Anyone actually checked their vibe-coded app for security holes, or just hoping for the best?
Been thinking about this after seeing a few posts here about vibe-coded apps breaking in production. Auth bugs, webhook failures, that kind of thing.
What worries me more is the stuff that doesn't break loudly. No error, no crash, it just quietly leaks data or accepts requests it shouldn't. Things like exposed API keys sitting in the frontend bundle, missing rate limits, or database rules that let any logged in user read rows that aren't theirs. None of that throws an error. It just sits there until someone finds it.
For the non-engineers building real products with this stuff, what does your actual security check look like before you launch. Are you running anything to scan for this, paying someone to review it once, asking the AI itself to audit its own code, or just shipping and hoping nothing bad happens.
Curious if there is an actual workflow people are settled on, or if this is still the part everyone quietly skips.
Replies
for me , hoping isn't a security strategy. I'd run at least a basic security review before trusting any vibe-coded app with real users or data.
@yusuf_abdulaziz generated code is secure. For me, security checks are part of building, not an afterthought.
@yusuf_abdulaziz @isabella_wandrei Found that vibe coding speeds up development, but I never assume the output is safe. I still review the code, test endpoints, and look for obvious security gaps before moving forward.
Honestly, I'd love to see a "pre- launch security checklist" become as common as a deployment checklist. It feels like we're missing that standard .
@alan_gregory Yeah exactly, deployment checklists are just accepted at this point, nobody skips them. Security never got that same status for solo builders, it's always optional until it isn't.
Even a short list would help. Check for exposed keys in the bundle, make sure row access is actually locked to the right user, make sure nothing's missing a rate limit. Doesn't take a security background, just takes someone telling you to check before shipping instead of after.
The scary bugs aren't the ones that crash your app they're the ones that quietly work exactly as an attacker hopes. 😅
@craig_bennett1 Can't agree more. A crash is annoying but at least it's honest, it tells on itself immediately. The stuff that just works quietly in someone else's favor can sit there for months with nobody noticing, and by the time it does show up it's not a bug report, it's a breach.