Blog > Security best practices for Vibe Coding to keep in mind
Security best practices for Vibe Coding to keep in mind
Information technology Work
Now that vibe coding is simplifying software development and in some ways 'democratizing' it, it's well worth spending a few minutes to read up and learn about security aspects.
Caught up in the excitement of seeing everything work instantly, we are much more prone to overlook the safeguards that make our product more secure.
This list will also be useful for me when I want to review or take note of risky situations I encountered during development.
In this regard, I have decided to deepen my knowledge on the subject by studying directly from some books that deal with security; because if code becomes faster to write, then I will certainly have more time to dedicate to studying the theory and the necessary precautions. In short, I am going back to books, which I have always preferred.
This is NOT gonna cover everything, but its a good base to start with
1 - Be very careful with API keys provided by third-party services that you are going to use. If, for example, we are implementing a chat history summarization system via OpenAI APIs, then we must ensure that the keys are stored inside .env files that are not committed —pay attention, that are not committed— to public repositories. Furthermore, if the API key is inserted into the frontend code, as has happened very often during my experiments, it will be publicly visible to anyone. The API key must be used server-side and stored in a .env file that is publicly unreachable. If you can also restrict the use of that API key to a specific domain (as is allowed, for example, by Google Cloud Console for Maps JavaScript API keys or Firebase configuration keys), even better
2 - Guys, if you are not using an ORM (and I think you know what I am talking about), make sure that all database queries are correctly escaped and eventually validated! An instruction like
const query = 'SELECT * FROM users WHERE username = \'' + req.body.username + '\' AND password = \'' + req.body.password + '\'';
is deadly! 💀 If you are not sure, use always an ORM, like Prisma.
3 - As for all cases where a login must be performed, for example to an administrative area, make sure that passwords are encrypted in the database. Furthermore, if you can, implement a rate limiting system to restrict access rates against brute force attempts against ANY API. For example this is a good one for express: express-rate-limit. There are many other ways to block such a kind of brute attack, just remember and ask the AI eventually which one could best fit your case.
4 - When managing file uploads, you must implement strict controls to prevent users from executing malicious code on your server. It is essential to restrict uploads by file extension, mime type, and file size; indeed, if you leave the maximum size unrestricted, you run a serious risk of having your server space completely clogged and exhausted by massive files. Take fucking CARE! Additionally, remember that you can block the execution of files within a specific folder directly from the server side, but this must be explicitly configured at the server level. Don't forget to do this, as ensuring the upload directory is non-executable is a crucial step to completely neutralize any uploaded malware
5 - When implementing session management, remember that automated code flows might lack robust security controls, opening the door to session hijacking, session fixation, or replay attacks. A widespread and dangerous error is storing session tokens in insecure locations like browser local storage, which makes them highly vulnerable to theft via Cross-Site Scripting (XSS) attacks.
To manage sessions securely, always use HTTP-only cookies to prevent JavaScript access, and properly configure your flags with Secure, HttpOnly, and SameSite=strict to block unauthorized cross-site operations. Furthermore, ensure you regenerate session IDs immediately after a user authenticates to thwart session fixation, and always set strict session expiration times to minimize exposure if a token is compromised.
6 - Always ensure that your web application enforces HTTPS across all environments to encrypt data in transit. Without HTTPS, any data exchanged between the user and the server—including sensitive credentials, personal information, and session cookies—is transmitted in plain text, making it extremely vulnerable to interception and tampering via man-in-the-middle (MITM) attacks
7 - Last but not the least! Pick a good book and READ before coding, study the weakest aspects of this technology, always, focusing on security-related matters, and always check your code.
