How long does a scan take?

A passive scan runs in a few minutes and covers most of this checklist. Active testing takes a little longer and confirms exploitable bugs once you verify you own the site.

I am not technical. Can I still act on the results?

Yes. Every finding is written in plain language with step-by-step fixes you can paste into your AI tool or apply yourself.

Security Checklist Before You Launch a Vibe-Coded App | VibeSec

Shipping soon? Run through this list first. It covers the issues AI coding tools most often leave behind, in the order they matter.

Secrets and API keys

•No secret keys in your front-end code or NEXT_PUBLIC_ variables.
•All secrets in server-side environment variables.
•Env files added to your ignore rules so they never deploy.

Database access

•Row Level Security on for every table (Supabase) or equivalent rules elsewhere.
•Admin or service keys kept server-side only.
•Users can only read and write their own data, tested with a real account.

AI endpoints

•Every AI endpoint requires authentication.
•Rate limiting in place per user and per IP.
•A usage cap or budget alert set with your provider.

HTTPS and headers

•Your site forces HTTPS and redirects http to https.
•A Content Security Policy header is set.
•Basic headers present: HSTS, X-Content-Type-Options, X-Frame-Options.

Exposed files

•No .env served publicly.
•No .git folder reachable from the web.
•No database dumps, backups, or debug endpoints left in the public directory.
•Source maps not shipped to production, unless you mean to.

Dependencies and email

•Framework and libraries updated, no versions with known CVEs.
•SPF, DKIM, and DMARC records set so your domain cannot be spoofed.

The fastest way to run this list

You can check every item above by hand, or run one scan that covers all of them and hands you a plain-language report with copy-paste fixes. Either way, do it before you launch, not after.

Security Checklist Before You Launch a Vibe-Coded App