AI coding tools make development much faster. You describe a feature, the AI generates code, and within minutes you have something working.
That's great for productivity, but it also makes it easy to miss security issues. When coding becomes faster, we often skip important security checks.
Here are 6 quick things I always check before using AI-generated code.
1. Don't Expose Secrets in the Frontend
AI tools sometimes put API keys or secrets directly into frontend code.
Remember:
- Anything in frontend code is public.
- In Next.js, environment variables starting with NEXT_PUBLIC_ are inlined into the browser bundle at build time, so anyone can read them.
- Secret keys, database URLs, and service tokens should only exist on the server (API routes, server components, middleware).
Quick check: search your code for strings like sk_, secret, or key=, and look at every NEXT_PUBLIC_ variable and ask whether its value would be fine on a public web page.
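One way to automate that quick check, as an added example that is not part of the original post: a small scanner that flags secret-looking values in `NEXT_PUBLIC_` variables and in files that run in the browser. The sample project, the secret patterns and the "is this a client file?" heuristic are assumptions for the demo; adjust them to your own layout.

```javascript
// Added example (not from the original post): flag secrets an AI tool may have
// placed where the browser can see them. File paths, contents and the
// client-file heuristic are assumptions for this illustration.

// Values that look like credentials: common key prefixes and connection
// strings with an embedded password.
const SECRET_VALUE = /\b(sk_(live|test)_[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b|:\/\/[^\s:]+:[^\s@]+@/;
// Variable names that should never be public.
const SECRET_NAME = /(secret|private|password|token|api[_-]?key|database_url)/i;

// Heuristic (assumption): files with a "use client" directive and anything
// under components/ run in the browser; app/api/, pages/api/ and middleware
// run only on the server.
function isClientFile(path, content) {
  if (/\/api\//.test(path) || /^middleware\.[jt]s$/.test(path)) return false;
  return /^["']use client["']/.test(content.trimStart()) || path.startsWith("components/");
}

function scanFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    content.split("\n").forEach((line, i) => {
      const where = `${path}:${i + 1}`;
      // 1. .env files: a NEXT_PUBLIC_ variable whose name or value looks secret.
      if (path.endsWith(".env") || path.includes(".env.")) {
        const m = line.match(/^(NEXT_PUBLIC_[A-Z0-9_]+)=(.*)$/);
        if (m && (SECRET_NAME.test(m[1]) || SECRET_VALUE.test(m[2]))) {
          findings.push({ where, reason: `public env var ${m[1]} looks like a secret` });
        }
        return;
      }
      // 2. Browser code: a hard-coded secret, or a secret read via NEXT_PUBLIC_.
      if (isClientFile(path, content)) {
        if (SECRET_VALUE.test(line)) {
          findings.push({ where, reason: "hard-coded secret in browser code" });
        }
        const env = line.match(/process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/);
        if (env && SECRET_NAME.test(env[1])) {
          findings.push({ where, reason: `browser code reads ${env[1]}` });
        }
      }
    });
  }
  return findings;
}

// Constructed sample project (not a real one) to run the scanner against.
const SAMPLE_FILES = {
  ".env.local": [
    "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
    "STRIPE_SECRET_KEY=sk_live_51AbCdEfGhIjKlMnOp",
    "NEXT_PUBLIC_STRIPE_KEY=sk_live_51AbCdEfGhIjKlMnOp", // secret under a public prefix
    "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_51AbCdEfGhIjKlMnOp", // publishable: fine
  ].join("\n"),
  "components/Checkout.tsx": [
    '"use client";',
    "const key = process.env.NEXT_PUBLIC_OPENAI_API_KEY;", // an API key in the browser
    'fetch("https://api.example.com", { headers: { Authorization: "Bearer sk_live_51AbCdEfGhIjKlMnOp" } });',
  ].join("\n"),
  "app/api/charge/route.ts": "const key = process.env.STRIPE_SECRET_KEY; // server only: fine",
};

console.table(scanFiles(SAMPLE_FILES));
```

Running it on the sample reports three findings: the `NEXT_PUBLIC_STRIPE_KEY` line in `.env.local`, and both the `NEXT_PUBLIC_OPENAI_API_KEY` read and the hard-coded `sk_live_` token in `components/Checkout.tsx`; the same key in `app/api/charge/route.ts` is not reported because that file never ships to the browser.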
2. Frontend Validation Is Not Security
A form may check emails, required fields, and formats in the browser.
That's good for user experience, but an attacker can skip the form entirely and send any request body straight to your API (with curl, a fetch call from the devtools console, or an intercepting proxy).
- Always validate data on the server as well.
Rule: If you validate something on the frontend, validate it again on the backend.
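The rule in practice, as an added example (not code from the original post): the signup rules the browser form enforces, enforced again in the server handler. The field names, limits and the `createUser` callback are assumptions for this illustration. Besides repeating the format checks, the server version does two things a client check can never guarantee: it verifies the types (a direct request can send arrays or objects where the form would send strings) and it only accepts an allowlist of fields, so an extra `role: "admin"` in the body is rejected rather than saved.

```javascript
// Added example (not from the original post): server-side validation for a
// signup endpoint. Field names, limits and createUser are assumptions.

const MAX_NAME = 80;
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Allowlist of fields the client may set. Anything else (e.g. "role") is an
// error, not silently merged into the new record.
const ALLOWED_FIELDS = ["name", "email", "password"];

function validateSignup(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const extra = Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (extra.length) errors.push(`unexpected fields: ${extra.join(", ")}`);

  const { name, email, password } = body;
  // Type checks first: the browser form only ever sends strings, but a direct
  // request can send numbers, arrays or objects, which break naive .trim() /
  // .length calls and can reach the database as unexpected types.
  if (typeof name !== "string" || name.trim().length === 0) errors.push("name is required");
  else if (name.length > MAX_NAME) errors.push(`name must be at most ${MAX_NAME} characters`);

  if (typeof email !== "string" || !EMAIL.test(email)) errors.push("email is invalid");

  if (typeof password !== "string" || password.length < 12) {
    errors.push("password must be at least 12 characters");
  }

  if (errors.length) return { ok: false, errors };
  // Build the value from validated fields only; never pass the raw body on.
  return { ok: true, value: { name: name.trim(), email: email.toLowerCase(), password } };
}

// Core of an app/api/signup/route.ts handler, framework details left out so
// this runs on its own. `createUser` stands in for your persistence layer.
function handleSignup(body, createUser = (u) => ({ id: 1, email: u.email })) {
  const result = validateSignup(body);
  if (!result.ok) return { status: 400, json: { errors: result.errors } };
  const user = createUser(result.value);
  return { status: 201, json: { id: user.id } };
}

// A request that bypassed the form: bad email, short password, smuggled role.
console.log(handleSignup({ name: "Ada", email: "not-an-email", password: "short", role: "admin" }));
```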
3. Be Careful with dangerouslySetInnerHTML
AI often uses dangerouslySetInnerHTML to display HTML or markdown content.
If that content comes from users, or from any source you don't fully control, it can lead to XSS attacks.
To stay safe:
- Sanitize content before rendering.
- Use libraries like DOMPurify.
- Avoid rendering raw HTML whenever possible.
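The third point (avoid raw HTML) in working form, as an added example that is not from the original post: escape everything the user typed first, then add only markup you generate yourself from a tiny markdown subset (bold, inline code, links). The subset and the link rules are assumptions for the demo. This is the opposite of sanitizing user HTML: no user character ever becomes a tag or attribute, and the only attribute emitted (`href`) goes through a scheme allowlist. If you genuinely must accept HTML, run it through DOMPurify rather than writing a sanitizer of your own.

```javascript
// Added example (not from the original post): escape-then-format rendering for
// user comments. The markdown subset and link policy are assumptions.

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Exact inverse of escapeHtml (only these five entities are ever produced).
function unescapeHtml(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Only absolute http(s)/mailto links are allowed. javascript:, data: and
// vbscript: URLs are the classic way to smuggle script through an <a href>;
// relative URLs are rejected too, since new URL() throws on them.
function safeUrl(url) {
  try {
    const u = new URL(url);
    return ["http:", "https:", "mailto:"].includes(u.protocol) ? u.href : null;
  } catch {
    return null;
  }
}

function renderUserMarkdown(text) {
  // 1. Escape everything the user wrote: none of their characters are markup now.
  let html = escapeHtml(text);
  // 2. Add markup we control. The captured groups cannot contain raw < or >
  //    any more, and the href value is re-checked and re-escaped.
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (m, label, url) => {
    const safe = safeUrl(unescapeHtml(url));
    return safe ? `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${label}</a>` : label;
  });
  html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
  html = html.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
  return html;
}

// In the component you would then write
//   <div dangerouslySetInnerHTML={{ __html: renderUserMarkdown(comment) }} />
// and nothing else ever reaches __html.
console.log(renderUserMarkdown('<img src=x onerror=alert(1)> **bold** [x](javascript:alert%281%29)'));
```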
4. Check New Dependencies
AI may install packages automatically when generating code.
Before using them:
- Verify the package is legitimate: the name the AI used actually exists on the registry and points to the project you think it does.
- Check download counts, how recently it was published, and whether it is still maintained.
- Run npm audit to find known vulnerabilities in the package and its transitive dependencies.
Be careful of fake package names that look similar to popular packages (typosquatting), and of package names an AI tool suggests confidently but that don't exist at all: a name nobody has published is a name an attacker can publish.
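As an added example (not from the original post), the typosquat check in code: diff `package.json` before and after the AI session, list every dependency that appeared, and flag names within two edits of a well-known package or with a version spec that does not pin to the registry. The "popular" list and both `package.json` objects are constructed for the demo; seed the real list from the packages you already depend on.

```javascript
// Added example (not from the original post): review dependencies added during
// an AI session. The popular-package list and the sample manifests are
// constructed for this illustration.

// Levenshtein edit distance, to catch "lodahs", "reacct" and friends.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(
        prev[j] + 1,                                   // deletion
        cur[j - 1] + 1,                                // insertion
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)  // substitution
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Version specs that don't resolve to a reviewed registry release.
const UNPINNED = /^(\*|latest|git\+|github:|https?:|file:)/;

function reviewNewDeps(before, after, popular) {
  const old = allDeps(before);
  const report = [];
  for (const [name, version] of Object.entries(allDeps(after))) {
    if (name in old) continue; // was already there before the session
    const entry = { name, version, warnings: [] };
    // Compare without the scope: @types/lodash next to lodash is legitimate.
    const bare = name.replace(/^@[^/]+\//, "");
    if (!popular.includes(bare)) {
      for (const p of popular) {
        const d = editDistance(bare, p);
        if (d <= 2) entry.warnings.push(`looks like a typo of "${p}" (edit distance ${d})`);
      }
    }
    if (UNPINNED.test(version)) entry.warnings.push(`version spec "${version}" is not a pinned registry release`);
    report.push(entry);
  }
  return report;
}

// Constructed sample data.
const POPULAR = ["react", "lodash", "express", "axios", "next", "dotenv", "zod"];
const BEFORE = { dependencies: { react: "^18.2.0", next: "14.1.0" } };
const AFTER = {
  dependencies: { react: "^18.2.0", next: "14.1.0", lodahs: "^4.17.21", zod: "^3.22.0", "left-pad-utils": "latest" },
  devDependencies: { "@types/lodash": "^4.14.0" },
};

for (const e of reviewNewDeps(BEFORE, AFTER, POPULAR)) {
  console.log(`${e.name}@${e.version}`, e.warnings.length ? e.warnings : "no warnings");
}
```

For every name the report lists, still look at the registry before installing (`npm view <name> time` shows when each version was published, `npm view <name> maintainers` who publishes it) and run `npm audit` once the lockfile is updated. The script only tells you where to look; it cannot tell a fresh, legitimate package from a fresh, malicious one.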
5. Review Authentication and Permissions Carefully
Authentication is not just "Is the user logged in?"
You must also check:
- Can this user access this resource?
- Does this user have permission to perform this action?
For anything related to login, roles, permissions, or tokens, review the code yourself. A common pattern in generated handlers is to confirm that a session exists and then fetch whatever record the URL names, without ever asking whether that user owns it.
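The two questions above, as an added example that is not from the original post: an in-memory notes store with an ownership rule, a handler that only checks "logged in" (so any user can read any note by guessing its id), and the same handler with the authorization check. The data model, the `user`/`admin` roles and the response shape are assumptions for the demo.

```javascript
// Added example (not from the original post): "authenticated" versus
// "authorized". The data model and roles are assumptions.

// Constructed in-memory data standing in for a database.
const NOTES = new Map([
  [1, { id: 1, ownerId: "alice", body: "alice's draft" }],
  [2, { id: 2, ownerId: "bob", body: "bob's private note" }],
]);

// One place that answers "may this user do this action to this note?".
// Every handler goes through it, so the rule cannot drift between routes.
function can(user, action, note) {
  if (!user) return false;                    // not authenticated
  if (user.role === "admin") return true;     // admins may do anything
  if (note.ownerId !== user.id) return false; // everyone else: own notes only
  return ["read", "update", "delete"].includes(action);
}

// Typical generated handler: checks for a session, then trusts the id in the
// URL. Any logged-in user can read any note (an insecure direct object reference).
function getNoteInsecure(user, noteId) {
  if (!user) return { status: 401 };
  const note = NOTES.get(noteId);
  if (!note) return { status: 404 };
  return { status: 200, note };
}

// Same handler with the ownership check. It answers 404 rather than 403 for a
// note the caller may not see, so the response does not confirm the id exists.
function getNote(user, noteId) {
  if (!user) return { status: 401 };
  const note = NOTES.get(noteId);
  if (!note || !can(user, "read", note)) return { status: 404 };
  return { status: 200, note };
}

function deleteNote(user, noteId) {
  if (!user) return { status: 401 };
  const note = NOTES.get(noteId);
  if (!note || !can(user, "delete", note)) return { status: 404 };
  NOTES.delete(noteId);
  return { status: 204 };
}

const bob = { id: "bob", role: "user" };
console.log("insecure:", getNoteInsecure(bob, 1).status, "checked:", getNote(bob, 1).status);
```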
6. Never Paste Real Secrets into AI Chats
Don't share:
- .env files
- Production API keys
- Access tokens
- Customer data
- Sensitive logs
Always remove or replace sensitive information before sharing code with AI tools; depending on the provider, prompts may be stored, reviewed, or used for training, and you cannot take them back.
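A helper for that last step, as an added example not from the original post: it scrubs a snippet before it goes into a chat, replacing secret-looking values in `KEY=value` lines, bearer tokens, key prefixes, passwords embedded in connection URLs and e-mail addresses with placeholders, and reports what it replaced so you can eyeball the result. The rule set and the sample text are constructed for the demo; treat the patterns as a starting point, not a complete list.

```javascript
// Added example (not from the original post): redact a snippet before pasting
// it into an AI chat. The rules and SAMPLE are constructed for the demo.

const RULES = [
  // KEY=value lines whose name says "secret": keep the key, drop the value.
  {
    name: "env secret",
    re: /^([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY|DATABASE_URL)[A-Z0-9_]*)=(.+)$/gm,
    sub: "$1=<redacted>",
  },
  { name: "bearer token", re: /(Bearer\s+)[A-Za-z0-9._-]+/g, sub: "$1<redacted>" },
  { name: "key-like value", re: /\b(sk_(?:live|test)_|ghp_|AKIA)[A-Za-z0-9]+/g, sub: "$1<redacted>" },
  { name: "url password", re: /(:\/\/[^\s:/@]+:)[^\s@]+@/g, sub: "$1<redacted>@" },
  // Customer data: e-mail addresses (runs last, after the rules above).
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, sub: "<email>" },
];

function redact(text) {
  const counts = {};
  let out = text;
  for (const rule of RULES) {
    const hits = out.match(rule.re);
    if (hits) counts[rule.name] = hits.length;
    out = out.replace(rule.re, rule.sub);
  }
  return { text: out, counts };
}

// Constructed sample: a .env fragment plus two log lines, the kind of thing
// that gets pasted into a chat when asking "why does this fail?".
const SAMPLE = [
  "# .env",
  "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
  "STRIPE_SECRET_KEY=sk_live_51AbCdEfGhIjKlMnOp",
  "NEXT_PUBLIC_APP_NAME=demo",
  "# log",
  "2024-05-01T10:00:00Z INFO user=alice@example.com connected to postgres://app:hunter2@db.internal",
  "2024-05-01T10:00:01Z DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123",
].join("\n");

const result = redact(SAMPLE);
console.log(result.text);
console.log(result.counts);
```

The output keeps everything needed to debug the problem (variable names, timestamps, log levels, hostnames) and drops the values an attacker or a model could reuse. Read the redacted text before pasting it anyway: a regex list will miss formats it has never seen.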
A 1-Minute Security Checklist
Before accepting AI-generated code, ask:
- Does it handle user input or external data? → Add validation and sanitization.
- Does it run in the browser? → Assume everything in it is public.
- Does it control access or permissions? → Review the code carefully yourself.
AI is great for writing code quickly.
But AI focuses on making code work, not making it secure.
So keep using AI, move fast, and build faster—but always