Keep your AI-generated apps safe and secure
AI tools are amazing at generating code fast, but they don't always generate SECURE code. Every app you build needs security review before going live. This checklist will help you catch 95% of common vulnerabilities.
Run through this checklist before deploying ANY app. Check off each item as you verify it.
No API keys, database URLs, or passwords in your code. Use .env files and add .env to .gitignore.
Never put API keys in client-side JavaScript. Use server-side routes or serverless functions.
If users can log in, use a proven auth library (NextAuth, Clerk, Supabase Auth). Don't roll your own.
Use parameterized queries or an ORM. Never concatenate user input into SQL strings.
Sanitize user input before displaying it. React does this automatically, but be careful with dangerouslySetInnerHTML.
Don't use `*` for CORS in production. Specify exact allowed origins.
Prevent abuse by limiting requests per IP. Use libraries like express-rate-limit or Vercel's built-in protection.
No http:// in production. Use HTTPS for all API calls and redirects. Most hosts (Vercel, Netlify) do this automatically.
Validate all user input on the server side. Don't trust client-side validation alone.
Hash passwords with bcrypt. Never store plain text passwords. Salt each hash.
Use httpOnly cookies for session tokens. Set secure and sameSite flags.
Generic errors for users ("Something went wrong"), detailed logs server-side only.
If you allow uploads, validate file types, limit sizes, scan for malware.
Run `npm audit` to check for vulnerable packages. Update regularly.
Don't put passwords, tokens, or PII in query parameters. URLs get logged everywhere.
Add CSP headers to prevent inline scripts and external resource abuse.
Use least-privilege principle. App user shouldn't have DROP or DELETE permissions unless necessary.
Validate redirect URLs. Don't allow open redirects that phishers can exploit.
Log errors and events, but never log passwords, tokens, or credit card numbers.
Update dependencies monthly. Subscribe to security advisories for your stack.
AI tools often generate code with these security issues. Learn to spot them:
The Problem: AI might put API keys directly in frontend code where anyone can see them.
❌ BAD - Never do this:
const apiKey = "sk_live_abc123xyz";
fetch(`https://api.example.com?key=${apiKey}`);
✅ GOOD - Use environment variables:
// .env.local
NEXT_PUBLIC_API_KEY=sk_live_abc123xyz
// Your code
const apiKey = process.env.NEXT_PUBLIC_API_KEY;
Better: Don't expose keys at all. Make API calls from server-side routes.
The Problem: AI might create features that should be protected without adding auth checks.
❌ BAD - Anyone can delete anything:
app.delete('/api/posts/:id', async (req, res) => {
await db.posts.delete({ id: req.params.id });
});
✅ GOOD - Check user owns the post:
app.delete('/api/posts/:id', requireAuth, async (req, res) => {
const post = await db.posts.findOne({ id: req.params.id });
if (post.authorId !== req.user.id) return res.status(403).send();
await db.posts.delete({ id: req.params.id });
});
The Problem: Concatenating user input into SQL queries allows attackers to execute malicious code.
❌ BAD - User can inject SQL:
const query = `SELECT * FROM users WHERE username = '${username}'`;
✅ GOOD - Use parameterized queries:
const query = 'SELECT * FROM users WHERE username = ?';
db.query(query, [username]);
The Problem: Displaying user input without sanitization lets attackers inject malicious scripts.
❌ BAD - Dangerous in vanilla JS:
element.innerHTML = userComment;
✅ GOOD - React auto-escapes:
<div>{userComment}</div>
// Or sanitize with a library:
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userComment);
Use these tools to scan your apps for vulnerabilities:
FREE - Built into npm
Scans your dependencies for known vulnerabilities. Run `npm audit` in your project directory.
FREE - Open source
Web application security scanner. Finds XSS, SQL injection, and other common issues.
FREE for open source
Continuous security scanning for dependencies. Integrates with GitHub.
FREE - Web-based
Test your HTTPS configuration. Go to ssllabs.com/ssltest and enter your domain.
FREE - Web-based
Check your security headers (CSP, HSTS, etc.). Visit securityheaders.com
FREE - Desktop app
Intercept and analyze HTTP traffic. Great for testing APIs.
Do this before every deployment:
Run: `git status`. Make sure .env files are not staged. If they are, add to .gitignore immediately.
Search your codebase for: "api_key", "password", "secret", "token". Any matches should use environment variables.
Open an incognito window. Try to access protected pages/APIs. You should be redirected or get 401/403 errors.
In terminal: `npm audit`. Fix any HIGH or CRITICAL vulnerabilities with `npm audit fix`.
Visit your site with http:// (not https://). You should be automatically redirected to HTTPS.
Copy this audit into your deployment checklist. Better yet, automate it with a pre-deploy script. Security isn't a one-time thing — it's a practice.