// Pre-launch checklist

Before you ship that vibe-coded app.

Print this. Tape it next to your monitor. Don't deploy until every box has a checkmark — or until you've consciously accepted the risk of the ones that don't.

01

Authentication & Authorization

  • Roles live in a dedicated table, never on the user/profile row.
  • Every authorization check runs server-side, never in React/UI code.
  • Password reset tokens expire (≤1 hour) and are single-use.
  • Sessions can be revoked centrally.
  • MFA is available for admin accounts (and enforced where possible).
  • Sign-in flows are rate-limited and protected against credential stuffing.

02

Database & Data Access

  • Row-Level Security (RLS) is enabled on every table.
  • Every table has explicit allow policies — default is deny.
  • Policies use a SECURITY DEFINER function (e.g. has_role) to avoid recursion.
  • No table exposes other tenants' data via a foreign key join.
  • Service-role / admin DB keys never reach client code.
  • Backups are enabled, encrypted, and tested.
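As an added example (not from the page or from Cloud Security Partners) of the pattern behind sections 01 and 02: roles in a dedicated table, RLS switched on so the default is deny, and a SECURITY DEFINER has_role function that policies can call without recursing into the user_roles table's own policies. It assumes Postgres with Supabase's auth schema (auth.users, auth.uid(), the authenticated role); the table and function names are illustrative.

```sql
-- Assumption: Postgres with Supabase's auth schema (auth.users, auth.uid(),
-- the "authenticated" role). Table and function names are illustrative.

-- Section 01: roles live in a dedicated table, not on the profile row.
create type public.app_role as enum ('admin', 'user');

create table public.user_roles (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users(id) on delete cascade,
  role    public.app_role not null,
  unique (user_id, role)
);

-- Section 02: RLS on; with no policy defined yet, every access is denied.
alter table public.user_roles enable row level security;

-- has_role runs as its owner (SECURITY DEFINER), so the SELECT inside is
-- not subject to the RLS policies on user_roles. A policy that queried
-- user_roles directly would fire those same policies and recurse.
create or replace function public.has_role(_user_id uuid, _role public.app_role)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.user_roles
    where user_id = _user_id
      and role = _role
  );
$$;

-- Explicit allow policies; anything not listed here stays denied.
create policy "users read own roles"
  on public.user_roles
  for select
  to authenticated
  using (auth.uid() = user_id);

create policy "admins manage all roles"
  on public.user_roles
  for all
  to authenticated
  using (public.has_role(auth.uid(), 'admin'))
  with check (public.has_role(auth.uid(), 'admin'));
```

Because has_role runs with its owner's privileges, keep its body to this single lookup and grant EXECUTE on it only to the roles that need it.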

03

Secrets & Configuration

  • All API keys live in a secret manager — none committed to git.
  • Public/anon keys are the only keys shipped to the browser.
  • Secrets that ever leaked have been rotated (check git history).
  • A secret-scanning hook (gitleaks, trufflehog) runs pre-commit.
  • Environment-specific configs are separated (dev/staging/prod).

04

Input Validation & Output Encoding

  • Every server function / API route validates input with Zod or equivalent.
  • Length, type, format, and range are checked on every field.
  • Database queries use parameters / ORMs — no string concatenation.
  • User content rendered as HTML is escaped or sanitized (DOMPurify).
  • File uploads check MIME type, size, and are stored outside the web root.

05

APIs, Webhooks & Integrations

  • Webhook handlers verify signatures with HMAC (timing-safe).
  • Public endpoints are explicitly opted-in — defaults are authenticated.
  • Third-party integrations use least-privilege scopes.
  • CORS is restricted to known origins, not '*'.
  • Rate limits are enforced on every public endpoint.

06

Observability & Incident Response

  • Authentication events, admin actions, and data exports are logged.
  • Logs are queryable and retained for at least 90 days.
  • Alerts fire on impossible-travel logins and bulk data exports.
  • Error tracking (Sentry or similar) is wired up.
  • You have a written plan for what to do when (not if) a breach occurs.

Want a human to actually verify all of this?

That's literally what Cloud Security Partners does. Our engineers run this checklist (and a much longer one) against your codebase and give you a prioritized fix list.

Cloud Security Partners

Ship the vibe. Keep the perimeter.

Our engineers review AI-generated codebases the way attackers will — line by line, integration by integration. Then we hand you the fix list, ranked by what actually matters.