The Vibe Coding Security Checklist

Every item below exists because someone actually got burned. Our Security Brain distills real incidents, advisories and research into checks; the list grows every week. Currently 29 checks, version 1.

Get every update of this checklist in your inbox (free, weekly):

The Vibe Coding Security Checklist

Auto-generated from 10 real incidents and advisories tracked by the VibeSec Security Brain. Updated 2026-07-04.

Ship fast. Don't get hacked.

Authentication

  • Implement authentication for all API endpoints, not just UI routes.
  • Regularly review and audit generated code for security vulnerabilities.
  • Utilize security testing tools to identify unauthenticated endpoints.
  • Implement strict validation for incoming headers in middleware.
  • Regularly review and test middleware for potential auth bypass vulnerabilities.
  • Ensure comprehensive unit and integration tests covering various header manipulations.
  • Explicitly configure the session strategy in the credentials provider.
  • Regularly audit authentication settings for correct configurations.
  • Ensure that testing includes verification of session token handling.
  • Implement rigorous code review practices focusing on security

Secrets Management

  • Implement secrets management tools to store and access sensitive data securely.
  • Educate developers on reviewing LLM-generated code for secrets exposure.
  • Integrate security-focused code reviews in the development process.
  • Implement a secrets management solution to store sensitive information securely.
  • Use dynamic configuration to retrieve secrets at runtime instead of hardcoding them.
  • Regularly scan codebases for hardcoded secrets using automated tools.
  • Ensure Firebase configurations are not hardcoded into public repositories or templates.
  • Implement strict access rules and permissions on Firebase databases.
  • Regularly audit and check configurations generated from templates for security best practices.
  • Implement a secrets management tool to securely store and retrieve secrets.

Supply Chain

  • Require user confirmation before running scripts from new repositories.
  • Implement security prompts to warn users about potentially malicious configurations.
  • Establish a predefined list of trusted repositories and restrict execution to those sources.

Authorization

  • Implement strict server-side authorization checks for API endpoints.
  • Use unique identifiers that are not easily guessable for project IDs.
  • Conduct regular security audits to identify and fix potential IDOR vulnerabilities.

Ai Agent Security

  • Implement strict input validation on prompts before processing.
  • Use contextual awareness to limit command execution capability based on user roles.
  • Regularly audit and test for potential injection vectors in AI interactions.