Vibe Coding Security Checklist
A comprehensive security checklist for reviewing AI-generated code before deploying to production.
Why AI Code Needs Security Review
AI models are trained on public code, which includes millions of insecure examples, and they reproduce those patterns. Studies show AI-generated code contains security vulnerabilities at rates 30-40% higher than human-written code, primarily in authentication, input validation, and cryptographic implementation.
Authentication and Authorization
- ☐ Passwords hashed with bcrypt/scrypt/argon2 (NOT md5/sha256)
- ☐ JWT secrets stored in environment variables, not hardcoded
- ☐ Token expiration set (typically 15 minutes for access tokens, 7 days for refresh tokens)
- ☐ Authorization checks on every protected endpoint
- ☐ Role-based access control implemented server-side
- ☐ Session invalidation on password change
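Worked example for the items above (added here; it is not part of the original checklist and not any project's code). It uses only the Python standard library: scrypt password hashing with a per-user salt, a constant-time verify, an HS256 JWT issued with a mandatory `exp`, a verifier that pins the algorithm and rejects tokens issued before the user's last password change, and a loader that refuses to run without `JWT_SECRET` in the environment. The `JWT_SECRET` variable name, the scrypt work factor and the `revoked_before` parameter are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# --- Password storage: scrypt (hashlib.scrypt is standard library) with a random per-user salt ---
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed work factor; raise n as hardware allows


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<digest>' so the salt travels with the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# --- Tokens: HS256 JWT with mandatory expiry; the secret comes from the environment ---
def load_jwt_secret() -> bytes:
    value = os.environ.get("JWT_SECRET")  # assumed variable name; never a literal in source
    if not value or len(value) < 32:
        raise RuntimeError("JWT_SECRET must be set in the environment and be at least 32 characters")
    return value.encode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)  # expiry is never optional
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 revoked_before: int = 0) -> Optional[dict]:
    """Return the claims if the token is valid, else None.

    revoked_before: timestamp of the user's last password change (store it per user);
    tokens issued before it are rejected, which implements session invalidation.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm: no 'none', no RS/HS confusion
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # verify before trusting any claim
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    if claims.get("iat", 0) < revoked_before:
        return None
    return claims
```

In a real service `load_jwt_secret()` is called once at startup so a missing secret fails deployment rather than silently falling back to a default; the `now` parameters exist so expiry and revocation can be tested deterministically.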
Input Validation
- ☐ All user inputs validated and sanitized server-side
- ☐ SQL queries use parameterized statements (NOT string interpolation)
- ☐ HTML output escaped to prevent XSS
- ☐ File uploads validated for type, size, and content
- ☐ URL parameters validated against expected formats
- ☐ JSON request bodies validated against schemas
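Worked example for the input validation items (added here; not part of the original checklist or any project's code). It shows the interpolated query a reviewer should reject next to its parameterized replacement, an allowlist regex for a URL parameter, HTML escaping for output, and a small hand-rolled JSON body validator that also rejects unexpected fields. The in-memory SQLite table, the `users` schema and `PROFILE_SCHEMA` are constructed for the example.

```python
import html
import json
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, username):
    # The pattern to reject in review: user input spliced into the SQL text.
    return conn.execute(
        "SELECT username FROM users WHERE username = '%s'" % username).fetchall()


def find_user(conn, username):
    # Parameterized: the driver passes the value separately, so it can never change the query.
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(value):
    """Allowlist check for a path/query parameter: exact shape, not just 'non-empty'."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def render_comment(text):
    """Escape before embedding in HTML; html.escape also escapes quotes by default."""
    return "<p>" + html.escape(text) + "</p>"


# Minimal JSON body schema: field -> (python type, required?, extra check).
PROFILE_SCHEMA = {
    "username": (str, True, validate_username),
    "age": (int, False, lambda v: 0 <= v <= 150),
}


def validate_body(raw, schema):
    """Parse and validate a request body; returns (object, errors). Unknown fields are errors."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None, ["body is not valid JSON"]
    if not isinstance(body, dict):
        return None, ["body must be a JSON object"]
    errors = []
    for field, (typ, required, check) in schema.items():
        if field not in body:
            if required:
                errors.append(field + ": missing")
            continue
        value = body[field]
        # type() rather than isinstance(): bool is a subclass of int and must not pass as one.
        if type(value) is not typ or not check(value):
            errors.append(field + ": invalid")
    for extra in sorted(set(body) - set(schema)):
        errors.append(extra + ": unexpected field")  # blocks mass assignment of e.g. "role"
    return (body if not errors else None), errors
```

Rejecting unknown fields is the part AI-generated validators most often omit; without it a client can set fields such as `role` that the handler later copies straight into the model.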
API Security
- ☐ CORS configured to specific origins (NOT wildcard *)
- ☐ Rate limiting implemented on all endpoints
- ☐ API keys not exposed in client-side code
- ☐ HTTPS enforced (HTTP redirects to HTTPS)
- ☐ Security headers set (CSP, HSTS, X-Frame-Options)
- ☐ Error messages don't leak internal details
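Worked example for the API security items (added here; not part of the original checklist or any project's code). A framework-agnostic request pipeline enforces the HTTPS redirect, echoes the CORS origin only from an allowlist, adds the security headers, applies a sliding-window rate limit per client, and turns unhandled exceptions into a generic 500 while logging the detail server-side. The request is a plain dict, and `ALLOWED_ORIGINS`, `app.example.com` and the header values are constructed assumptions.

```python
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("api")

# Constructed allowlist; an origin not in this set gets no CORS headers at all.
ALLOWED_ORIGINS = {"https://app.example.com"}

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def cors_headers(origin):
    """Echo the origin only when it is on the allowlist; never emit '*'."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_request(request, handler, limiter):
    """request: dict with scheme, host, path, client and optional origin. Returns (status, headers, body)."""
    if request["scheme"] != "https":
        return 301, {"Location": "https://" + request["host"] + request["path"]}, ""
    headers = dict(SECURITY_HEADERS)
    headers.update(cors_headers(request.get("origin")))
    if not limiter.allow(request["client"]):
        headers["Retry-After"] = str(limiter.window)
        return 429, headers, "rate limit exceeded"
    try:
        body = handler(request)
    except Exception:
        # Full traceback goes to the server log; the client sees only a generic message.
        log.exception("unhandled error serving %s", request["path"])
        return 500, headers, "internal error"
    return 200, headers, body


# Constructed handlers used to exercise the pipeline.
def echo_handler(request):
    return "pong"


def failing_handler(request):
    raise KeyError("connection string for db-primary")  # detail that must not reach the client
```

The limiter key should be whatever identifies the caller in your deployment (API key, authenticated user id, or client IP behind a trusted proxy); keying on a header the client controls makes the limit trivial to bypass.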
Data Protection
- ☐ Sensitive data encrypted at rest and in transit
- ☐ PII handled according to GDPR/CCPA requirements
- ☐ Secrets never committed to version control
- ☐ Logging excludes sensitive data (passwords, tokens, PII)
- ☐ Database connections use least-privilege accounts
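Worked example for the logging and secrets items (added here; not part of the original checklist or any project's code). A `logging.Filter` scrubs sensitive keys and bearer tokens out of every record before it is formatted, and a small pattern scanner flags likely secrets in a diff so it can run as a pre-commit check. The key list, the patterns and the sample diff are constructed; the scanner catches common shapes, not every secret.

```python
import logging
import re

# Keys whose values must never reach a log line (constructed list; extend for your domain).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "ssn", "email", "card_number"}
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*")


def redact(value):
    """Recursively mask sensitive fields in dicts/lists and bearer tokens in strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer [REDACTED]", value)
    return value


class RedactingFilter(logging.Filter):
    """Attach to a handler or logger so every record is scrubbed before it is formatted."""

    def filter(self, record):
        record.msg = redact(record.msg)
        if record.args:
            record.args = redact(record.args)
        return True


def scrub_record(msg, args):
    """Build a record the way the logging module would, run the filter, return the final text."""
    record = logging.makeLogRecord({"msg": msg, "args": args})
    RedactingFilter().filter(record)
    return record.getMessage()


# Patterns that indicate a committed secret; run scan_for_secrets over a diff before committing.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_for_secrets(text):
    """Return (line_number, pattern_name) for every line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed diff fragment, not from any real repository.
SAMPLE_DIFF = """\
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
+-----BEGIN RSA PRIVATE KEY-----
+timeout = 30
"""
```

Install the filter on the root logger once at startup (`logging.getLogger().addFilter(RedactingFilter())` applies to records created by that logger; adding it to each handler covers records from child loggers too). The scanner is a safety net, not a substitute for keeping secrets in the environment or a secrets manager.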