Security Checklist for Vibe Coding
AI allows people without technical backgrounds to build software. I saw a researcher use Claude to revive a dead platform. She reduced costs and improved performance without being a professional developer.
This is amazing. It is also risky.
Vibe coding means building software with heavy AI help without mastering the underlying code or architecture. If you put code into production, you are a developer. That means you carry responsibility.
Vibe coding a personal blog is fine. Vibe coding a system with payments, logins, and user data is different. AI can write good code, but it can just as easily introduce serious security flaws, and it will not point them out unless you ask.
If you use AI to manage a web project, do not just ask it to make things work. Use it to find risks. Use these questions to audit your project before you go live:
- Map your sensitive areas: Where are the logins, payments, and personal data?
- Check for exposed secrets: Are Stripe keys, passwords, or database credentials hard-coded, committed to the repository, or shipped in the frontend bundle?
- Audit dependencies: Are your libraries outdated or carrying known vulnerabilities?
- Review authentication: How do users log in? Are sessions and cookies configured correctly (HttpOnly, Secure, sensible expiry)?
- Check authorization: Can a regular user read another user's data, or admin data, just by changing an ID in the URL?
- Protect admin functions: Is the admin panel hidden by the UI only, or is every admin request rejected on the server?
- Verify payments: Does your server confirm payments via webhooks, or does it just trust the frontend's claim that a payment succeeded?
- Test webhooks: Does your server verify the webhook signature and timestamp, or can someone fake or replay a payment notification?
- Validate all inputs: Do your forms and search bars protect against injection attacks (parameterized queries, output encoding)?
- Limit usage: Can bots hammer your login or search endpoints to drive up your costs? Is there rate limiting?
- Check error handling: Do your error messages leak stack traces, database details, or passwords to users?
- Secure file uploads: Are you limiting file types and sizes, and checking the file's content rather than trusting its extension?
- Compare environments: Are you accidentally using test keys or debug mode in production?
- Create simple tests: Can you prove that a user cannot access another person's data?
- Ask about uncertainty: Ask the AI, "What security risks can you NOT verify?"
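Four of the checks above (IDs in URLs, admin functions gated on the server, webhook signatures, and a simple test that one user cannot read another's data) as a single framework-free Python model. This is an added example, not code from the original post or the dev.to article; the in-memory users and invoices, the endpoint secret, the `invoice=<id>` body format and all function names are constructed for the demo. The signature scheme follows the Stripe-style header `t=<timestamp>,v1=<hex>` with HMAC-SHA256 over `<timestamp>.<raw body>`.

```python
"""Framework-free model of four checklist items: ownership checks on
URL IDs, server-side admin gating, webhook signature verification, and
a test proving user isolation.  All records and the webhook secret are
constructed for this demo."""
import hashlib
import hmac

# Constructed sample data: two regular users, one admin, two invoices.
USERS = {"alice": "user", "bob": "user", "root": "admin"}
INVOICES = {
    101: {"owner": "alice", "amount_cents": 4200, "paid": False},
    102: {"owner": "bob", "amount_cents": 1500, "paid": False},
}


class Forbidden(Exception):
    """The caller may not access the requested object."""


def get_invoice_vulnerable(requester: str, invoice_id: int) -> dict:
    """IDOR pattern: the ID from the URL is looked up directly and the
    owner is never compared to the requester, so any logged-in user can
    read any invoice by editing the number in the URL."""
    return INVOICES[invoice_id]


def get_invoice(requester: str, invoice_id: int) -> dict:
    """Hardened: enforce ownership (or admin role) on the server.  One
    error covers both 'not found' and 'not yours' so the endpoint does
    not reveal which IDs exist."""
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner"] != requester and USERS.get(requester) != "admin"):
        raise Forbidden("no such invoice for this user")
    return record


def admin_list_invoices(requester: str) -> dict:
    """Admin function gated on the server, not merely hidden in the UI."""
    if USERS.get(requester) != "admin":
        raise Forbidden("admin only")
    return dict(INVOICES)


def can_access(handler, requester: str, *args) -> bool:
    """Test helper: True if the handler lets the requester through."""
    try:
        handler(requester, *args)
        return True
    except (Forbidden, KeyError):
        return False


def prove_isolation() -> bool:
    """The 'simple test' from the checklist: a regular user must not be
    able to read another user's invoice or list all invoices."""
    return (not can_access(get_invoice, "bob", 101)
            and can_access(get_invoice, "alice", 101)
            and not can_access(admin_list_invoices, "bob")
            and can_access(admin_list_invoices, "root"))


# --- Payment webhooks -------------------------------------------------
# Scheme modeled on Stripe's: header "t=<unix ts>,v1=<hex>" where
# hex = HMAC-SHA256(secret, "<ts>.<raw body>").  Constructed secret.
WEBHOOK_SECRET = b"whsec_example_only_not_real"
TOLERANCE_SECONDS = 300


def _expected_sig(raw_body: bytes, ts: int, secret: bytes) -> str:
    return hmac.new(secret, b"%d." % ts + raw_body, hashlib.sha256).hexdigest()


def sign_webhook(raw_body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the payment provider would send; used here to build test input."""
    return f"t={ts},v1={_expected_sig(raw_body, ts, secret)}"


def verify_webhook(raw_body: bytes, header: str, now: int,
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the signature matches the raw body under our secret
    and the timestamp is fresh: rejects forged and replayed notifications."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        given = parts["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(_expected_sig(raw_body, ts, secret), given)


def handle_payment_webhook(raw_body: bytes, header: str, now: int) -> bool:
    """Mark an invoice paid only after the signature checks out; the
    frontend's claim that a payment succeeded is never trusted.
    Body format "invoice=<id>" is an assumption for the demo."""
    if not verify_webhook(raw_body, header, now):
        return False
    invoice_id = int(raw_body.decode().split("=", 1)[1])
    if invoice_id not in INVOICES:
        return False
    INVOICES[invoice_id]["paid"] = True
    return True
```

Run `prove_isolation()` as part of your test suite: it fails the moment someone swaps `get_invoice` for the vulnerable version. For the webhook, always verify against the raw request body as received (not a re-serialized copy), compare with `hmac.compare_digest`, and reject stale timestamps so a captured notification cannot be replayed later.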
Do not ask the AI if your project is safe. Ask it to show you where the uncertainty lies.
If your project affects real people or real money, seek professional help. Use AI to ask better questions, not to replace human oversight.
Source: https://dev.to/marciofrayze/15-perguntas-de-seguranca-para-quem-esta-praticando-vibe-coding-1h7j