2026 Edition
The Vibe Coding Checklist
Ship fast, ship right. A battle-tested checklist for AI-assisted development covering project setup, code quality, security hardening, testing, and deployment. Built from 4000+ prompts worth of lessons and the collective wisdom of r/vibecoding.
88 items • 8 stages
Stage 5 / 23 items
Security Hardening
Vibe coding is fast. Security mistakes are faster. This is the stuff that prevents you from being hacked.
Search the entire codebase for api_key, secret, sk_live, token, and password
Move all secrets to backend/server-side only
Ensure .env files are in .gitignore
Connect a secret scanning tool (GitGuardian, Snyk) to the repo
Implement authentication server-side, not just in UI
Check ownership on every data access, not just login status
Enable RLS (Row Level Security) on every Supabase table
Review Firebase security rules for production
Use established OAuth providers (Google, GitHub, Microsoft)
Validate and sanitize all user inputs on both frontend AND backend
Use parameterized queries, never string concatenation for SQL
Escape output when rendering user content (XSS prevention)
Set file upload limits and validate file types
Set rate limits on all API endpoints
Configure CORS to allow only your own domains
Add security-headers middleware (helmet for Node)
Implement IP blocklist for public endpoints
Return generic error messages to users, log details server-side
A01: Check for Broken Access Control vulnerabilities
A02: Review Security Misconfiguration (default configs, verbose errors)
A03: Audit Software Supply Chain (dependencies, packages)
A04: Verify Cryptographic Failures (encryption, hashing)
A05: Test for Injection vulnerabilities (SQL, XSS, command)
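The rate-limit, CORS, IP-blocklist and generic-error items above, as an added example that is not code from the checklist or from any tool it names. It is a dependency-free Node sketch (helmet and express-rate-limit are the usual packages); the origins, addresses, limits and the `gate`/`corsHeaders`/`makeRateLimiter`/`toClientError` names are all constructed for illustration.

```javascript
// Added example, not code from the checklist page. Dependency-free sketch of
// the request-gating items above: IP blocklist, per-IP rate limit, CORS
// allow-list, and generic client errors with server-side detail logging.
// All addresses, origins and limits are constructed placeholders.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed
const IP_BLOCKLIST = new Set(["203.0.113.9"]);                // constructed

// CORS: reflect the origin only when it is on the explicit allow-list.
// A bare "*" would let any site read responses from this API.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // caches must not serve one origin's answer to another
    "Access-Control-Allow-Methods": "GET,POST",
  };
}

// Fixed-window limiter keyed by client IP: `limit` requests per `windowMs`.
// Returns a function (ip, now) => true if the request may proceed.
function makeRateLimiter(limit, windowMs) {
  const windows = new Map(); // ip -> { start, count }
  return (ip, now = Date.now()) => {
    const w = windows.get(ip);
    if (!w || now - w.start >= windowMs) {
      windows.set(ip, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Generic message for the client; stack trace and details go to the log only.
function toClientError(err, log = console.error) {
  log(`[internal] ${err.stack || String(err)}`);
  return { status: 500, body: { error: "Request failed" } };
}

// Order matters: cheap blocklist check first, then rate limit, then CORS.
// `req` is a minimal shape { ip, origin }; a real server adapts its request.
function gate(req, allow) {
  if (IP_BLOCKLIST.has(req.ip)) return { status: 403, headers: {} };
  if (!allow(req.ip)) return { status: 429, headers: {} };
  return { status: 200, headers: corsHeaders(req.origin) };
}
```

The limiter is per-process memory; behind more than one instance the counters must live in shared storage (Redis or similar) or the limit is multiplied by the instance count.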