VCVibeCodedCommunity-Driven AI Builder OS
Menu
Start creating
Secure vibe coding

The tool drafts. You stay accountable.

Security research through 2026 keeps finding the same thing: a large share of AI-generated code — by several studies, well over half — ships with at least one real vulnerability. That isn’t a reason to stop building with AI. It’s a reason to read what it wrote. Speed is the gift; review is the rent. Run this checklist before anything you build reaches a real user.

Build accountably Legal basics
Why this matters. AI writes plausible-looking code fast, but it doesn’t carry the consequences — you do. The vulnerabilities researchers find most often aren’t exotic: leaked secrets, missing access checks, and untrusted input. The good news is they’re also the easiest to catch once you know to look.

Six checks before you ship

Operationalise “the tool drafts, you stay accountable” — six places to look every single time, in plain English.

Never commit secrets

API keys, database passwords, and .env files must never land in your repo or git history — once pushed, treat them as leaked forever. Keep secrets in environment variables, add .env to .gitignore, and use your host's secret manager. If a key ever leaks, rotate it immediately, because a leaked payment or database key can quietly drain real money.

Verify auth and access control

Broken access control is the single most common cause of real breaches — one user reaching another user's data because nothing checks who is asking. AI often scaffolds the login screen but skips the server-side check on every protected route and record. Confirm that each request proves who the user is, and that they're only allowed to touch their own data.

Validate every input

Treat anything from a user — forms, URLs, file uploads, API calls — as untrusted until you've checked it. Validate type, length, and format on the server, and use parameterised queries so input can never be run as code. This is how you shut the door on SQL injection, broken file uploads, and a dozen other classic bugs.

Never trust the client for money

Anything in the browser can be edited by the user, so a price or an “isPaid” flag from the front end is a suggestion, not a fact. Calculate amounts on the server, verify every payment with the provider's webhook or API before you grant access, and never let a client-side check be the only thing standing between someone and your product.

Turn on row-level security

If you use Supabase, Postgres, or a similar database, enable row-level security so the database itself enforces who can read or write each row. Without it, one API mistake can expose every user's records at once. Set policies, then test them by signing in as a normal user and trying to reach data that isn't yours.

Check your dependencies

AI loves to pull in packages — some outdated, some abandoned, occasionally some that don't exist or are typo-squats of real ones. Run an audit (npm audit, or your tool's equivalent), keep dependencies current, and remove anything you're not actually using. Every package you add is code you're now responsible for.

Before you ship

Run down this list every release.

If you can’t tick all six honestly, you’re not ready to ship to real users yet. None of these takes long once it’s a habit.

  • No secrets, keys, or .env files anywhere in Git or its history.
  • Every protected route and record checks who the user is on the server.
  • All user input is validated server-side and queries are parameterised.
  • Prices and access are verified on the server, never trusted from the browser.
  • Row-level security is on, with policies tested as a normal signed-in user.
  • Dependencies are audited, current, and trimmed to what you actually use.
The accountable-builder rule: never ship code you haven’t read, and never let “the AI wrote it” be your answer when something breaks. You shaped it, you reviewed it, you own it — and that’s exactly why people can trust what you build.
Now cover the legal basics See how we prove our own work