Vibe Code Review Checklist: What to Check Before You Launch
Your AI-built app works. It looks good. But "works in development" and "safe for production" clear very different bars.
Here are the ten areas worth checking before you deploy. This isn't exhaustive — think of it as a starting point to understand where the gaps tend to be.
1. Secrets and API Keys
Are any API keys, database credentials, or service tokens visible in client-side code? AI tools frequently put sensitive values where anyone with DevTools can find them. This is the most common issue in vibe-coded apps.
2. Authentication
Does every protected endpoint verify identity on the server? Client-side auth checks are a UX convenience, not a security boundary. If the server isn't verifying tokens, the API is effectively open.
3. Authorization
Can a logged-in user access another user's data? Authentication tells you who someone is. Authorization determines what they can do. AI tools rarely implement the second part.
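As an added example (not code from the original post), the authorization gap above in a Node-style request handler: the unchecked version looks a record up by id only, so any authenticated user can read anyone's data by guessing ids; the authorized version scopes the lookup to the caller. The in-memory table and the session shape are constructed for the example, and the session is assumed to have already been verified server-side.

```javascript
// Constructed in-memory stand-in for a database table of user-owned records.
const documents = [
  { id: 'doc-1', ownerId: 'user-a', title: 'A private notes' },
  { id: 'doc-2', ownerId: 'user-b', title: 'B private notes' },
];

// Pattern commonly produced by AI tools: authentication only. The record is
// fetched by id alone, so any logged-in user can read any document (an
// insecure direct object reference).
function getDocumentUnchecked(session, docId) {
  if (!session || !session.userId) return { status: 401 };
  const doc = documents.find((d) => d.id === docId);
  return doc ? { status: 200, doc } : { status: 404 };
}

// Hardened: the lookup is scoped to rows the caller owns. A record owned by
// someone else is reported exactly like a missing one (404 rather than 403),
// so the endpoint does not confirm which ids exist.
function getDocumentAuthorized(session, docId) {
  if (!session || !session.userId) return { status: 401 };
  const doc = documents.find(
    (d) => d.id === docId && d.ownerId === session.userId,
  );
  return doc ? { status: 200, doc } : { status: 404 };
}
```

The same ownership scoping belongs in every data-access path (list, update, delete), not only the single-record read shown here.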
4. Row Level Security (Supabase)
If you're on Supabase, is RLS enabled and correctly configured on every table? This is the last line of defense at the database level — and AI tools routinely disable it, misconfigure it, or bypass it with the wrong key.
5. Input Validation
Is user input validated on the server? AI-generated code tends to trust all input by default. That opens the door to SQL injection, XSS, and other injection attacks.
6. Error Handling
Do error responses reveal internal details? Stack traces, column names, and file paths in error messages give anyone poking around more information than they should have.
7. CORS and Security Headers
Is the app configured to reject requests from unauthorized origins? Missing headers and wide-open CORS policies are invisible until someone exploits them.
8. Rate Limiting
Can someone hammer your endpoints with automated requests? Without rate limiting, auth endpoints and third-party API calls are vulnerable to abuse — and potentially expensive overruns.
9. Environment and Deployment
Is the production config locked down? Debug mode, source maps, default credentials, and exposed CI/CD secrets are all common in vibe-coded deployments.
10. Data Protection and Privacy
Is user data handled responsibly? Sensitive data in logs, missing backups, broken deletion flows, and undisclosed tracking all create exposure.
Going Deeper
Knowing what to check is the easier part. Knowing how to check it thoroughly — across different frameworks, tools, and deployment targets — is where the nuance lives. Each of these areas has tool-specific pitfalls that a surface-level pass will miss.
A thorough review of your specific codebase is what the vibe code review service covers.
Want a Professional Review?
This checklist covers the essentials, but a professional vibe code review goes deeper — examining your specific architecture, dependencies, and deployment for issues a checklist can't catch. 48-hour turnaround, detailed report, walkthrough call included.