Security Guide

Vibe Coding Security: 10 Risks and How to Ship Safely

Most vibe-coded apps have at least one critical security vulnerability. Here are the 10 biggest risks, why they happen, and exactly how to fix each one.

claw.mobile Editorial · 14 min read · April 2026

Vibe coding has lowered the barrier to shipping software to nearly zero. Anyone can go from idea to deployed app in hours using Bolt.new, Lovable, Cursor, or Claude Code. That is the upside.

The downside: AI models generate code that works, not code that is secure. Security researchers have consistently found that AI-generated applications frequently contain critical vulnerabilities — from exposed secrets to injectable queries. These are not theoretical risks — they are actively exploited in the wild.

This guide covers the 10 most common security risks in vibe-coded apps, with real statistics, explanations of why vibe coding causes them, and concrete fixes for each one. There is a deployment checklist at the end.

1. Exposed API Keys and Secrets

Exposed secrets are one of the most common issues in vibe-coded repos, since AI models rarely use environment variables by default.

Why Vibe Coding Causes This

AI models generate code that works, not code that is secure. When you ask for a Stripe integration, the AI often hardcodes the API key directly in the source file. Vibe coders who do not understand environment variables push these secrets to public repos.

How to Fix It

Use .env files for all secrets. Add .env to .gitignore before your first commit. Use tools like git-secrets or trufflehog to scan for exposed credentials. Never hardcode API keys, database URLs, or tokens in source files. If a secret has already been committed, rotate it: deleting it in a later commit does not remove it from the repository's history.
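As an added example (not code from the article), here is the kind of check trufflehog and git-secrets perform, reduced to a fail-closed pre-commit script: it scans source text for known token formats and secret-looking assignments, and confirms that .gitignore covers .env files. The sample source and every credential-shaped value in it are constructed.

```javascript
"use strict";

// Signature patterns: four well-known token formats plus a generic
// "secret-looking assignment" heuristic that also catches homemade keys.
const SECRET_PATTERNS = [
  { kind: "stripe-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/ },
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "connection-string-with-password", re: /\b[a-z][a-z0-9+.-]*:\/\/[^:\s\/@]+:[^@\s]+@/i },
  { kind: "generic-secret-assignment", re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["'][^"']{8,}["']/i },
];

// Scan source text line by line; one finding per (line, pattern). Lines that
// read process.env are not flagged because no literal secret is present.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      const m = re.exec(text);
      if (m) findings.push({ line: idx + 1, kind, match: m[0] });
    }
  });
  return findings;
}

// True when .gitignore excludes .env files (".env", ".env.local", ".env*", "*.env").
function gitignoreCoversEnv(gitignoreText) {
  return gitignoreText.split("\n").some((raw) => {
    const line = raw.trim();
    return line !== "" && !line.startsWith("#") && /^(?:\.env(?:\.\*|\.[\w-]+|\*)?|\*\.env)$/.test(line);
  });
}

// Fail-closed pre-commit check: any finding, or no .env ignore rule, blocks the commit.
function precommitCheck(source, gitignoreText) {
  const findings = findHardcodedSecrets(source);
  return { ok: findings.length === 0 && gitignoreCoversEnv(gitignoreText), findings };
}

// Constructed sample: an AI-written Stripe integration with the key and a
// database URL pasted into the source. These are NOT real credentials.
const SAMPLE_SOURCE = [
  "// constructed sample, not real credentials",
  'const stripe = require("stripe")("sk_live_EXAMPLE0000000000000000");',
  'const db = "postgres://admin:hunter2@db.internal:5432/app";',
  "const region = process.env.AWS_REGION;        // fine: read from the environment",
  "const apiKey = process.env.STRIPE_SECRET_KEY; // fine: no literal here",
].join("\n");

console.log(JSON.stringify(precommitCheck(SAMPLE_SOURCE, "node_modules/\n"), null, 2));
```

Wire it into a pre-commit hook that runs over staged files and exits non-zero when ok is false; the real tools add entropy checks and git-history scanning on top of this.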

2. SQL Injection Vulnerabilities

Many AI-generated database queries use string concatenation instead of parameterized queries, making them vulnerable to injection.

Why Vibe Coding Causes This

AI models frequently generate string-concatenated SQL queries instead of parameterized queries. When you say "build me a search feature," the model might write code that directly inserts user input into a SQL string.

How to Fix It

Always use parameterized queries or an ORM (Prisma, Drizzle, SQLAlchemy). Never concatenate user input into SQL strings. If the AI generates raw SQL, rewrite it with parameterized placeholders before shipping.

3. Missing Authentication and Authorization

A common issue in vibe-coded apps is shipping API routes with no authentication or authorization checks.

Why Vibe Coding Causes This

You ask the AI to build an API endpoint and it builds one that works for the happy path. It rarely adds authentication middleware unless you specifically ask. Vibe coders often forget that every API route is publicly accessible by default.

How to Fix It

Add auth middleware to every API route that handles user data. Use a proven auth library (NextAuth, Clerk, Supabase Auth). Check both authentication (who are you?) and authorization (what can you access?) on every protected endpoint.
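An added example, not code from the article: both checks on a single GET /api/notes/:id route, written framework-free so it runs as-is. The session store, user ids and notes are constructed; in a real app the session lookup comes from NextAuth, Clerk or Supabase Auth, while the ownership check is still yours to write.

```javascript
"use strict";

// Constructed in-memory data; session ids, user ids and notes are made up.
const SESSIONS = new Map([["sess-alice-1", "user-alice"], ["sess-bob-1", "user-bob"]]);
const NOTES = new Map([
  [101, { id: 101, ownerId: "user-alice", body: "alice's private note" }],
  [102, { id: 102, ownerId: "user-bob", body: "bob's private note" }],
]);

// Authentication: who is making the request? Reads the session cookie and
// returns the user id, or null when there is no valid session.
function authenticate(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) ?? null : null;
}

// Authorization: may this user read this note? Default deny; only the owner may.
function canAccessNote(userId, note) {
  return note.ownerId === userId;
}

// GET /api/notes/:id. The happy-path handler the AI writes is the last line;
// the two checks above it are the ones it usually omits. Foreign notes return
// 404 rather than 403 so the response does not confirm that the id exists.
function handleGetNote(req) {
  const userId = authenticate(req);
  if (!userId) return { status: 401, body: { error: "unauthenticated" } };

  const id = Number(req.params.id);
  const note = Number.isInteger(id) ? NOTES.get(id) : undefined;
  if (!note || !canAccessNote(userId, note)) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: { id: note.id, body: note.body } };
}

// Stand-alone demo: Bob is logged in and asks for Alice's note.
console.log(handleGetNote({ headers: { cookie: "session=sess-bob-1" }, params: { id: "101" } }));
```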

4. Cross-Site Scripting (XSS)

AI-generated frontend code frequently contains XSS vectors, especially in chat features and comment systems that render user input.

Why Vibe Coding Causes This

AI-generated code often renders user content without sanitization. When you build a chat feature or comment system, the model may use unsafe HTML rendering methods (innerHTML, or dangerouslySetInnerHTML in React) without proper escaping. User-submitted HTML, JavaScript, or Markdown becomes an attack vector.

How to Fix It

Never render raw user input as HTML. Use framework-native escaping (React auto-escapes JSX by default). When you must render HTML, use a sanitizer like DOMPurify. Validate and sanitize all user input on the server side.

5. Insecure Dependencies

Many vibe-coded projects pull in large dependency trees, often including outdated or abandoned packages with known vulnerabilities.

Why Vibe Coding Causes This

AI models suggest packages based on training data, which may reference outdated or abandoned libraries with known CVEs. Vibe coders rarely audit their dependency tree because they did not choose the packages themselves.

How to Fix It

Run npm audit or yarn audit after every AI-generated dependency addition. Use Snyk or Dependabot for continuous monitoring. Prefer well-maintained packages with recent updates and active communities. Commit your lockfile so the versions you audited are the versions that get deployed.


6. Missing Rate Limiting

Most vibe-coded APIs ship without any rate limiting, since AI models rarely add abuse protection unless explicitly asked.

Why Vibe Coding Causes This

Rate limiting is never part of the "build me a todo app" prompt. AI generates functional endpoints without any abuse protection. A single user can hammer your API, drain your database, or run up your serverless bill.

How to Fix It

Add rate limiting to all public API routes. Use libraries like express-rate-limit, Upstash Ratelimit, or Vercel Edge middleware. Set sensible limits: 100 requests per minute for general endpoints, 5 per minute for auth endpoints.
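An added example, not from the article: an in-memory sliding-window limiter that applies the two limits above (100/minute general, 5/minute on auth routes), with an injectable clock so the window can be tested without waiting. The /api/auth/ prefix and the client addresses are assumptions.

```javascript
"use strict";

// Limits from the article: 100 requests/minute on general routes, 5/minute on
// auth routes. Keyed by client IP plus route class, so hammering /api/auth/*
const LIMITS = {
  general: { max: 100, windowMs: 60_000 },
  auth: { max: 5, windowMs: 60_000 },
};

function routeClass(path) {
  return path.startsWith("/api/auth/") ? "auth" : "general";
}

// Sliding-log limiter: keeps the timestamps of recent requests per key. The
// clock is injected so behaviour can be tested without waiting a real minute.
// State is in-process memory; multi-instance deployments need Upstash/Redis.
function createRateLimiter(limits = LIMITS, now = () => Date.now()) {
  const log = new Map(); // key -> timestamps inside the current window
  return function check(clientIp, path) {
    const cls = routeClass(path);
    const { max, windowMs } = limits[cls];
    const key = `${cls}:${clientIp}`;
    const t = now();
    const recent = (log.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      log.set(key, recent);
      const retryAfterSec = Math.ceil((recent[0] + windowMs - t) / 1000);
      return { allowed: false, status: 429, remaining: 0, retryAfterSec };
    }
    recent.push(t);
    log.set(key, recent);
    return { allowed: true, status: 200, remaining: max - recent.length };
  };
}

// Express-style middleware for when you are not using express-rate-limit.
function rateLimitMiddleware(check) {
  return (req, res, next) => {
    const r = check(req.ip, req.path);
    res.setHeader("X-RateLimit-Remaining", String(r.remaining));
    if (r.allowed) return next();
    res.setHeader("Retry-After", String(r.retryAfterSec));
    res.status(429).json({ error: "too many requests" });
  };
}

// Stand-alone demo with a fake clock: six login attempts within one minute.
let fakeNow = 0;
const demo = createRateLimiter(LIMITS, () => fakeNow);
for (let i = 1; i <= 6; i++) console.log(i, demo("203.0.113.5", "/api/auth/login"));
```

Behind a load balancer or CDN make sure req.ip is the real client address (Express's trust proxy setting), otherwise every user shares one bucket.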

7. Overly Permissive CORS

AI-generated backends frequently default to Access-Control-Allow-Origin: * when fixing CORS errors.

Why Vibe Coding Causes This

When the AI hits a CORS error during development, it often fixes it by allowing all origins. This is fine for local dev but disastrous in production — any website can make authenticated requests to your API.

How to Fix It

Set CORS to allow only your production domain(s). Never use wildcard (*) with credentials; browsers reject that combination, and the usual AI workaround, echoing whatever Origin header the request sends, is the genuinely dangerous configuration. Configure CORS once in your middleware, not per-route.
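An added example, not from the article: an allowlist-based CORS middleware beside the reflect-any-origin shortcut it replaces. The allowed origins and the request shapes are assumptions for the demo.

```javascript
"use strict";

// Exact origins that may call the API with credentials. Assumed for the demo.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// CORS headers for one request. Unknown origins get no CORS headers at all, so
// the browser blocks the cross-site read. The Origin value is only ever copied
// into the response when it is on the allowlist.
function corsHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (!origin || !allowed.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,      // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true", // safe only because origin is allowlisted
    "Vary": "Origin",                           // caches must not reuse across origins
  };
  if (req.method === "OPTIONS") {              // preflight
    headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE";
    headers["Access-Control-Allow-Headers"] = req.headers["access-control-request-headers"] || "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Express-style middleware: configured once, applied before every route.
function corsMiddleware(allowed = ALLOWED_ORIGINS) {
  return (req, res, next) => {
    for (const [k, v] of Object.entries(corsHeaders(req, allowed))) res.setHeader(k, v);
    if (req.method === "OPTIONS") return res.status(204).end();
    next();
  };
}

// The shortcut the article warns about, kept for comparison: it makes the CORS
// error go away in dev and lets any site send credentialed requests in prod.
function corsHeadersReflectAnyOrigin(req) {
  return { "Access-Control-Allow-Origin": req.headers.origin, "Access-Control-Allow-Credentials": "true" };
}

// Stand-alone demo: a request from an origin that is not on the list.
const strangerReq = { method: "GET", headers: { origin: "https://stranger.example" } };
console.log("allowlist:", corsHeaders(strangerReq));
console.log("reflect-any:", corsHeadersReflectAnyOrigin(strangerReq));
```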

8. No Input Validation

Most AI-generated API handlers accept any input shape without validation.

Why Vibe Coding Causes This

AI-generated code trusts the client. When you ask for a form handler, the model writes code that processes whatever the client sends without checking types, lengths, or formats. Malformed input crashes your server or corrupts your database.

How to Fix It

Validate all input on the server with Zod, Joi, or yup. Never trust client-side validation alone. Check string lengths, number ranges, required fields, and data types for every API endpoint.

9. Verbose Error Messages in Production

Many vibe-coded apps expose stack traces and internal errors to end users.

Why Vibe Coding Causes This

AI models generate detailed error messages for debugging convenience. These error messages expose file paths, database schemas, and internal logic to anyone who triggers an error.

How to Fix It

Use generic error messages in production. Log detailed errors server-side (use a service like Sentry, LogRocket, or Axiom). Return only error codes and safe messages to the client. Set NODE_ENV=production in your deployment: Express's default error handler, for example, includes the stack trace in the response unless NODE_ENV is production.
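An added example, not from the article: an error handler that logs the full error server-side and returns only a code, a safe message and a correlation id. The HttpError class, the id scheme and the sample driver error are constructed; the logger stands in for Sentry or Axiom.

```javascript
"use strict";

// Errors the app raises on purpose carry a status, a stable code and a message
// that is safe to show. Anything else is treated as unexpected.
class HttpError extends Error {
  constructor(status, code, message) {
    super(message);
    this.status = status;
    this.code = code;
  }
}

let seq = 0;
function newErrorId() { return `err-${(++seq).toString(36)}`; } // assumed id scheme

// Splits one error into what gets logged and what the client sees. Unexpected
// errors (driver errors, TypeErrors, ...) become a generic 500 in production;
// the stack, the original message and an id go to the log so that a user's
// report can be matched to the server-side trace.
function toErrorResponse(err, { env = process.env.NODE_ENV, logger = console } = {}) {
  const id = newErrorId();
  logger.error({ id, name: err.name, message: err.message, stack: err.stack });
  if (err instanceof HttpError) {
    return { status: err.status, body: { error: err.code, message: err.message, id } };
  }
  if (env === "production") {
    return { status: 500, body: { error: "internal_error", message: "Something went wrong.", id } };
  }
  return { status: 500, body: { error: "internal_error", message: err.message, stack: err.stack, id } };
}

// Express 4-argument error middleware; register it after all routes.
function errorMiddleware(opts) {
  return (err, req, res, _next) => {
    const { status, body } = toErrorResponse(err, opts);
    res.status(status).json(body);
  };
}

// Stand-alone demo: a constructed driver error that would leak host and password.
const dbError = new Error("connect ECONNREFUSED db.internal:5432 (user=admin, password=hunter2)");
console.log(toErrorResponse(dbError, { env: "production", logger: { error() {} } }).body);
```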

10. Missing HTTPS and Security Headers

Many vibe-coded deployments ship without basic security headers configured.

Why Vibe Coding Causes This

Deployment is often an afterthought in vibe coding. The AI builds the app, you deploy it, and nobody configures security headers. Missing headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security leave your app vulnerable.

How to Fix It

Deploy behind HTTPS (Vercel, Netlify, and Cloudflare do this automatically). Add security headers in your middleware or server config. Use SecurityHeaders.com to scan your deployed site. Set Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security at minimum.


Pre-Deployment Security Checklist

Run through this checklist before every deployment. Print it, bookmark it, or paste it into your project's README. Every item maps to one of the 10 risks above.

Tools That Catch These Issues

You do not need to catch every vulnerability manually. These tools automate the most important checks:

npm audit / yarn audit: Built-in dependency vulnerability scanning. Run after every install.

Snyk: Continuous dependency monitoring with auto-fix PRs. Free tier available.

trufflehog / git-secrets: Scan git history for exposed secrets, API keys, and tokens.

Sentry: Error tracking that captures production errors without exposing them to users.

SecurityHeaders.com: Free scanner that grades your site on security header configuration.

OWASP ZAP: Free open-source security scanner that runs automated penetration tests against your app.

