Vibe Coding Security Checklist
27 actionable steps to secure your AI-built app. Works for Lovable, Bolt, Cursor, Replit, Windsurf, and any vibe-coded project.
API Keys & Secrets
- No hardcoded API keys in client-side code
- Supabase service-role key is server-side only
- Environment variables are not leaked in the build
- Third-party API keys use restricted permissions
- .env files are in .gitignore
Database Security & RLS
- Row Level Security is enabled on every table
- RLS policies follow least-privilege principle
- No tables use public access without RLS
- Foreign key references don't expose auth.users
- Database functions use SECURITY DEFINER carefully
Authentication & Authorization
- Email confirmation is required before login
- User roles are stored in a separate table
- Admin checks use server-side validation
- Protected routes redirect unauthenticated users
- Session tokens expire and refresh correctly
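The RLS items in the Database section and the role and admin-check items above fit together in one Supabase (Postgres) layout; the following is an added example, not the checklist author's code, and the table, column, type and function names (profiles, user_roles, app_role, has_role) are assumptions made for illustration.

```sql
-- Added example, not the checklist author's code; names are assumed.
-- Roles live in their own table, never in a user-editable profile column.
create type public.app_role as enum ('admin', 'user');

create table public.user_roles (
  user_id uuid not null references auth.users(id) on delete cascade,
  role    public.app_role not null,
  primary key (user_id, role)
);

create table public.profiles (
  id           uuid primary key references auth.users(id) on delete cascade,
  display_name text
);

-- RLS on every table, including the roles table itself.
alter table public.user_roles enable row level security;
alter table public.profiles   enable row level security;

-- SECURITY DEFINER lets the check read user_roles even if the caller cannot;
-- a pinned search_path and revoking PUBLIC keep that privilege contained.
create or replace function public.has_role(_role public.app_role)
returns boolean language sql stable security definer set search_path = ''
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = auth.uid() and role = _role
  );
$$;
revoke execute on function public.has_role(public.app_role) from public;
grant  execute on function public.has_role(public.app_role) to authenticated;

-- Least privilege: users see and edit only their own row; admins read all.
create policy "profiles: owner select" on public.profiles
  for select to authenticated using (id = auth.uid());
create policy "profiles: owner update" on public.profiles
  for update to authenticated using (id = auth.uid()) with check (id = auth.uid());
create policy "profiles: admin select" on public.profiles
  for select to authenticated using (public.has_role('admin'));

-- No insert/update policy on user_roles: clients cannot grant themselves a
-- role; only server-side code holding the service-role key can write it.
create policy "user_roles: read own" on public.user_roles
  for select to authenticated using (user_id = auth.uid());
```

Because the service-role key bypasses RLS entirely, these policies only hold if that key stays server-side as the first section requires.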
XSS & Injection Prevention
- No use of dangerouslySetInnerHTML with user input
- URL parameters are validated and sanitized
- No eval(), Function(), or innerHTML with dynamic data
- User-generated content is escaped in all contexts
Security Headers & CSRF
- Content-Security-Policy header is configured
- X-Frame-Options prevents clickjacking
- Strict-Transport-Security forces HTTPS
- CORS is configured with specific origins
Performance & Architecture
- JavaScript bundle is code-split and lazy-loaded
- Images are optimized and use modern formats
- No redundant API calls on page load
- No sensitive logic runs on the client