Vibe Coding: Is Your Web App Secure?
Security is critical for any web application, yet it's often overlooked or considered too complex to manage. I've put together a comprehensive Web App Security Checklist that aligns with industry-leading best practices to help vibe coders, developers and teams easily ensure their applications remain safe and resilient.
Whether you're working with advanced tools like Cursor/Windsurf or simpler tools like Lovable, you can seamlessly integrate this checklist into your documentation:
How to Add This Checklist to Your Project:
For Cursor/Windsurf:
For Simpler Tools (e.g., Lovable): Simply copy and paste the entire security checklist directly into the chat window to easily share and track security implementation with your team.
Proactively addressing security helps prevent costly incidents and builds trust with users.
I'd love to hear your thoughts or suggestions on any additional measures you take to protect your applications!
# Web App Security
1. Authentication
A robust authentication mechanism is your first line of defence against unauthorised access. Relying on a well-supported, trusted authentication library (for instance, Clerk) can streamline the process of user login, registration, and session handling.
* **Use a trusted auth library:** Libraries or platforms with active development, community support, and frequent security patches reduce the risks associated with custom, ad-hoc code.
* **Enable multi-factor authentication (MFA):** MFA adds an extra layer of security by requiring users to provide additional evidence of identity (e.g., a one-time code on their phone).
* **Handle password reset & session management:** Ensure secure password reset workflows (such as time-limited links or tokens) and strict session expiration policies to minimise the likelihood of unauthorised usage.
* **Authenticate every API request:** Each request should include verifiable tokens or credentials to confirm the user’s identity and authority. This prevents malicious actors from bypassing the authentication layer.
2. Middleware Protection
Middleware can act as a gatekeeper within your application, providing a central point for enforcing security policies and permissions.
* **Add middleware to protect sensitive routes:** Use middleware layers to verify authentication status and user role before granting access to confidential features or data.
* **Validate user identity and permissions:** Always confirm that the requesting entity is indeed allowed to perform the requested operation. This minimises the risk of privilege escalation attacks.
3. Role-Based Access Control (RBAC)
RBAC ensures that users can only access functions and data relevant to their role (e.g., admin, user, guest). This principle limits the damage that can be done if an account is compromised or misused.
* **Define user roles:** Assign roles based on business requirements—examples may include admins with full access, general users with limited privileges, and guests with minimal capabilities.
* **Restrict access based on roles:** Use checks within your code or database queries to allow or deny access depending on the user’s assigned role. This helps enforce the principle of least privilege.
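The two gates from sections 2 and 3, as an added example that is not part of the original checklist: an Express-style middleware chain that authenticates first, then checks the role's permissions and denies by default. The session store, token values and permission names are constructed for illustration; in a real app the auth library resolves the session.

```javascript
// Express-style middleware, framework-free. All names and tokens are constructed.
const SESSIONS = new Map([
  ['tok-admin', { userId: 'u1', role: 'admin', expiresAt: Date.now() + 60000 }],
  ['tok-user', { userId: 'u2', role: 'user', expiresAt: Date.now() + 60000 }],
  ['tok-stale', { userId: 'u3', role: 'admin', expiresAt: Date.now() - 1 }],
]);
// Role -> permissions. Deny by default: anything not listed is refused.
const PERMISSIONS = new Map([
  ['admin', new Set(['reports:read', 'users:manage'])],
  ['user', new Set(['reports:read'])],
  ['guest', new Set()],
]);

// Gate 1, authentication: missing, unknown or expired sessions get 401.
function requireAuth(req, res, next) {
  const header = String((req.headers && req.headers.authorization) || '');
  const token = header.startsWith('Bearer ') ? header.slice(7) : '';
  const session = SESSIONS.get(token);
  if (!session || session.expiresAt <= Date.now()) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  // The role comes from the server-side session, never from the request body.
  req.user = { id: session.userId, role: session.role };
  return next();
}

// Gate 2, authorisation: the authenticated role must hold the permission.
function requirePermission(permission) {
  return (req, res, next) => {
    const granted = req.user ? PERMISSIONS.get(req.user.role) : undefined;
    if (!granted || !granted.has(permission)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    return next();
  };
}

// Runs a middleware chain against a plain request object and reports the outcome.
function runChain(chain, req) {
  const out = { status: 200, body: null, reachedHandler: false };
  const res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return res; },
  };
  let i = 0;
  const next = () => (i < chain.length ? chain[i++](req, res, next) : (out.reachedHandler = true));
  next();
  return out;
}
```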
4. Sensitive Data Handling
Safeguarding credentials, API keys, and other secrets is paramount to preventing malicious actors from exploiting them.
* **Store secrets in .env files:** Keep sensitive information out of your public codebase by storing it in local environment variables rather than in source code.
* **NEVER expose secrets to client-side code:** Client-side code is easily viewed in the browser, so secrets must stay on the server side only.
* **Add .env to .gitignore:** Prevent accidental commits of sensitive data to version control by ignoring environment files and other confidential resources.
5. Error Handling
Proper error handling helps maintain a good user experience without inadvertently revealing details that attackers could use.
* **Show user-friendly and generic error messages:** Provide basic information such as “Something went wrong” or “Invalid credentials,” rather than revealing database or system details.
* **Log detailed error messages only on the server:** Capture stack traces, query logs, and other diagnostic data in secure server logs, where they can assist debugging but remain hidden from users.
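One way to keep detail on the server while the client sees only a generic message (an added example, not code from the original page): a wrapper that logs the full error under an id and returns that id with a safe message. The `PublicError` class, the data sources and the error text are constructed; the handler is synchronous for brevity.

```javascript
// An error whose message is written for the user and is safe to return as-is.
class PublicError extends Error {
  constructor(status, message) {
    super(message);
    this.name = 'PublicError';
    this.status = status;
  }
}

// Constructed data sources; verify() stands in for the auth library's hash check.
const USERS = {
  find: (email) => (email === 'ana@example.com' ? { verify: (p) => p === 'correct-horse' } : null),
};
const BROKEN_DB = { find: () => { throw new Error('connect ECONNREFUSED 10.0.0.5:5432'); } };

// Unknown user and wrong password raise the same message, so the response
// does not reveal which accounts exist.
function login(db, email, password) {
  const user = db.find(email);
  if (!user || !user.verify(password)) throw new PublicError(401, 'Invalid credentials');
  return { status: 200, body: { ok: true } };
}

// Wraps a handler: full detail goes to the server log under an error id, the
// client receives only a generic message plus that id for support requests.
function withSafeErrors(handler, serverLog) {
  let counter = 0;
  return (...args) => {
    try {
      return handler(...args);
    } catch (err) {
      const errorId = `err-${Date.now().toString(36)}-${++counter}`;
      serverLog.push({ errorId, name: err.name, message: err.message, stack: err.stack });
      const isPublic = err instanceof PublicError;
      return {
        status: isPublic ? err.status : 500,
        body: { error: isPublic ? err.message : 'Something went wrong', errorId },
      };
    }
  };
}
```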
6. Input Validation
User input is a common attack vector, making thorough validation and sanitisation essential.
* **Sanitise and validate all user input:** Protect against malicious input by filtering out disallowed characters, applying length limits, and verifying data types.
* **Prevent SQL injection, XSS, and other attacks:** Use parameterised queries, escaping mechanisms, and content-security policies to minimise the risk of injecting harmful code.
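The three controls named above, side by side, as an added example that is not from the original page: allow-list validation on input, HTML encoding on output, and a parameterised query. The signup schema, field names and `users` table are hypothetical; the `{ text, values }` query shape is the one node-postgres accepts.

```javascript
// Allow-list schema: only these fields are accepted, each with a length cap and pattern.
const SIGNUP_SCHEMA = {
  email: { max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  displayName: { max: 40, pattern: /^[\p{L}\p{N} .'-]+$/u },
};

// Returns { ok: true, value } with trimmed fields, or { ok: false, errors }.
function validate(input, schema) {
  const errors = [];
  const value = {};
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const raw = input[key];
    if (typeof raw !== 'string') { errors.push(`${key}: must be a string`); continue; }
    const text = raw.trim();
    if (text.length < 1 || text.length > rule.max) errors.push(`${key}: length must be 1-${rule.max}`);
    else if (!rule.pattern.test(text)) errors.push(`${key}: invalid format`);
    else value[key] = text;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Output encoding for HTML text and attribute contexts. Valid input such as
// "O'Neil" still contains characters that matter to HTML, so escape on output.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parameterised query: the SQL text is constant and user data travels
// separately as a bound value, so it is never parsed as SQL.
function findUserQuery(email) {
  return { text: 'SELECT id, display_name FROM users WHERE email = $1', values: [email] };
}
```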
7. Database Security
How data is stored, accessed, and queried is a cornerstone of any secure system.
* **Use a trusted ORM or platform:** ORMs (Object-Relational Mappers) such as Prisma, Sequelize, or a secure platform like Supabase can abstract away many low-level security pitfalls.
* **Enable Row-Level Security (RLS) where possible:** RLS allows fine-grained control over which rows can be accessed by which user, adding another layer of data protection.
* **Avoid writing raw queries directly:** Parameterised queries and abstractions help prevent injection vulnerabilities and reduce the scope for human error.
8. Hosting
Where you deploy your application can significantly impact security. Managed platforms often come with built-in safeguards.
* **Host on secure, managed platforms:** Services like Vercel, AWS, or GCP frequently update their underlying infrastructure to address new threats.
* **Ensure firewall, DDoS protection, and automatic updates:** A well-configured firewall, distributed denial-of-service (DDoS) defences, and regularly patched servers guard against the most common and disruptive attacks.
Results of running the checklist
I recently ran the Web App Security Checklist with a client - a highly skilled developer - and they were alarmed by the results below, even when using a simple, user-friendly tool like Lovable, which already covers a lot of security under the hood.
If you're working with more advanced tools like Cursor or Windsurf, you might be in for a shock!
I'll perform a security check of your application using the guide as a starting point. Let's go through each point systematically:
1. Authentication
The application is using Supabase for authentication, which is a trusted platform:
* Using a trusted auth library: Supabase Auth is being used correctly with proper session management.
* Multi-factor authentication: Not currently implemented.
* Password reset: The Supabase Auth UI handles this, but requires proper configuration.
* API authentication: Supabase client is correctly set up with auth token management.
2. Middleware Protection
* Route protection: The dashboard routes check for authentication, but the implementation could be improved.
* User permissions validation: useDashboardAuth hook checks authentication but could be more robust.
3. Role-Based Access Control (RBAC)
* User roles: The system has an isAdmin flag in the profiles table.
* Access restriction: Some basic checks exist, but comprehensive RBAC is not fully implemented.
4. Sensitive Data Handling
* Secret storage: Secrets are stored in Supabase Edge Function environment variables.
* Client-side exposure: No sensitive data is exposed in client-side code.
* API key usage: API keys are handled via Edge Functions, but validation could be improved.
5. Error Handling
* Error messages: Some error handling exists but inconsistent user-friendly messages.
* Error logging: Error logging is basic and could be enhanced for better debugging.
6. Input Validation
* User input validation: Some validation with zod, but not consistently applied across all forms.
* SQL injection protection: Using Supabase client which handles parameterization.
* XSS protection: Limited protection against cross-site scripting attacks.
7. Database Security
* Using trusted platform: Supabase is a secure platform.
* Row-Level Security: RLS is not fully implemented across all tables.
* Query abstraction: Using Supabase client which provides query abstraction.
8. Hosting
* Secure platform: Using a secure hosting platform.
* Firewall & DDoS: Dependent on hosting platform configuration.
Key Security Improvements Needed:
1. Implement comprehensive Row-Level Security (RLS) policies for all tables
2. Enhance error handling with more user-friendly messages
3. Improve input validation and sanitization
4. Add middleware protection for sensitive routes
5. Consider implementing multi-factor authentication
Would you like me to implement any of these specific security improvements?