
Vibe Coding Security Checklist 2026

The complete 2026 security checklist for vibe-coded applications. Covers secrets management, headers, authentication, injection prevention, monitoring, and more — tailored for Replit, Bolt, Lovable, Cursor, and v0 projects.

March 10, 2026

Vibe coding changed how software gets built. In 2026, millions of applications running in production were created through natural language prompts in tools like Replit, Bolt, Lovable, Cursor, and v0. Many of these apps handle real user data, process real payments, and support real businesses.

This checklist exists to close the security gap. It's designed specifically for vibe-coded applications — the patterns, frameworks, and deployment platforms that AI coding tools actually produce.

Section 1: Secrets and API Keys (Critical)

This is the single most important section. More vibe-coded apps are compromised through exposed secrets than any other vulnerability category.

  • Audit every environment variable — ensure API keys are in server-side variables only. In Next.js, no NEXT_PUBLIC_ prefix for secrets. In Replit, use the Secrets tab.
  • Check client-side JavaScript bundles — open DevTools Sources tab and search for "sk_", "key_", "secret", "token", "Bearer"
  • Rotate any previously exposed secrets — if keys were ever in client-side code, generate new ones immediately
  • Never commit secrets to Git — use .gitignore from the start
Vuln0x scanner: Client-Side Secret Leakage (1 credit)
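
As an added example (not code from this post or from Vuln0x), the following Node.js script automates the DevTools search from Section 1: it scans built client-side JavaScript for the strings the checklist names and flags Next.js NEXT_PUBLIC_ variables whose values look like secrets. The bundle text and every key value in it are constructed placeholders.

```javascript
// Added example: scan a client bundle for the strings Section 1 tells you to
// search for in DevTools. Patterns are deliberately broad; review each hit.
const SECRET_PATTERNS = [
  { name: 'sk_ secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/g },
  { name: 'key_ prefixed key', re: /\bkey_[A-Za-z0-9]{8,}/g },
  { name: 'hard-coded Bearer token', re: /Bearer\s+[A-Za-z0-9._-]{16,}/g },
  { name: 'secret/token assignment', re: /\w*(?:secret|token)\w*\s*[:=]\s*["'][^"']{12,}["']/gi },
];

// Returns one finding per match with its 1-based line number in the bundle.
function findLeakedSecrets(bundleText) {
  const findings = [];
  bundleText.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // the regexes are shared and /g, so reset per line
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ name, line: idx + 1, snippet: m[0].slice(0, 12) + '...' });
      }
    }
  });
  return findings;
}

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle, so a
// secret-looking value under that prefix is a leak before the build ships.
function auditNextEnv(env) {
  return Object.entries(env)
    .filter(([k, v]) => k.startsWith('NEXT_PUBLIC_') && findLeakedSecrets(`${k}="${v}"`).length > 0)
    .map(([k]) => k);
}

// Constructed sample bundle; the key values are placeholders, not real credentials.
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("sk_live_PLACEHOLDER0123456789");',
  'fetch("/api", { headers: { Authorization: "Bearer PLACEHOLDERTOKENabcdefghij" } });',
  'const apiSecret = "PLACEHOLDERSECRETVALUE";',
  'const publicKey = "pk_live_notasecret";',
].join('\n');
```

Run it against the output of your build step (for Next.js, the files under .next/static) rather than the source tree, since the bundle is what the browser actually receives.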

Section 2: HTTP Security Headers (Critical)

  • Content-Security-Policy (CSP) — set default-src 'self' at minimum to prevent XSS
  • Strict-Transport-Security (HSTS) — enforce HTTPS with max-age=31536000; includeSubDomains
  • X-Frame-Options — set to DENY or SAMEORIGIN to prevent clickjacking
  • X-Content-Type-Options — set nosniff to prevent MIME-sniffing
  • Referrer-Policy — use strict-origin-when-cross-origin
  • Permissions-Policy — disable unused browser features
Vuln0x scanner: HTTP Security Headers (1 credit)
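
As an added example (not the Vuln0x scanner's code), here is a Node.js audit of one response's headers against the six items in Section 2. It returns a list of findings, with an empty list meaning the response passes; the RECOMMENDED_HEADERS set is a constructed starting point whose CSP you would tailor to your app.

```javascript
// Added example: grade a response's headers against Section 2.
// Header names are compared case-insensitively, as HTTP requires.
const ONE_YEAR = 31536000;
const STRICT_REFERRER = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];

function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // CSP: the default-src fallback must exist and must not be a bare wildcard,
  // a scheme-only source (http: / https:) or 'unsafe-inline'.
  const csp = h['content-security-policy'];
  const dsrc = csp && /default-src([^;]*)/i.exec(csp);
  if (!csp) findings.push('CSP missing');
  else if (!dsrc) findings.push('CSP has no default-src fallback directive');
  else if (/(^|\s)\*(\s|$)|'unsafe-inline'|\bhttps?:(?!\/\/)/.test(dsrc[1])) findings.push('CSP default-src is too permissive');

  // HSTS: at least one year and covering subdomains, as the checklist states.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('HSTS missing');
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
  else if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options not DENY/SAMEORIGIN');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options not nosniff');
  if (!STRICT_REFERRER.includes((h['referrer-policy'] || '').toLowerCase())) findings.push('Referrer-Policy not strict');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// A constructed header set that passes the audit; tighten or loosen the CSP per app.
const RECOMMENDED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

In Next.js these values go in the headers() export of next.config.js; in Express they are set on every response by middleware before any route runs.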

Section 3: SSL/TLS Configuration (High)

  • Ensure HTTPS-only access with proper redirects
  • Use TLS 1.2 or 1.3 — disable TLS 1.0/1.1
  • Verify complete certificate chain
  • Monitor certificate expiration
Vuln0x scanner: SSL/TLS Certificate (1 credit), SSL Deep Analysis (5 credits)

Section 4: CORS Configuration (High)

  • Never use Access-Control-Allow-Origin: * on authenticated endpoints
  • Don't reflect Origin header without validation
  • Be careful with Access-Control-Allow-Credentials: true
Vuln0x scanner: CORS Configuration (1 credit)
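
As an added example (not code from the post), the Origin-reflection anti-pattern that Section 4 warns about is shown next to an allowlist check, both as plain Node.js functions that return the CORS headers a server would send. The allowlist and request origins are constructed samples.

```javascript
// Added example: the two ways of answering a cross-origin request on an
// authenticated endpoint. Only the second is acceptable.

// INSECURE (kept only to show the pattern Section 4 warns against): whatever
// Origin the browser sends is echoed back together with credentials, so any
// site the user visits can read their authenticated responses.
function reflectingCors(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against a fixed allowlist, never the raw Origin string.
// Returns null when the origin is not allowed, so the caller sends no CORS headers.
function allowlistCors(originHeader, allowedOrigins) {
  if (typeof originHeader !== 'string') return null;
  let parsed;
  try { parsed = new URL(originHeader); } catch { return null; }
  // URL.origin normalises to scheme://host[:port], so case and trailing slashes
  // compare equal while look-alike hosts (app.example.com.evil.tld) do not.
  const origin = parsed.origin;
  if (!allowedOrigins.includes(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary: Origin stops a shared cache from serving the response for one
    // allowed origin to a request from another.
    'Vary': 'Origin',
  };
}

// Constructed allowlist; list full origins (scheme, host, port), not domains.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
```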

Section 5: Authentication and Sessions (High)

  • Store tokens in HttpOnly cookies, not localStorage
  • Implement CSRF protection with SameSite cookies
  • Enforce session expiration (idle + absolute timeouts)
  • Validate JWT properly: signature, expiration, issuer, audience
  • For OAuth: validate redirect URIs, use state parameter, implement PKCE
Vuln0x scanners: Credential Security (8 credits), Session Security (5 credits), JWT Security (5 credits), OAuth Security (5 credits)

Section 6: Injection Prevention (High)

  • Use parameterized queries or ORM — never concatenate SQL
  • Rely on React's built-in escaping — avoid dangerouslySetInnerHTML
  • Validate and whitelist server-side URL fetching destinations
  • Never pass user input to shell commands
Vuln0x scanners: SQL Injection (10 credits), XSS (10 credits), Command Injection (8 credits), SSRF (8 credits)
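
As an added example (not from the post), the SSRF item in Section 6, "validate and whitelist server-side URL fetching destinations", is written out as a Node.js check to run before a server fetches any user-supplied URL. The allowed host list is a constructed sample.

```javascript
// Added example: decide whether a user-supplied URL may be fetched server-side.
// Constructed allowlist of exact hostnames the app legitimately talks to.
const ALLOWED_FETCH_HOSTS = new Set(['api.partner.example', 'cdn.example']);

// Hosts that must never be fetched on a user's behalf: loopback, link-local
// (where cloud metadata services live), RFC 1918 ranges, IPv6 local ranges
// and the bare name localhost. Node keeps IPv6 brackets in URL.hostname.
const PRIVATE_HOST = [
  /^localhost$/i,
  /^127\./, /^10\./, /^169\.254\./, /^192\.168\./, /^0\.0\.0\.0$/,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^\[?(::1|::ffff:|fc|fd|fe80)/i,
];

// Returns the normalised URL to fetch, or null if the request must be refused.
// Note: this is a pre-fetch filter only; it does not defend against DNS
// rebinding, so also re-check the resolved address at connect time.
function safeFetchTarget(userUrl) {
  let url;
  try { url = new URL(String(userUrl)); } catch { return null; }
  if (url.protocol !== 'https:') return null;        // no http:, file:, gopher:, data:
  if (url.username || url.password) return null;      // no credentials in the URL
  const host = url.hostname.toLowerCase();
  if (PRIVATE_HOST.some((re) => re.test(host))) return null;
  if (!ALLOWED_FETCH_HOSTS.has(host)) return null;    // exact match, no suffix or prefix tricks
  if (url.port && url.port !== '443') return null;    // default port only
  return url.toString();
}
```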

Section 7: Exposed Files and Directories (Medium)

  • Check yourdomain.com/.env — should return 404
  • Check yourdomain.com/.git/config — should return 404
  • Remove backup files (.bak, .old, .sql) from public directories
  • Block access to Next.js build artifacts
Vuln0x scanner: Directory & File Exposure (5 credits)

Section 8: DNS Security (Medium)

  • Configure SPF records for email authentication
  • Set up DMARC with at least p=quarantine
  • Enable DNSSEC if supported
  • Add CAA records for certificate authority restriction
Vuln0x scanner: DNS Security (5 credits), Subdomain Discovery (8 credits)
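
As an added example (not the Vuln0x DNS scanner's code), the SPF and DMARC items in Section 8 are turned into Node.js checks over the raw TXT record strings. Records are passed in directly so the check runs offline; in practice you would obtain them with dns.promises.resolveTxt() for the domain and for _dmarc.<domain>. All sample records are constructed.

```javascript
// Added example: grade SPF and DMARC TXT records against Section 8.
// Each function returns 'ok' or a one-line reason the record falls short.
function checkSpf(txt) {
  const rec = txt.trim();
  if (!/^v=spf1(\s|$)/.test(rec)) return 'not an SPF record';
  // Mechanisms that cost a DNS lookup; receivers stop evaluating after 10.
  const lookups = (rec.match(/\b(include:|a\b|mx\b|ptr\b|exists:|redirect=)/g) || []).length;
  if (lookups > 10) return `SPF needs ${lookups} DNS lookups; receivers give up (permerror) after 10`;
  if (/\s[-~]all$/.test(rec)) return 'ok';
  if (/\s[+?]?all$/.test(rec)) return '+all or ?all lets any host send as this domain';
  return 'SPF has no -all/~all terminator';
}

function checkDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  if (tags.v !== 'DMARC1') return 'not a DMARC record';
  if (!['quarantine', 'reject'].includes(tags.p)) return `p=${tags.p || '(missing)'} is weaker than quarantine`;
  if (tags.pct !== undefined && Number(tags.pct) < 100) return `only ${tags.pct}% of failing mail gets the policy`;
  if (!tags.rua) return 'no rua= address, so you will never see aggregate failure reports';
  return 'ok';
}

// Constructed sample records for a fictional domain.
const SAMPLE_SPF = 'v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all';
const SAMPLE_DMARC = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com';
```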

Section 9: Cookie Configuration (Medium)

  • Set Secure flag on all cookies
  • Set HttpOnly on session cookies
  • Set SameSite=Lax or Strict
  • Configure appropriate path restrictions and expiration
Vuln0x scanner: Cookie Security (1 credit)
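
As an added example (not from the post), Section 9 is expressed as a small Node.js Set-Cookie parser and audit, together with a builder that emits a session cookie carrying every attribute the checklist asks for. The cookie names and values are constructed.

```javascript
// Added example: parse a Set-Cookie header value and check it against Section 9.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v = true] = a.split('='); // flag attributes (Secure, HttpOnly) become true
    cookie.attrs[k.toLowerCase()] = v;
  }
  return cookie;
}

// `isSession` marks cookies that carry an authenticated session; those must
// also be HttpOnly and carry an explicit expiration.
function auditSetCookie(header, { isSession = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push(`${name}: missing Secure`);
  const ss = String(attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') findings.push(`${name}: SameSite should be Lax or Strict`);
  if (isSession) {
    if (!attrs.httponly) findings.push(`${name}: session cookie readable by JavaScript (no HttpOnly)`);
    if (!attrs['max-age'] && !attrs.expires) findings.push(`${name}: no expiration set`);
  }
  return findings;
}

// Builds a session cookie that passes the audit above. Path=/ is the usual
// choice; narrow it if the session is only needed under one prefix.
function sessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}
```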

Section 10: Continuous Monitoring (Ongoing)

  • Set up weekly scheduled scans minimum
  • Integrate scanning into CI/CD pipeline via Vuln0x REST API
  • Use SARIF export for GitHub Security tab integration
  • Track security score over time — aim for improvement, not perfection

Quick Start

Run a Vuln0x Full Scan (10 credits) or Full Deep Scan (20 credits) to check your app against this entire checklist at once. Sign up at vuln0x.com for 20 free credits — no credit card required.

For the most thorough assessment, Sentinel — the AI penetration testing agent — goes beyond automated scanning with 29+ professional security tools and a 7-phase attack methodology.

The goal isn't a perfect score on day one. The goal is to know where you stand, fix the critical issues, and establish a process for continuous improvement.