Vibe Coding Security Checker

• No API keys hardcoded in frontend/client-side code

• .env.local (or .env) is in .gitignore

• No secrets in Git history (rotated if they were ever committed)

• Only NEXT_PUBLIC_ prefixed vars are exposed to the browser (Next.js)

• Service role key / admin key is server-side only

• Row-Level Security (RLS) enabled on ALL tables (Supabase)

• Per-user RLS policies tested (User A can't see User B's data)

• Client-side code uses anon key only (not service role key)

• Authentication middleware on ALL protected pages/routes

• API routes verify user session before returning data

• Authorization checks: users can only access their OWN resources

• Server-side validation on EVERY API endpoint (not just client-side)

• HTML in user content is sanitized (XSS prevention)

• Rate limiting on authentication endpoints (login, signup, reset)

• HTTPS enabled (SSL certificate active)