Security playbook for vibe-coded apps
Based on 77+ CWE types from real-world vulnerability research. These are the exact issues AI coding agents miss — and Deva IDE catches.
Injection attacks
SQL injection
User input concatenated into a query can run statements such as DROP DATABASE. Use parameterized queries. Never concatenate user input into SQL.
XSS & code injection
User-supplied strings executed as code (e.g., dangerouslySetInnerHTML). Use DOMPurify for sanitization or textContent for plain text.
Command & LDAP injection
Input passed to system calls or directory services. Validate and sanitize before any execution.
Path traversal
Unsanitized file paths allow access outside intended directories. Use path.basename() and validate the result against the allowed directory.
Authentication & authorization
Auth bypass (missing checks)
AI removes one line (e.g., requireAdmin) and exposes admin endpoints. Enforce role checks at infra/middleware layer.
Row Level Security (RLS)
With RLS, users can only see their own data, and Postgres enforces it at the database level. Without it, changing one URL parameter exposes everyone's data.
Orphaned endpoints
You remove a UI page but leave the API endpoint open. Clean up endpoints when removing features.
Session fixation & hijacking
Regenerate session IDs after login. Use HttpOnly and Secure flags. Set proper expiration and max_age.
Secrets & API keys
Hardcoded keys in source
GitHub bots scrape for AWS keys, Stripe tokens, DB passwords 24/7. Use Secret Manager. Keys live there, not in your repo.
Secrets in .env committed to git
Add .env to .gitignore. Use .env.example templates. One exposed OpenAI key led to $30k in stolen tokens.
Backend exposing secrets to frontend
Never propagate secrets to client-side code. API keys should only exist server-side.
CSRF & timing attacks
CSRF token missing
State-changing operations (POST/PUT/DELETE) need CSRF tokens. Attacker tricks user's browser into submitting forms.
Timing attacks for user enumeration
Login responses must take constant time whether the user exists or not. A fast fail tells the attacker whether a username is valid.
CRLF injection
Unsanitized input in HTTP headers allows header injection. Validate redirect URLs and strip \r\n characters.
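One way to apply the CRLF advice above in Node.js, as an added example that is not part of the original page or of Deva IDE. APP_ORIGIN, the function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example. APP_ORIGIN is a constructed placeholder for the app's own origin.
const APP_ORIGIN = 'https://app.example';

// Any C0 control character or DEL, which includes CR (\r) and LF (\n).
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Return a same-origin path that is safe to place in a Location header,
// or the fallback when the input is missing, malformed or points off-site.
function safeRedirectTarget(input, fallback = '/') {
  if (typeof input !== 'string' || input === '' || CONTROL_CHARS.test(input)) {
    // Reject outright: the URL parser silently drops CR/LF, which would
    // hide the injection attempt instead of refusing it.
    return fallback;
  }
  let url;
  try {
    url = new URL(input, APP_ORIGIN); // relative paths resolve against our origin
  } catch {
    return fallback; // unparseable input
  }
  // Catches absolute URLs, protocol-relative "//host", userinfo tricks
  // ("https://app.example@other-host/") and "/\host", which the parser
  // treats the same as "//host".
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// For header values that are not URLs (for example a filename in
// Content-Disposition): remove CR/LF and other control characters.
function stripHeaderValue(value) {
  return String(value).replace(/[\u0000-\u001f\u007f]/g, '');
}

// Constructed sample inputs showing which redirect targets survive.
const samples = [
  '/dashboard?tab=2',
  '//evil.example/x',
  '/\\evil.example',
  '/ok\r\nSet-Cookie: sid=1',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```

Pass the returned path to the framework's redirect call instead of the raw query parameter.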
Rate limiting & bot protection
Missing rate limits
10,000+ fake registrations in minutes without it. Database fills, email quota burns, $500+ AWS bills from one bot attack. Start strict: 100 req/hour per IP.
CAPTCHA
99% spam reduction. Use invisible mode—real users never see it. Put it on contact, registration, login, password reset.
Input validation & sanitization
Trust nothing from client
Validate on frontend. Validate again on backend. Forms, URL params, file uploads, headers. Most apps fail pentest injection tests.
Sanitize ALL inputs
Env vars, header fields, dependency returns, syscalls, query results. Everything is an attack vector.
HTTPS & encryption
HTTPS isn't optional
Every endpoint needs HTTPS. Redirect HTTP automatically. Session tokens, passwords, API keys in plain text get intercepted.
Weak cryptography
Use bcrypt/argon2 for passwords, not MD5/SHA1. Modern crypto libraries. Never roll your own.
Dependencies & supply chain
Outdated dependencies
npm audit finds vulnerabilities. Update regularly. Set up Dependabot/Renovate for automatic PRs.
Malicious packages
Typosquatting (e.g., 'reactt' instead of 'react'). Check package downloads, maintainers, repo links before installing.
Infrastructure & isolation
Minimal permissions (least privilege)
DB user doesn't need DROP TABLE. API keys get read-only when possible. Container shouldn't run as root.
Default deny inbound & outbound
Restrict outbound traffic too. HTTP/HTTPS can be used for data exfiltration. Lock down both directions.
Error handling & logging
Verbose error messages
Stack traces in production expose internal paths, DB schema, library versions. Log internally, show generic errors to users.
Missing audit logs
Log authentication attempts, permission changes, sensitive data access. You'll need this when investigating incidents.
Deva IDE scans for all of these issues across frontend, API, and backend — directly in your editor.