Forever.

Pro Tip: If you’re on Supabase, enable Point-in-Time Recovery in your database settings. Whatever platform you use, automate this.

26. Rotate Your Secrets

Your API keys are probably in old commits, Slack messages, and screenshots. That key from your tutorial video? It might still work.

Pro Tip: Rotate all API keys every 90 days. Use GitHub’s secret scanning to find leaked keys.

27. Get DDoS Protection

Someone hits your site with 100K requests per second, your hosting bill spikes, and your site goes down. DDoS attacks are cheap and automated.

Pro Tip: Use Cloudflare’s free tier or Vercel’s Edge Config for rate limiting at the CDN level.

28. Limit Upload Sizes

AI doesn’t validate file sizes. Someone will upload a 500MB video to your “profile pic” field and your storage costs will spiral.

Pro Tip: Set max file size to 5MB for images and validate file types server-side.

29. Log Critical Actions

When something goes wrong (fraud, bugs, hacks), you need a record of who did what. No logs = no forensics.

Pro Tip: Create an audit_log table. Log every user deletion, role change, payment, and data export.

30. Separate Test and Production

Testing Stripe payments in production means test webhooks hitting real data. Test charges hitting real credit cards. It’s a nightmare.

Pro Tip: Use Stripe test mode keys and a completely separate database for staging.

Wrapping Up

Here’s the thing - security isn’t about being paranoid. It’s about respecting your users’ data and protecting the thing you’re building. Every tip here takes just a few minutes to implement, but together they’ll save you from the 3am panic attacks I’ve experienced.

Vibe coding is powerful. It lets us build things faster than ever before. But with that speed comes responsibility. Build fast, yes - but build smart and build securely.

If this guide helped you, share it with a fellow vibe coder. We all deserve to build apps that are safe for our users.

Which of these tips surprised you the most? I’d love to hear about your security wins (or horror stories 😅) - find me on socials and let’s chat!

Happy (and secure) coding!

Kedasha 🔐