Vibe coding security checklist — before your app goes viral

Twenty checks every vibe-coded app (Lovable / Bolt / v0 / Replit / Cursor) should pass before shipping to real users. The defense for when the Twitter tweet hits.

For: Indie founders shipping AI-built apps

Secrets

No API keys in the client bundle (check DevTools Network tab)critical
No secrets in git history
Every paid-API key has a daily spend cap

Database

Supabase RLS on every table / Firebase rules strictcritical
Service-role / Admin SDK keys server-only
Storage buckets private by default

Auth

Every state-changing API route requires auth
Session cookies have security flags
Password reset cannot enumerate users

AI features

Destructive tools not reachable from user content
Per-user rate limits on inference endpoints
Abuse-detection for sudden cost spikes

Before shipping

Run free scanner at /toolscritical
Install Securie GitHub App on the repo
Add a status page (status.yourapp.com)

Vibe coding security checklist — before your app goes viral · Securie