AIVibeCoding
SecurityPlaybook

Session Lifetime. Set session expiration limits. JWT sessions should never exceed 7 days and must use refresh token rotation.

Never use AI-built auth. Use Clerk, Supabase, or Auth0.

Due to chat access, keep API keys strictly secured. Use process.env keys.

Rotate secrets every 90 days minimum.

Have the AI verify all suggested packages for security before installing.

Always opt for newer, more secure package versions.

Run npm audit fix after every build.

Sanitize all inputs using parameterized queries always.

Enable Row-Level Security in your DB from day one.

Remove all console.log statements before deploying production domain.

Use CORS to restrict access to your allow-listed production domain.

Validate all redirect URLs against an allow-list.

Add auth and rate limiting to every endpoint.

Cap AI API costs within your code and dashboard.

Add DDoS protection via Cloudflare or Vercel edge config.

Lock down storage access so users can only use their own files.

Validate upload limits by signature, not by extension.

Verify webhook signatures before processing payment data.

Review permissions server-side—UI-level checks are not security.

Log critical actions: deletions, role changes, payments, exports.

Build real account deletion flows. Large fines are not fun.

Automate backups then actually test them. An untested backup is useless.

Keep test and production environments fully separate.

Never let webhooks touch real systems in the test environment.