Pre-Launch Security Checklist

15 essential checks AI coding tools miss - with copy-paste fix prompts

Quick Answer

Before launching your vibe coded app, check 5 areas: authentication (login, passwords, sessions), authorization (who can access what), data protection (no hardcoded secrets), input/output (SQL injection, XSS), and infrastructure (CORS, rate limiting). Based on OWASP ASVS essentials.

Why this checklist?

AI coding tools generate working code, not secure code. The OWASP ASVS has 300+ requirements - this checklist covers the critical 15 items that Cursor, Bolt, and Claude Code commonly miss.

Authentication

Login, passwords, and sessions

1. Protected endpoints require authentication (Critical)

AI Pattern: AI creates functional routes without auth middleware

Quick Check: All /api/* routes that need protection have auth middleware

2. Passwords are hashed with bcrypt or Argon2 (Critical)

AI Pattern: AI sometimes uses weak hashing or stores plain text

Quick Check: No plain text passwords, no MD5/SHA1 for passwords

3. Sessions use httpOnly, secure cookies (High)

AI Pattern: AI often uses localStorage or insecure cookies

Quick Check: Session cookies have httpOnly and secure flags

4. Rate limiting on login endpoints (High)

AI Pattern: AI never adds rate limiting unless explicitly asked

Quick Check: Login and registration endpoints have rate limiting

Authorization

Access control and ownership

5. Users can only access their own data (Critical)

AI Pattern: AI checks if logged in, but not if authorized for THIS resource

Quick Check: Changing IDs in URLs doesn't expose other users' data

6. Admin routes are protected with role checks (Critical)

AI Pattern: AI creates admin features without role verification

Quick Check: Admin-only functionality requires admin role check

7. Database queries include ownership checks (High)

AI Pattern: AI fetches by ID without verifying ownership

Quick Check: RLS enabled (Supabase) or WHERE user_id added (SQL/Prisma)
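Items 5 to 7 side by side, as an added example rather than code from this page: a fetch-by-id that is scoped only by id (the pattern item 5 warns about) next to the fixed query that puts ownership into the WHERE clause, plus a role wrapper for admin-only functionality. The documents and users tables are constructed in memory, and findFirst imitates Prisma's findFirst so the query shape matches what the checklist asks for.

```javascript
// Constructed in-memory tables standing in for a documents table and a users table.
const documents = [
  { id: 1, ownerId: 'alice', title: 'Alice private notes' },
  { id: 2, ownerId: 'bob', title: 'Bob draft' },
];
const users = { alice: { role: 'user' }, bob: { role: 'user' }, root: { role: 'admin' } };

// Prisma-style findFirst: every key in `where` must match the row.
function findFirst(table, where) {
  return table.find((row) => Object.entries(where).every(([k, v]) => row[k] === v)) || null;
}

// VULNERABLE (item 5): the caller is logged in, but the query is scoped only by id,
// so changing the id in the URL returns another user's document.
function getDocumentInsecure(session, id) {
  const doc = findFirst(documents, { id });
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// FIXED (item 7): ownership is part of the query itself, the equivalent of
// `WHERE id = ? AND user_id = ?`. A miss answers 404 rather than 403 so the
// endpoint does not confirm that someone else's id exists.
function getDocument(session, id) {
  const doc = findFirst(documents, { id, ownerId: session.userId });
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Item 6: the role comes from the server-side user record, never from the request.
function requireRole(role, handler) {
  return (session, ...args) => {
    const user = users[session.userId];
    if (!user || user.role !== role) return { status: 403 };
    return handler(session, ...args);
  };
}

// Admin-only listing of every document.
const listAllDocuments = requireRole('admin', () => ({ status: 200, body: documents }));
```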

Data Protection

Secrets and sensitive data

8. No hardcoded secrets in code (Critical)

AI Pattern: AI generates example keys that get committed

Quick Check: API keys, database URLs in environment variables only

9. .env files are gitignored (Critical)

AI Pattern: AI sometimes puts secrets in committed files

Quick Check: .gitignore includes .env, .env.local, .env.*.local

10. Service keys not exposed to client (Critical)

AI Pattern: AI confuses client and server contexts

Quick Check: NEXT_PUBLIC_ not used for secrets, service_role server-only
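A small scanner for items 8 to 10, as an added example and not the scanner the page advertises: it applies the same search patterns the audit prompt below lists (sk-/pk- prefixed keys, literal api_key/secret/password assignments, NEXT_PUBLIC_ names that carry server-only values) to a constructed source file, and checks a .gitignore for the .env variants item 9 names. Pattern choices and the SERVER_ONLY name list are assumptions for the example.

```javascript
// Constructed sample source, standing in for a file the audit would scan.
const SAMPLE_SOURCE = [
  "const stripe = new Stripe('sk-test-CONSTRUCTED00000000000001');",
  'const db = connect(process.env.DATABASE_URL);',
  'const supa = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY);',
  "const mailer = { user: 'ops', password: 'hunter2hunter2' };",
].join('\n');

// Patterns from the audit prompt: prefixed keys and literal credential assignments.
const SECRET_PATTERNS = [
  { name: 'prefixed key', re: /\b[sp]k-[A-Za-z0-9_-]{16,}/ },
  { name: 'literal assignment', re: /\b(api_?key|secret|password)\s*[:=]\s*['"][^'"]{6,}['"]/i },
];

// Name fragments that must never be exposed through NEXT_PUBLIC_, which Next.js
// inlines into the browser bundle (assumed list; extend for your own naming).
const SERVER_ONLY = /(SERVICE_ROLE|SECRET|PRIVATE|DATABASE_URL)/i;

// Returns one finding per offending line: { file, line, issue }.
function scanSource(filename, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const at = { file: filename, line: idx + 1 };
    const pub = /NEXT_PUBLIC_[A-Z0-9_]+/.exec(line);
    if (pub && SERVER_ONLY.test(pub[0])) findings.push({ ...at, issue: `server-only value exposed as ${pub[0]}` });
    if (/process\.env\./.test(line)) return; // reading from the environment is the fix, not a finding
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ ...at, issue: `hardcoded ${name}` });
    }
  });
  return findings;
}

// Item 9: a bare ".env" entry does not cover ".env.local"; ".env*" covers all variants.
function missingGitignoreEntries(gitignoreText) {
  const entries = new Set(gitignoreText.split('\n').map((l) => l.trim()));
  const covered = (p) => entries.has(p) || entries.has('.env*') || (entries.has('.env.*') && p !== '.env');
  return ['.env', '.env.local', '.env.*.local'].filter((p) => !covered(p));
}
```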

Input/Output

Validation, injection, and XSS

11. Database queries use parameterized statements (Critical)

AI Pattern: AI uses template literals because they're readable

Quick Check: No template literals with user input in SQL

12. User input is validated server-side (High)

AI Pattern: AI validates in frontend, forgets backend

Quick Check: Zod, yup, or manual validation in API routes

13. No raw HTML rendering with user content (Critical)

AI Pattern: AI uses innerHTML for flexibility

Quick Check: No dangerouslySetInnerHTML, v-html, or @html with user data
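Items 11 to 13 in one request path, as an added example and not code from this page: a server-side validator written by hand (no Zod dependency, so it runs as-is), the parameterized statement it feeds, and HTML encoding for the one place user content is rendered into markup. The { text, values } statement shape is the one node-postgres accepts; the field names and limits are assumptions for the example.

```javascript
// Item 12: validate on the server, reject unknown fields, report every error at once.
// Hand-written so the example has no dependencies; Zod or yup express the same rules.
function validateRegistration(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!['email', 'displayName'].includes(key)) errors.push(`unexpected field: ${key}`);
  }
  const { email, displayName } = body;
  if (typeof email !== 'string' || email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('email is invalid');
  }
  if (typeof displayName !== 'string' || displayName.trim().length < 1 || displayName.length > 40) {
    errors.push('displayName must be 1-40 characters');
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { email: email.toLowerCase(), displayName: displayName.trim() } };
}

// Item 11: the SQL text never contains user data; values travel separately as bind
// parameters. Prisma's $queryRaw tagged template builds the same thing; $queryRawUnsafe does not.
function insertUserStatement(user) {
  return {
    text: 'INSERT INTO users (email, display_name) VALUES ($1, $2) RETURNING id',
    values: [user.email, user.displayName],
  };
}

// Item 13: user content that must end up in HTML is encoded, never handed to innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfileCard(user) {
  return `<div class="card"><h2>${escapeHtml(user.displayName)}</h2><p>${escapeHtml(user.email)}</p></div>`;
}
```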

Infrastructure

CORS, headers, and rate limiting

14. CORS configured with specific origins (High)

AI Pattern: AI uses wildcard to "fix" CORS errors

Quick Check: Not using origin: '*' with credentials

15. Rate limiting on API endpoints (Medium)

AI Pattern: AI never adds rate limiting to general APIs

Quick Check: Protection against DoS and API abuse
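The two infrastructure controls, as an added example that is not code from this page: an origin allowlist for item 14 that reflects only approved origins and never pairs a wildcard with credentials, and a sliding-window rate limiter that serves both item 4 (login, limited per IP and per account) and item 15 (general API, limited per IP). The allowed origins, limits and window sizes are constructed values for the example.

```javascript
// Constructed allowlist; a real app reads this from configuration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Item 14: reflect the request's Origin only when it is on the allowlist. Browsers
// refuse credentialed responses that use '*', and reflecting every origin with
// credentials would let any site call the API as the logged-in user.
function corsHeaders(requestOrigin, { credentials = true } = {}) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no headers: browser blocks the read
  const headers = { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Items 4 and 15: sliding-window limiter keyed per client. `now` is injectable so
// the behaviour can be tested without waiting for real windows to expire.
class RateLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests inside the window
  }

  // Records the request if allowed. Returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

const loginByIp = new RateLimiter({ limit: 20, windowMs: 15 * 60 * 1000 });
const loginByAccount = new RateLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });
const apiByIp = new RateLimiter({ limit: 100, windowMs: 60 * 1000 });

// Login is limited per source IP and per account, so neither many guesses at one
// account nor a few guesses at many accounts from one client slips through.
function loginAllowed(ip, username) {
  const byIp = loginByIp.check(ip).allowed;
  const byAccount = loginByAccount.check(username.toLowerCase()).allowed;
  return byIp && byAccount;
}

function apiAllowed(ip) { return apiByIp.check(ip).allowed; }
```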

Complete AI security audit prompt

Copy this prompt to run all 15 checks at once in your AI coding tool:

AI Security Fix Prompt
Perform a security audit of my codebase using this checklist:

## 1. Authentication Checks
- Search for all API routes. Verify protected routes have auth middleware (getServerSession, auth checks)
- Find password storage patterns. Verify bcrypt (10+ rounds) or argon2 is used
- Check session/cookie configuration for httpOnly: true and secure: true flags
- Find auth endpoints (/login, /register). Verify rate limiting is applied

## 2. Authorization Checks
- Search for queries by ID (findById, where: {id}). Verify ownership checks exist
- Find admin routes/pages. Verify role checks (isAdmin, role === "admin")
- Check Supabase RLS policies. For Prisma, verify user_id in WHERE clauses

## 3. Data Protection Checks
- Search for hardcoded patterns: sk-, pk-, api_key, secret, password in source files
- Verify .gitignore includes .env* patterns
- Check git history for committed secrets: git log -p | grep -i "password\|secret\|api_key"
- Find NEXT_PUBLIC_ variables. Verify none contain secrets

## 4. Input/Output Checks
- Search for $queryRawUnsafe, template literals in SQL, string concatenation
- Find API routes accepting user input. Verify Zod/yup validation exists
- Search for dangerouslySetInnerHTML, v-html, @html. Verify user input is sanitized

## 5. Infrastructure Checks
- Search for CORS configuration. Flag origin: '*' with credentials
- Find public API endpoints. Verify rate limiting middleware exists

For each issue found:
1. Show the file and line number
2. Explain the vulnerability
3. Provide the fixed code

Output a summary table:
| Check | Status | File | Issue |
|-------|--------|------|-------|

Frequently asked questions

What security checks should I do before launching?

Focus on the critical 15: authentication on protected routes, password hashing, secure sessions, rate limiting on login, IDOR prevention, admin role checks, database ownership filters, no hardcoded secrets, gitignored env files, server-only secrets, parameterized queries, server-side validation, XSS prevention, CORS configuration, and API rate limiting.

How do I secure my AI-generated app?

Use the AI fix prompt in this checklist to scan your vibe coded app automatically. AI tools prioritize working code over secure code, so they commonly miss authentication on routes, ownership checks in queries, and use insecure defaults like CORS wildcards. This checklist catches the top 15 issues AI tools miss.

What are the minimum security requirements for a web app?

At minimum: authentication on protected routes, hashed passwords, ownership checks on data access, no hardcoded secrets, parameterized database queries, and input validation. The OWASP Application Security Verification Standard (ASVS) defines three levels - this checklist covers Level 1 essentials that every app needs.

How long does a security audit take?

This pre-launch checklist takes about 15 minutes with the AI fix prompts. A full professional penetration test takes days or weeks. For vibe coded MVPs, this checklist catches the critical issues that would make you an easy target. Run it before every launch, then consider professional testing as you scale.

Can I automate security checks?

Yes. Copy the AI fix prompt to your AI coding tool (Cursor, Claude Code) to automatically scan your codebase. For CI/CD, use tools like Semgrep, Snyk, or GitHub CodeQL. vibeship scanner is specifically designed for AI-generated code patterns that generic tools miss.
