Security
Security essentials
The handful of security things that go wrong in AI-built apps, and how to ask for them done right.
Knowledge cards
Knowledge card
Add Authentication and Authorization Early
Two related but distinct protections every multi-user app needs: authentication (proving who a user is — login) and authorization (deciding what that user is allowed to do and see). AI-built apps often get a login screen but skip real authorization, so once you're logged in you can reach data that isn't yours.
Mistake
Don't Ship the AI's Insecure Defaults
The quiet class of security holes that come not from missing code but from settings the AI leaves in a convenient-for-development, dangerous-for-production state: debug mode on, verbose error messages that leak internals, wide-open cross-origin (CORS) rules, default admin credentials, and permissive file or bucket permissions.
Mistake
Never Put Secrets in the Frontend
The single most common security mistake in AI-built apps: a secret — an API key, a database password, a payment or email provider token — ends up in code that runs in the user's browser, where anyone can read it by opening developer tools. AI does this constantly because the quickest way to make a feature work is to put the key right where it's used.
Best practice
Validate Every Input and Lock Down Your Database
Two defences that guard your data: validating every input the app receives (never trusting what comes from the browser), and configuring database access rules so each user can only read and write their own data. AI frequently ships apps that trust all input and leave the database open, which is how one crafted request dumps or corrupts everything.
Best practice
The Vibecoder's Security Checklist
The short, non-negotiable list of security things to get right in any app you build by vibecoding. It exists because AI reliably produces code that works in a demo and is wide open in production, and none of these gaps show up when you test your own app — only when someone malicious does.