Vibe Coding Security Checker

🔑Environment Variables & Secrets

0/5

No API keys hardcoded in frontend/client-side codeCRITICAL.env.local (or .env) is in .gitignoreCRITICALNo secrets in Git history (rotated if they were ever committed)CRITICALOnly NEXT_PUBLIC_ prefixed vars are exposed to the browser (Next.js)CRITICALService role key / admin key is server-side onlyCRITICAL

🛡️Database Security

0/5

Row-Level Security (RLS) enabled on ALL tables (Supabase)CRITICALPer-user RLS policies tested (User A can't see User B's data)CRITICALClient-side code uses anon key only (not service role key)CRITICALDatabase connection string is server-side onlyNo raw SQL queries built from user input (use parameterized queries)

🔒Authentication & Authorization

0/6

Authentication middleware on ALL protected pages/routesCRITICALAPI routes verify user session before returning dataCRITICALAuthorization checks: users can only access their OWN resourcesCRITICALPassword requirements enforced (8+ characters minimum)Sessions expire after reasonable timeoutLogout actually invalidates the session (not just clearing cookie)

📝Input Validation

0/5

Server-side validation on EVERY API endpoint (not just client-side)CRITICALFile uploads limited by size and file typeHTML in user content is sanitized (XSS prevention)CRITICALValidation library used (Zod, Yup, or similar)Error messages don't leak internal details (stack traces, DB schema)

⚡Rate Limiting & Protection

0/4

Rate limiting on authentication endpoints (login, signup, reset)CRITICALRate limiting on public API endpointsCORS configured to allow only your domainsCSRF protection on state-changing requests

🚀Deployment & Headers

0/5

HTTPS enabled (SSL certificate active)CRITICALSecurity headers configured (X-Frame-Options, CSP, HSTS)Preview deployments are protected (not publicly accessible)npm audit run with no critical vulnerabilitiesCustom domain configured (not shipping on .vercel.app to clients)