AI Code Security Checklist

A free checklist covering the most important security items for any AI-generated application. Use it before you launch.

1. Authentication & Sessions

Passwords are hashed with bcrypt, scrypt, or Argon2 (never stored in plain text)
Session tokens are generated with cryptographically secure randomness
Session expiration and idle timeout are configured
Password reset tokens are single-use and time-limited
Multi-factor authentication is available for sensitive actions
2. API Security

All API routes require authentication where appropriate
Rate limiting is applied to public-facing endpoints
API responses do not leak internal error details or stack traces
CORS is configured to allow only trusted origins
API keys are not exposed in client-side code or URL parameters
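Three of the items above (rate limiting, no leaked error details, CORS restricted to trusted origins) as an added example; this is not code from the checklist page, and the origins and request ids are hypothetical. The functions are framework-agnostic so any middleware can call them.

```javascript
// Added example (not from the checklist page). Origins are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the CORS headers to send for a request's Origin, or null when the
// origin is not trusted. Exact string match only: no regex, no endsWith, and
// never reflect the request's own Origin back, which is equivalent to "*"
// with credentials.
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // caches must not reuse the response for another origin
    "Access-Control-Allow-Credentials": "true",
  };
}

// Fixed-window rate limiter keyed by client identity (IP, API key, user id).
// Production deployments usually back this with Redis so limits hold across
// instances; the Map is an in-memory stand-in.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { start, count }
  }

  // Returns true if the request may proceed, false if it should get HTTP 429.
  allow(key, now = Date.now()) {
    const bucket = this.buckets.get(key);
    if (!bucket || now - bucket.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (bucket.count >= this.limit) return false;
    bucket.count += 1;
    return true;
  }
}

// Error handling: the full error (message, stack) goes to the server log under
// a request id; the client receives only a generic body plus that id, so
// support can correlate without the response exposing internals.
function safeErrorResponse(err, requestId) {
  console.error(`[${requestId}]`, err && err.stack ? err.stack : String(err));
  return { status: 500, body: { error: "Internal server error", requestId } };
}
```

The `Vary: Origin` header matters whenever more than one origin is allowed: without it a shared cache may serve a response stamped with one origin to a browser on another.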
3. Database Security

Row Level Security (RLS) is enabled on all user-facing tables
Database queries use parameterised queries or an ORM (no raw string concatenation)
Database credentials are stored in environment variables, not in code
Backups are configured and tested for restoration
Sensitive data columns are encrypted at rest where required
4. Environment & Configuration

All secrets and API keys are stored in environment variables
No secrets are committed to version control (check git history)
.env files are listed in .gitignore
Production and development environments use separate credentials
Debug mode and verbose logging are disabled in production
5. Input Validation

All user inputs are validated on the server side (not just client-side)
File uploads are restricted by type, size, and scanned for malicious content
HTML output is escaped or sanitised to prevent XSS attacks
URL redirects are validated against an allowlist to prevent open redirect attacks
JSON and form data schemas are validated with a library like Zod or Yup

This checklist covers the basics.

Our professional audits go much deeper, including OWASP Top 10 assessment, data flow analysis, infrastructure review, and tool-specific vulnerability patterns. This checklist is a great starting point, but it is not a substitute for a thorough security review.

Want us to check all this for you?

Our security audits cover every item on this list and much more. Get expert eyes on your AI-generated code.

Ready to ship with confidence?

Get your AI-generated app audited by UK security experts.

Or email us at hello@vibecodeaudits.co.uk