Vibecoding
Build for the vibe, debug later
Start new thread
Peter Claridge

Securing your vibe-coded app - recommendations?

by
StreamAlive - Interactive PPT slides

What's the process to secure a vibe-coded app to make sure you haven't done anything silly like left your API tokens exposed in the browser or accessible via the DevTools console? Or to prevent cross site scripting attacks, or ensure forms only accept sanitized inputs that can't be used to manipulate the database. Or that your user authentication is safe and secure and no one is going to be able to login to someone else's account.

Do you hire an actual programmer or are there tools that can do it and get you to a pretty good state?

21 views

Add a comment

Replies

Best
Marcelo Arias

Good question!

Previously, my top security concern was primarily user data. But now that (we have vibecoding) we can work on multiple tasks simultaneously when deploying software, my approach is to run OWASP tests using the most intelligent model available for the website, and to do so regularly due to all the changes a website undergoes.

Some of the things OWASP reviews include:

  • Reviewing code for security vulnerabilities

  • Authentication or authorization: Like if a a user can impersonate you to access sensitive data

  • Handling user input or external data

  • Working with cryptography or password storage: Although in this case, I haven't stored passwords for many years, I always use third-party sign-in like with Google or Apple

Peter Claridge

@marcelo_earth Thanks for the advice! I researched OWASP some more as I hadn't heard of it before. I then generated the prompt below which I gave to Claude, which found a few issues like missing content-security-policy, strict-transport-security, x-frame-options, x-content-type-options, and referrer-policy.

You are acting as a senior web application security tester.

Your task is to review and test this application for vulnerabilities based on the OWASP Top 10 and common security mistakes found in AI-assisted or rapidly developed applications.

Your goals are to:
1. Identify real security vulnerabilities
2. Avoid false positives where possible
3. Explain risk clearly
4. Suggest practical fixes
5. Prioritize critical issues first

Focus especially on:

- Broken access control
- Authentication flaws
- Missing authorization checks
- IDOR vulnerabilities (Insecure Direct Object References)
- SQL injection
- XSS (stored, reflected, DOM)
- CSRF
- File upload vulnerabilities
- Exposed admin endpoints
- Sensitive data exposure
- Missing security headers
- Session/cookie weaknesses
- Hardcoded secrets/API keys
- Unsafe server actions/API routes
- Insecure direct database access
- Rate limiting issues
- SSRF
- Command injection
- Path traversal
- Open redirects
- Dependency vulnerabilities
- Misconfigured CORS
- Excessive error leakage
- Publicly exposed storage buckets/files

Instructions:

1. First map the application:
   - Routes
   - API endpoints
   - Authentication flows
   - User roles
   - Admin areas
   - File upload functionality
   - External integrations
   - Database interactions

2. Then test each area systematically.

3. Assume the frontend cannot be trusted.
   Verify all authorization server-side.

4. For every authenticated request:
   - Attempt horizontal privilege escalation
   - Attempt vertical privilege escalation
   - Change IDs/UUIDs/user IDs/account IDs
   - Test direct API access without UI restrictions

5. Treat all user input as hostile:
   - Forms
   - Query params
   - Headers
   - JSON payloads
   - Uploads
   - Rich text editors
   - Search fields

6. Look for:
   - Dangerous use of eval
   - Unsanitized HTML rendering
   - Unsafe SQL queries
   - Missing ownership checks
   - Missing middleware
   - Trusting client-side role checks
   - Exposed environment variables
   - Weak JWT validation
   - Missing CSRF protections
   - Unsafe redirects

7. Review dependencies and package configuration for known vulnerabilities.

8. Identify security headers that are missing:
   - CSP
   - HSTS
   - X-Frame-Options
   - X-Content-Type-Options
   - Referrer-Policy

9. For every issue found provide:
   - Severity
   - Description
   - Exact reproduction steps
   - Affected files/routes/components
   - Likelihood of exploitation
   - Recommended fix
   - Example secure implementation
   - How to retest after fixing

10. Distinguish clearly between:
   - Confirmed vulnerabilities
   - Suspicious patterns
   - Best practice improvements

11. Do not stop after finding one issue.
Continue until all major attack surfaces have been reviewed.

12. Be skeptical.
AI-generated applications often contain:
   - incomplete auth checks
   - hidden but unprotected admin APIs
   - insecure defaults
   - copied code patterns
   - inconsistent validation
   - missing backend protections

At the end:
- Produce a prioritized remediation list
- Highlight the top 5 most dangerous findings
- Identify any areas that could not be fully tested
- Estimate overall security maturity of the app

You are allowed to use terminal commands and security tools installed on the machine.

Run security tooling where appropriate, including:

- semgrep
- gitleaks
- npm audit
- pnpm audit
- yarn audit
- composer audit
- pip-audit
- safety
- bandit
- cargo audit
- trivy
- nuclei
- OWASP ZAP

When running tools:
1. Explain what you are running
2. Explain why you are running it
3. Summarize findings clearly
4. Avoid overwhelming output
5. Prioritize confirmed vulnerabilities
6. Distinguish low-risk informational warnings from real security issues

You may:
- inspect source code
- inspect environment configuration
- review package manifests
- analyze API routes
- test local endpoints
- run passive scans
- fuzz non-destructive inputs

Do NOT:
- perform destructive actions
- delete data
- modify production systems
- DOS/flood endpoints
- exfiltrate secrets externally

Assume the application is running locally in a development environment, or ask me to follow your instructions if it is not.
Juniper Vale

exposed api keys are the ultimate vibe killer lol, a dedicated ai security scanner for mvps would save so much anxiety