5 Security Mistakes Every Vibe Coder Makes
We've scanned thousands of repositories and the same issues keep appearing. Here are the top 5 security mistakes that AI-assisted development tends to create.
1. Exposed API Keys
The most common and most dangerous. AI assistants often:
- Generate example code with placeholder keys that look real
- Put sensitive configuration in client-side code
- Forget to add .env to .gitignore
The fix: Always use environment variables. ProdReady scans for patterns like sk-, ghp_, AWS_, and other key formats.
2. Debug Routes Left Behind
That /api/test route or /debug page seemed harmless during development. In production, it's a security hole.
The fix: Search your codebase for "test", "debug", "temp", and "mock" before deploying.
3. Missing Input Validation
AI-generated forms often work perfectly — with valid input. But what happens with malicious input?
```typescript
// AI-generated (vulnerable): the request value is interpolated straight into the SQL string
const user = req.body.user;
await db.query(`SELECT * FROM users WHERE name = '${user}'`);

// Should be: a parameterised query, so the driver binds the value instead of parsing it as SQL
const safeUser = sanitize(req.body.user);
await db.query('SELECT * FROM users WHERE name = ?', [safeUser]);
```
4. dangerouslySetInnerHTML Usage
React's escape hatch for raw HTML is appropriately named — it's dangerous. AI assistants use it liberally.
The fix: Replace with safer alternatives or properly sanitize content with DOMPurify.
5. target="_blank" Without rel="noopener"
A subtle security issue: without rel="noopener", the page you open can reach back to your page through its window.opener reference.
The fix: Always add rel="noopener noreferrer" to external links.
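A line-based scanner for three of the mistakes above (key-shaped literals from section 1, debug routes from section 2, and target="_blank" without rel="noopener" from section 5), added here as an illustration and not ProdReady's own code. The regexes, rule names and sample lines are assumptions; a production scanner would tokenise code and parse HTML rather than match lines.

```typescript
// Line-based checks for three of the mistakes above: key-shaped literals,
// target="_blank" without rel="noopener", and debug routes left in the router.
// Constructed illustration; a production scanner would tokenise code and parse HTML.
type Finding = { line: number; rule: string; text: string };

// Key-shaped literals: sk-... (OpenAI-style), ghp_... (GitHub PAT, 36 chars after
// the prefix) and hard-coded string assignments to AWS_* variables.
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["openai-key", /\bsk-[A-Za-z0-9_-]{20,}\b/],
  ["github-pat", /\bghp_[A-Za-z0-9]{36}\b/],
  ["aws-hardcoded", /\bAWS_[A-Z_]+\s*[:=]\s*["'][^"']+["']/],
];

// Anchor tags that open a new tab; flagged unless their rel contains noopener.
const TARGET_BLANK = /<a\b[^>]*\btarget=["']_blank["'][^>]*>/gi;
const HAS_NOOPENER = /\brel=["'][^"']*\bnoopener\b[^"']*["']/i;

// Express-style route registrations on debug/test/temp/mock paths.
const DEBUG_ROUTE = /\.(get|post|put|delete|use|all)\(\s*["'`]\/(debug|test|temp|mock)\b/;

function scanLines(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    const line = i + 1;
    for (const [rule, re] of SECRET_PATTERNS) {
      if (re.test(text)) findings.push({ line, rule, text });
    }
    for (const tag of text.match(TARGET_BLANK) ?? []) {
      if (!HAS_NOOPENER.test(tag)) findings.push({ line, rule: "target-blank-noopener", text: tag });
    }
    if (DEBUG_ROUTE.test(text)) findings.push({ line, rule: "debug-route", text });
  });
  return findings;
}

// Constructed sample lines; the key-shaped strings are fake.
const SAMPLE = [
  'const openaiKey = "sk-FAKEFAKEFAKEFAKEFAKEFAKEFAKE0000";',
  "const token = process.env.GITHUB_TOKEN;",
  'const pat = "ghp_FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE";',
  'AWS_SECRET_ACCESS_KEY = "not-a-real-secret";',
  '<a href="https://example.com" target="_blank">Docs</a>',
  '<a href="https://example.com" target="_blank" rel="noopener noreferrer">Docs</a>',
  "app.get('/debug', (req, res) => res.json(process.env));",
  "app.get('/users', listUsers);",
];

console.log(scanLines(SAMPLE)); // 5 findings: lines 1, 3, 4, 5 and 7
```

Run the scan in CI against the files you are about to deploy; a non-empty findings list is a reason to block the release until the line is fixed or the rule is tuned.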
Catch These Issues Automatically
Instead of manually checking for each of these issues, run a ProdReady scan on your repository. It takes seconds and catches all 50+ common issues.