There’s been a lot of talk lately about “vibe-coding.” To some, it’s a fun, expressive way to build apps: lo-fi beats in the background, fluid design choices, fast iteration, and minimal gatekeeping. Junior devs and non-developers are especially embracing it as an accessible way into tech.
Some experienced developers are calling it out. The aesthetics or creativity aren’t to blame, but a lot of vibe-coded apps are shipping without basic security. And they’re not wrong: several of these apps have already suffered serious breaches, putting user data and trust at risk.
This checklist is built for vibe-coders, the indie devs, solo hackers, and rapid prototypers who care about building fast, but don’t want to ship insecure junk. Let’s break down the essentials.
Use Environment Variables for Secrets
This is perhaps the most critical tip in this post, as we have recently seen with the Tea app data breach, hardcoding your secret API keys, database connection strings, or really anything that shouldn’t be public, and serving them on the front-end is a terrible idea.
If your application is lacking an .env file, but it’s storing data (i.e. images, text, etc.), there’s a good chance something isn’t configured properly, and it’s best to figure it out as soon as possible.
You should also have a .gitignore file which has the .env specified, as you don’t want your API keys committed to GitHub, especially if it’s a public repository.
Tip: Use a secrets scanner (like GitGuardian, truffleHog, or gitleaks) to detect hardcoded secrets before committing code.
Sanitize User Input
If your app takes any input from users, assume it’s trying to break your app. SQL injection, XSS, and command injection are still very real.
router.post('/settings', (req, res) => {
const name = req.body.name;
User.updateById(req.user.id, { name });
res.send('Updated');
});
This code (while not valid, just an example) shows a POST request made to the /settings route, which just updates a name field in the database. Do you see a potential problem? If you don’t, it’s probably a good thing that you’re reading this article.
The code is not verifying anything at all. The user could supply whatever they want, and it will be stored within the database. They could do all sorts of nasty things here.
If you’re going to publish your AI-made application, please do inspect the server code. You can even tell the AI-bot to “make sure the application is secure”.
Tip: Make sure your inputs are sanitized and validated.
Set Secure Headers
HTTP security headers are one of the simplest and most powerful ways to protect your app from common web vulnerabilities like XSS, clickjacking, and MIME-type sniffing. They require little effort but deliver strong security defaults, a classic vibe-coder win.
Tools like Helmet.js make it even easier to set up, and it’s usually only a few lines of code.
const helmet = require('helmet');
app.use(helmet());
Tip: Don’t ship your app without secure headers. This is a zero-brainer vibe-coding win that stops real-world attacks with just a few lines of code.
Avoid Exposing Stack Traces in Production
During reconnaissance (the process of actively or passively gathering information on a target), attackers would love to get a glimpse of a stack trace, as it allows them to gather valuable information about the technology used for an application. Similarly, uncaught 404s can leak app structure or confuse users. Keep it clean and generic in production.
Make sure these code snippets (really, a variation of them) are included in your codebase.
// for 500 server errors
app.use((err, req, res, next) => {
res.status(500).json({ message: 'Server error' });
});
// for 404 Not Found errors
app.use((req, res) => {
res.status(404).json({ message: 'Not found' });
});
Implement Rate Limiting & Basic DDoS Protection
Even the smallest side project can get hit with bots, brute-force attacks, or traffic floods. A single exposed route, like /login or /signup, can bring your app to its knees if not protected. Rate limiting keeps things sane and helps filter out abuse before it hits your logic.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100
});
app.use(limiter);
Tip: Ensure your application has some sort of rate limiting in place. It’s a good idea to use a CAPTCHA system as well.
Keep Dependencies Updated
You might think that once you build something, that’s it. But that’s far from the truth. Most applications are made with other people’s work. The dependencies in your application can go out of date, or have security vulnerabilities.
Make sure your packages stay up-to-date. There are tools like Snyk which you can configure to watch for vulnerabilities or outdated packages in your GitHub repository.
Tip: Run npm audit frequently. Watch out for abandoned packages or supply chain attacks.
Limit File Uploads and Validate File Types
Letting users upload files without and validation is extremely risky. Malicious uploads can lead to XSS, remote code execution, server overload, or even complete system takeover.
A simple .jpg might not be a cat photo, it might be a payload in disguise. A CSV file can inject scripts if previewed in the browser (<script>alert('xss')</script>). A large file can crash your application or eat up storage. Fake extensions (.jpg that’s really an .exe) can fool basic filters.
Tip: Use libraries like multer to limit size and type. Never let users upload files directly into your public directory. Always validate file content, not just the extension.
Protect Your Routes
Every application should have some sort of middleware to determine whether a user can access certain routes. You wouldn’t want everyone who signs up to your platform to have the ability to access the /admin route, for example. If you’re not quite sure if this is in place, simply open up an incognito tab and try to view a route that you think no one should have access to.
Tip: Require authentication and authorization. Use route guards or middleware.
Final Thoughts
Vibe-coding isn’t about being reckless, it’s about flow. But flow shouldn’t come at the cost of getting pwned. By baking in these lightweight security habits, you can keep building fast and smart.
Save this checklist. Bookmark it. Tattoo it on your repo.
Just don’t ship your app without it.
Note: This list is still missing a lot of things. Use it as a starting point, but never assume your application is 100% secure.
About the Author
Matt Fay
Matt is the founder of JavaScript Today, a platform dedicated to high-quality JavaScript education and commentary. With a deep curiosity for technology, he gravitates toward understanding how things work and has been diving into the world of information security. Outside of coding, Matt enjoys exploring languages; he can understand some Russian and Italian, and is currently learning Thai.
Discussion (Loading...)
Join the Discussion
Sign in to share your thoughts and engage with the JavaScript Today community.
