Engineering

The vibe-coding security checklist we run on every rescue

Qorinx Engineering · 6 min read · Updated 2026
The vibe-coding security checklist we run on every rescue

AI-assisted coding has changed who ships software. Founders who couldn't write a line of code a year ago now have working products with paying users - and we think that's genuinely great. What hasn't changed is what production demands. When one of these codebases lands on our desk for review, we run the same security checklist every time, because the same problems show up every time.

The first hour: keys, rules, auth

Three findings account for most of the risk we see, and we look for them before anything else:

  • Exposed API keys - secrets committed to the repo, shipped in the frontend bundle, or pasted into client-side code where anyone with DevTools can read them. If a key has ever touched the client, we rotate it. No exceptions.
  • Open database rules - Firebase and Supabase make it easy to start with permissive rules and forget them. We've found production databases where any authenticated user - sometimes any user at all - could read every table.
  • Missing auth on the API layer - the UI hides the admin button, but the endpoint behind it answers to anyone who knows the URL. Authorization has to live on the server, not in what the interface chooses to show.

The second pass: the quieter failures

Once the loud problems are closed, we go looking for the quiet ones. Input that flows into queries without validation. Password resets that leak whether an email exists. Rate limits that don't exist, so one script can brute-force logins or drain a metered AI endpoint overnight. File uploads that accept anything and serve it back from the same domain. None of these will page you today - all of them are how incidents start.

Git history is part of the attack surface

A rotated key is only half-fixed if the old one still lives in commit history, and a "deleted" .env file is still there for anyone who clones the repo. We scan history as well as the working tree, and we treat anything that was ever committed as compromised.

What to do with this list

If you've vibe-coded a product that people now depend on, run this checklist yourself - most of it takes an afternoon and requires no security background, just honesty. And if you'd rather have senior engineers do it properly, that's exactly what our code review service is for: a fixed-price audit, a prioritized findings report, and the critical holes closed before someone else finds them.

Want AI in your product - for real?

Bring the use case. We'll tell you if AI is the right tool and what it costs to ship it, in writing.

Explore AI integration →