Vibe Code Security Checklist

Is Your AI-Built App Safe to Launch?

20 Yes/No questions across authentication, data security, APIs, and infrastructure. Get a security grade and know exactly what to fix before you ship.


Authentication & Access

1. Are passwords hashed using bcrypt, argon2, or similar? (Not MD5 or SHA1)

2. Is there rate limiting on login/signup endpoints?

3. Are JWT secrets stored in environment variables (not hardcoded)?

4. Is session invalidation implemented on logout?

5. Are admin routes protected from regular users?

Data & Secrets

6. Are all API keys and secrets in environment variables?

7. Is your .env file in .gitignore?

8. Is sensitive data encrypted at rest in the database?

9. Are SQL queries parameterized (no string concatenation)?

10. Are file upload types and sizes validated server-side?
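
Questions 6 and 7 can be answered mechanically. The following is an added example (not code from the checklist tool) of a small scanner that walks source files for credential-shaped literals and checks whether `.gitignore` covers `.env`. The sample project files are constructed and every value in them is fake; the patterns are deliberately simple and will produce both misses and false positives, so treat hits as review items.

```javascript
// Added example (not from the checklist page): a small scanner for secrets
// committed in source, plus a .gitignore check, for questions 6 and 7.
// The sample files below are constructed; every value in them is fake.
const SECRET_PATTERNS = [
  // a credential assigned as a literal: apiKey = "...", password: '...'
  { kind: "hardcoded credential",
    re: /\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["'][^"'\s]{8,}["']/i },
  // AWS access key id prefix (public, well-known format)
  { kind: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  // database URL carrying user:password@ inline
  { kind: "connection string with password",
    re: /\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis):\/\/[^\s:@\/]+:[^\s@\/]+@/i },
  // something shaped like a signed JWT pasted into code
  { kind: "JWT literal", re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/ },
];

// files: { path: contents }. Returns one finding per (line, pattern) hit.
function scanForSecrets(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    contents.split("\n").forEach((line, idx) => {
      // reading from the environment is the pattern we want; skip those lines
      if (/process\.env\./.test(line)) return;
      for (const { kind, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ path, line: idx + 1, kind });
      }
    });
  }
  return findings;
}

// True if the .gitignore contents contain a rule that ignores ".env".
function isEnvIgnored(gitignoreContents) {
  const rules = new Set([".env", "/.env", ".env*", "*.env"]);
  return gitignoreContents.split("\n").map((l) => l.trim()).some((l) => rules.has(l));
}

// Constructed sample project (fake values only)
const SAMPLE_FILES = {
  "src/config.js": [
    'const dbUrl = "postgres://app:hunter2-example@db.internal:5432/app";',
    'const apiKey = "sk_test_EXAMPLE_0000000000";',
    "const jwtSecret = process.env.JWT_SECRET; // fine: comes from the environment",
  ].join("\n"),
  "src/aws.js": 'const accessKeyId = "AKIAEXAMPLE000000000";',
};
const SAMPLE_GITIGNORE = "node_modules/\ndist/\n";

// Usage
console.log(scanForSecrets(SAMPLE_FILES)); // three findings: two in config.js, one in aws.js
console.log(isEnvIgnored(SAMPLE_GITIGNORE)); // false
```

Run it over the build output as well as the source tree: a secret that lives in `.env` but is read at build time can still end up in the client-side bundle, which is what step 2 of the procedure below warns about. A scanner like this does not replace a git history check, since a secret committed once and later removed is still in the history.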

API & Endpoints

11. Are all API endpoints that modify data protected by auth?

12. Is HTTPS enforced (HTTP redirects to HTTPS)?

13. Are CORS origins explicitly allowlisted (not wildcard *)?

14. Is there input validation on all user-supplied data?

15. Do error messages avoid exposing stack traces or internal paths?
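
Questions 12, 13 and 15 (and step 4 of the procedure below) can be checked against a single response. Here is an added example, not code from the checklist tool, that audits a set of response headers for HSTS, CSP, nosniff, clickjacking protection and a wildcard CORS origin, makes the allowlist-based CORS decision on the server side, and shapes an error body so production responses carry no stack or internal path. The origin allowlist and both header sets are constructed samples.

```javascript
// Added example (not from the checklist page): audit a response's security
// headers and CORS policy for questions 12, 13 and 15 and for step 4 of the
// procedure. The allowlist and header values are constructed samples.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumption

// Server-side CORS decision: echo the origin only when it is on the allowlist,
// otherwise send no Access-Control-Allow-Origin header at all.
function corsOriginFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  return allowlist.has(requestOrigin) ? requestOrigin : null;
}

// Returns a list of findings; an empty list means the headers pass the checklist.
function auditHeaders(headers, allowlist = ALLOWED_ORIGINS) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  if (!h["strict-transport-security"]) findings.push("missing Strict-Transport-Security (HSTS)");
  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("missing Content-Security-Policy");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  if (!h["x-frame-options"] && !/frame-ancestors/i.test(csp)) {
    findings.push("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)");
  }
  const acao = h["access-control-allow-origin"];
  if (acao === "*") findings.push("CORS allows any origin (*)");
  else if (acao && !allowlist.has(acao)) findings.push(`CORS allows non-allowlisted origin ${acao}`);
  return findings;
}

// Error body for question 15: in production, never include the stack or the
// raw message (which can carry internal paths); log those server-side instead.
function errorBody(err, production) {
  if (production) return { error: "Internal server error" };
  return { error: err.message, stack: err.stack };
}

// Constructed samples
const HARDENED_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Access-Control-Allow-Origin": "https://app.example.com",
};
const WEAK_HEADERS = { "Content-Type": "text/html", "Access-Control-Allow-Origin": "*" };

// Usage
console.log(auditHeaders(WEAK_HEADERS));     // five findings
console.log(auditHeaders(HARDENED_HEADERS)); // []
```

Feed `auditHeaders` the headers of a real response from your deployed app (for example from `fetch(url).then(r => Object.fromEntries(r.headers))`) rather than from a local dev server, since hosting platforms and reverse proxies add or strip headers. Note that HSTS only helps once HTTPS is already enforced (question 12); the redirect itself is a server or platform setting this check cannot see.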

Infrastructure

16. Are dependencies up to date? (no known critical CVEs)

17. Is there an error monitoring tool set up? (Sentry, Datadog, etc.)

18. Is the database blocked from direct access over the public internet?

19. Are security headers set? (CSP, X-Frame-Options, etc.)

20. Have you tested the app with a real user on a real device?

How to Security-Check Your AI-Generated Code

  1. Check authentication — review your login mechanisms (JWT expiry, OAuth scopes, session invalidation on logout), password hashing (bcrypt/Argon2, not MD5), and whether admin routes are protected behind role checks. AI tools often skip session expiry and role-based access control.
  2. Scan for exposed secrets — search your codebase for API keys, database connection strings, JWT secrets, and service passwords hardcoded in source files or committed to Git. Check that .env files are in .gitignore and that no secrets appear in client-side JavaScript bundles.
  3. Review input validation — verify that all user-supplied data (form fields, URL parameters, API request bodies) is validated and sanitized before use. Check for SQL injection (use parameterized queries, not string concatenation), XSS vulnerabilities (HTML-escape output), and command injection risks.
  4. Check CORS and security headers — verify your CORS policy only allows trusted origins (not wildcard "*" in production), and that security headers are set: Content-Security-Policy, X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), and Strict-Transport-Security (HSTS).
  5. Review score and prioritize — see your security score broken down by category (Authentication, Secrets, Input Validation, Headers, Data Exposure). Critical issues (red) must be fixed before launch. High issues (orange) should be fixed within the first week. Use the checklist as a pre-launch gate.
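
Step 3 is the one step above that benefits from seeing the code side by side. The following is an added example (not code from the checklist tool) covering the three checks it names: a request-body validator that rejects bad values and unexpected fields, a parameterized query next to the concatenated form generated code often produces, and an HTML escaper for output. The field names are assumptions; the `{ text, values }` query object with `$1` placeholders follows the node-postgres convention, and other drivers use `?` placeholders with the same idea.

```javascript
// Added example (not from the checklist page): input validation, a
// parameterized query, and output escaping for step 3 / questions 9 and 14.
// Field names are assumptions; placeholder style follows node-postgres ($1).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validates a signup body. Returns a list of errors; empty means accepted.
// Unknown fields are rejected so a client cannot smuggle in e.g. isAdmin.
function validateSignup(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  const { email, displayName, age } = body;
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push("email: invalid");
  }
  if (typeof displayName !== "string" || displayName.trim().length < 1 || displayName.length > 64) {
    errors.push("displayName: 1-64 characters required");
  }
  if (age !== undefined && (!Number.isInteger(age) || age < 13 || age > 120)) {
    errors.push("age: must be an integer between 13 and 120");
  }
  const allowed = new Set(["email", "displayName", "age"]);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`${key}: unexpected field`);
  }
  return errors;
}

// Parameterized form: the SQL text is a constant and user data travels
// separately in `values`, so the database never parses it as SQL.
function findUserByEmailQuery(email) {
  return { text: "SELECT id, email FROM users WHERE email = $1", values: [email] };
}

// Concatenated form as it often appears in generated code, kept only for
// comparison: even a legitimate apostrophe in the address breaks the statement.
function findUserByEmailUnsafe(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// Escape user-controlled text before it is placed into HTML (step 3, XSS).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Usage
console.log(validateSignup({ email: "ann@example.com", displayName: "Ann" })); // []
console.log(findUserByEmailQuery("o'neil@example.com").text);                  // unchanged SQL
console.log(findUserByEmailUnsafe("o'neil@example.com"));                      // unbalanced quotes
console.log(escapeHtml('<b onclick="x">hi</b>'));
```

The validator is deliberately an allowlist: it states what each field may contain and rejects everything else, which is easier to review than a list of forbidden characters. The same allowlist idea is what question 10 asks for on file uploads (permitted MIME types and a maximum size, enforced on the server).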