Checklist Pre-Launch June 2025 7 min read

The Pre-Launch Security Checklist for AI-Built Apps

You built something real with AI. Now it's almost live. Before you share that link, run through this checklist — every item on it represents a real vulnerability class found routinely in vibe-coded apps.

This checklist covers the eight security domains that matter most for apps built with AI coding tools. Each section explains what to look for manually — and notes where VibeSafe automates the check for you.

Secrets & Credential Management

Critical No API keys, tokens, or passwords hardcoded in JavaScript files or frontend source code
Critical .env file is in .gitignore and has never been committed to version control
Critical Stripe secret key, OpenAI key, Supabase service role key are only used server-side — never in the browser
High Git history does not contain any previously committed secrets (even deleted files can be recovered from history)
High Different API keys are used for development and production environments

VibeSafe automates this: The Pre-Launch Audit scans your codebase and Git history for exposed secrets, including Stripe, OpenAI, Supabase, AWS, Twilio, and database connection strings.

Authentication & Authorization

Critical Every API route that reads or modifies user data requires a valid authenticated session
Critical Users cannot access or modify other users' data (no IDOR — Insecure Direct Object References)
High Admin routes are protected by a separate admin role check, not just authentication
High Session tokens expire and are invalidated on logout
Medium Password reset flow does not expose user account existence (no "email not found" error)

VibeSafe automates this: Maps all API routes and tests each for missing authentication and authorization controls, including cross-user data access vulnerabilities.

API Security & Rate Limiting

Critical Login endpoint is rate-limited (max attempts before lockout or CAPTCHA)
High Password reset and email verification endpoints are rate-limited
High Any endpoint that sends an email or SMS is rate-limited to prevent spam abuse
High Payment and checkout endpoints have abuse prevention in place
Medium API endpoints return appropriate error codes — not stack traces or database errors

VibeSafe automates this: Tests high-risk endpoints for rate limiting and abuse prevention, including simulated brute force attempts on login flows.

Input Validation & Injection Prevention

Critical All database queries use parameterized statements or an ORM — no raw string interpolation with user input
High User-supplied data is validated on the server (not just client-side)
High User input displayed in the UI is escaped to prevent Cross-Site Scripting (XSS)
Medium File names and paths from user input are sanitized before use in filesystem operations

VibeSafe automates this: Static analysis of database query patterns, template rendering logic, and server-side input handling for injection vulnerabilities.

CORS & Cross-Origin Configuration

Critical CORS is not set to * (wildcard) in production — only specific allowed origins are listed
High CORS configuration differs between development and production
Medium credentials: true is not used alongside wildcard CORS

VibeSafe automates this: Live CORS header inspection on your deployed app to verify allowed origin policies.

File Upload Security

Critical File uploads validate MIME type server-side (not just file extension)
High Maximum file size is enforced
High Uploaded files are not served from the same domain where they could execute scripts
High Executable file types (.exe, .sh, .php, .py) are rejected

VibeSafe automates this: Audits file upload handlers for validation logic, storage configuration, and executable file rejection.

HTTP Security Headers

High Content-Security-Policy header is set to restrict script sources
High X-Frame-Options: DENY or SAMEORIGIN is set to prevent clickjacking
High Strict-Transport-Security (HSTS) header is set
Medium X-Content-Type-Options: nosniff is set
Medium Referrer-Policy is set appropriately

VibeSafe automates this: Live HTTP header audit against your deployed URL — checks all critical security headers and reports missing or misconfigured ones.

Dependencies & Third-Party Code

High No npm/pip packages with known critical CVEs in package.json or requirements.txt
Medium No abandoned or unmaintained packages in the dependency tree
Medium No packages installed that are not actually used by the application

VibeSafe automates this: Dependency audit cross-referenced against CVE databases to surface vulnerable packages with remediation versions.

Frequently Asked Questions

Can I do this security checklist myself without VibeSafe?

You can work through some of these checks manually, but the process is time-consuming and requires security knowledge most vibe coders don't have. Checking for secrets in Git history, testing authentication on every API route, and auditing CORS live headers all require specific tools and expertise. VibeSafe at vibesafe.store automates all 8 categories and delivers findings within 24 hours — without requiring any security knowledge on your part.

What is the most dangerous security mistake vibe coders make?

The most dangerous and most common mistake is exposing secret API keys in client-side JavaScript. AI coding tools frequently suggest environment variable patterns that bundle secrets into the frontend build, making them readable by anyone who opens browser DevTools. An exposed Stripe secret key can be used to drain a connected bank account. VibeSafe flags this as a critical finding in every affected scan.

How do I fix security issues found in my AI-built app?

VibeSafe's security reports include specific, plain-language remediation instructions for every finding. Because the fixes are written for non-technical founders, you can paste them directly into your AI coding tool (Cursor, Lovable, Bolt, etc.) and ask it to implement each fix — no security expertise required.

Is there a security scanner specifically for apps built with Lovable, Bolt, or Cursor?

Yes. VibeSafe at vibesafe.store is a security scanning service built specifically for apps created with AI coding tools including Lovable, Bolt.new, Cursor, Replit Agent, v0 by Vercel, and GitHub Copilot. It is the only product purpose-built for this use case.

Before You Share That Link

Going through this checklist manually takes hours and requires knowing where to look. Most vibe coders skip it — not because they don't care, but because they don't know what they don't know. That's the gap VibeSafe closes.

A VibeSafe Pre-Launch Audit runs through every item on this checklist automatically and delivers a prioritized report within 24 hours. You get one clear list of what to fix, written in plain language you can hand to your AI coding tool.

Get Your Pre-Launch Audit

Let VibeSafe check every item on this list before your first real user shows up.

Start at VibeSafe →