DEV Community

Jakub

Why Vibecoded Apps Fail Security Audits (and the 4 Fixes That Matter Most)

At Inithouse — a studio shipping a growing portfolio of products in parallel — we audit vibecoded projects across security, performance, SEO, accessibility, and code quality. After reviewing dozens of AI-generated codebases, one pattern stands out: security is consistently the weakest area.

AI code generators produce functional code fast. But "functional" and "secure" are different conversations. Across our portfolio, we found that most vibecoded apps share the same four security gaps — and they're all fixable with specific, low-effort changes.

Mistake 1: No input validation by default

When you prompt an AI to "build a contact form" or "add a search feature," the generated code handles the happy path. What it rarely adds on its own: input sanitization, length limits, type checking, or protection against injection attacks.

We measured this across projects we audited at Audit Vibe Coding: over 70% of vibecoded forms had no server-side validation at all; the only check was the HTML required attribute, which is enforced by the browser and skipped by any request sent directly to the server.

The fix: Explicitly prompt for server-side validation on every user input field, and don't assume the AI will add it. A prompt like "add input validation with XSS protection, SQL injection prevention, and length limits" produces dramatically different output than "add a form."

Mistake 2: Auth flows with token leaks

AI-generated authentication implementations often look correct on the surface. Tokens get created, sessions work, users can log in. But when we dig into the implementation, we repeatedly find: tokens stored in localStorage instead of httpOnly cookies, refresh tokens sent in URL parameters, or JWT secrets hardcoded in client-visible config files.

When we built Voice Tables — an AI workspace with voice-to-structured-data — the initial vibecoded auth flow had exactly this problem. The fix took an afternoon; finding it without an audit would have taken much longer.

The fix: Review auth implementation line by line. Test with the OWASP Authentication Cheat Sheet as your checklist. Pay extra attention to where tokens are stored and how they're transmitted — these are the spots AI gets wrong most often.

Mistake 3: Missing CORS configuration

This one is subtle because everything works fine during development. The AI generates an API, you test it locally, it responds correctly. Then you deploy and either everything is wide open (wildcard * origin) or you hit CORS errors and the quick fix is... making it wide open.

We observed this pattern repeatedly — zero intentional CORS configuration in the generated code, leading to either overly permissive defaults or hasty patches that bypass the security model entirely.

The fix: Set strict CORS policies from day one. Whitelist your specific domains. Never use Access-Control-Allow-Origin: * in production. If your vibecoding tool generates a backend, check the CORS config before the first deploy.
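As an added example (not code from the post or from the studio's products), here is the wildcard the post warns about next to an allowlist-based replacement and a small pre-deploy check; the allowlisted domains are constructed placeholders.

```javascript
// Added example, not code from the post or from Inithouse's products: a CORS
// decision written as pure functions so it can be tested without a server.
// The allowlisted domains are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// The hasty "fix" the post describes: answer every request with a wildcard,
// so any site on the web can make a visitor's browser call this API.
function permissiveCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Strict version: only an exact allowlist match is echoed back. Any other
// origin, or no Origin header at all (same-origin or non-browser request),
// gets no CORS headers, so the browser refuses to expose the response.
// Echoing the incoming Origin unconditionally would be a wildcard in disguise.
function strictCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin", // caches must not serve one origin's answer to another
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

// Preflight: an allowlisted origin gets 204 plus the headers above; anything
// else gets 403 with no CORS headers, so the real request is never sent.
function handlePreflight(requestOrigin) {
  const headers = strictCorsHeaders(requestOrigin);
  return { status: "Access-Control-Allow-Origin" in headers ? 204 : 403, headers };
}

// Pre-deploy check: feed it the headers your deployed API actually returns
// and it flags the misconfigurations the post warns about.
function auditCorsHeaders(headers) {
  const findings = [];
  const origin = headers["Access-Control-Allow-Origin"];
  if (origin === "*") findings.push("wildcard origin");
  if (origin === "*" && headers["Access-Control-Allow-Credentials"] === "true") {
    findings.push("wildcard combined with credentials");
  }
  return findings;
}
```

Run auditCorsHeaders against the response headers of your deployed API (for example from curl -I with an Origin header set) before the first production deploy.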

Mistake 4: Environment variables committed to git

AI assistants are helpful at setting up project structure, but they don't always respect the boundary between code and secrets. We've found API keys in .env files that were committed to version control, database URLs in frontend config, and Supabase service role keys in client-side code.

One of our products, Audit Vibe Coding, runs 47 checks across security, SEO, performance, accessibility, and code quality — and leaked secrets are among the most common critical findings.

The fix: Set up .gitignore from day one. Use a secrets manager for production. Run a tool like truffleHog or git-secrets on your repo before going live. This takes minutes and prevents the kind of breach that can't be undone.

The pattern underneath

These aren't edge cases. Across our experiments at Inithouse — a lab building many products at once — we found that the root cause is always the same: AI optimizes for making things work, not for making things safe. Security is a constraint that needs to be explicitly stated in every prompt.

The good news: once you know the four spots to check, fixing them is straightforward. Vibecoding doesn't have to mean insecure code — it just means security needs to be part of your prompt workflow, not an afterthought.

If you're shipping a vibecoded project and want a structured check, Audit Vibe Coding runs a full audit with a prioritized report. 47 checks, report in 24 hours.
