SecureStartKit
AI Security

Vibe coding

Also known as: AI-assisted coding, AI-generated code, Lovable-style coding

Definition

Vibe coding is the practice of building applications primarily through AI code generation (Copilot, Cursor, Lovable, Bolt, v0) with minimal manual review. The pattern produces shippable prototypes quickly but introduces a documented class of security bugs, including service_role keys in client bundles, missing input validation, and IDOR.

What is vibe coding?

Vibe coding is a colloquial term for building software primarily by prompting an AI agent and accepting its output. The phrase was coined by Andrej Karpathy in early 2025 and spread as tools like Cursor, Lovable, Bolt, and v0 made it possible to generate working apps from natural-language prompts. The "vibe" refers to the loose, prototype-first workflow in which the developer judges the result by whether it runs rather than by reading the code.

What are the common vibe-coding security failures?

Five categories recur across the 2025-2026 wave of breaches (Lovable, Vercel exposure, Bitwarden incident, Moltbook): service_role keys in client components, Server Actions that trust user IDs from form payloads (IDOR), missing Zod validation on inputs, unsigned or unverified webhook handlers, and tables with RLS disabled. Each reflects the model's bias toward its default pattern: the easiest code that runs is also the least secure, because every omitted check (ownership, schema, signature, row policy) is one fewer thing that can break the demo.
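The IDOR pattern from that list, as an added example that is not code from this page or from SecureStartKit: a Server Action that takes the acting user's id from the form payload, beside the hardened version that takes it from the session and validates the rest of the input before touching the data. Next.js, Supabase and Zod are replaced by small in-memory stand-ins (`invoices`, `currentUserId`, `parseInput`, and a `Map` in place of `FormData`) so the file runs offline; those names and the sample data are assumptions, not the framework's API.

```typescript
// Added example, not SecureStartKit code. Stand-ins below are assumptions that
// replace Supabase, the Next.js session and Zod so this runs without a server.
type Invoice = { id: string; ownerId: string; amount: number };

// Constructed sample data: two tenants, one invoice each.
const invoices = new Map<string, Invoice>([
  ["inv_1", { id: "inv_1", ownerId: "user_alice", amount: 120 }],
  ["inv_2", { id: "inv_2", ownerId: "user_bob", amount: 999 }],
]);

// Stand-in for the server-side session lookup (e.g. supabase.auth.getUser()).
// The real user id comes from the verified session cookie, never from the client.
function currentUserId(session: { userId: string } | null): string | null {
  return session?.userId ?? null;
}

// --- vulnerable: the AI's default. Ownership is checked against a value the
// client supplied, so an attacker simply sends the victim's userId. ----------
export function getInvoiceVulnerable(formData: Map<string, string>): Invoice | null {
  const userId = formData.get("userId") ?? "";
  const invoiceId = formData.get("invoiceId") ?? "";
  const inv = invoices.get(invoiceId);
  if (!inv || inv.ownerId !== userId) return null; // passes for any id the attacker names
  return inv;
}

// --- hardened: identity from the session, input validated, lookup scoped ----
const INVOICE_ID = /^inv_[a-z0-9]{1,16}$/;

// Minimal schema check standing in for a Zod schema such as
// z.object({ invoiceId: z.string().regex(INVOICE_ID) }).safeParse(...)
function parseInput(formData: Map<string, string>): { invoiceId: string } | null {
  const invoiceId = formData.get("invoiceId");
  if (typeof invoiceId !== "string" || !INVOICE_ID.test(invoiceId)) return null;
  return { invoiceId };
}

export function getInvoiceHardened(
  session: { userId: string } | null,
  formData: Map<string, string>,
): Invoice | null {
  const userId = currentUserId(session);
  if (!userId) return null; // unauthenticated: fail closed
  const input = parseInput(formData);
  if (!input) return null; // malformed id rejected before any data access
  const inv = invoices.get(input.invoiceId);
  // Ownership is compared with the session user. Any userId in the payload is
  // ignored entirely; with RLS on, this is the same predicate the database applies.
  if (!inv || inv.ownerId !== userId) return null;
  return inv;
}

// Scenario: Bob (user_bob) submits Alice's userId and invoice id.
export function demo(): { vulnerableLeaks: boolean; hardenedLeaks: boolean } {
  const attackerForm = new Map([["userId", "user_alice"], ["invoiceId", "inv_1"]]);
  const bobSession = { userId: "user_bob" };
  return {
    vulnerableLeaks: getInvoiceVulnerable(attackerForm) !== null,
    hardenedLeaks: getInvoiceHardened(bobSession, attackerForm) !== null,
  };
}
```

The point of `getInvoiceHardened` is that the form payload can no longer name the principal at all: the only thing the client controls is which object it asks for, and the server decides whether the session user may see it.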

How do you secure a vibe-coded prototype?

Audit first, then harden. The migration playbook walks through four phases: audit the data access layer (find every Supabase client instantiation and verify which key it uses and whether the file can reach the browser bundle), audit Server Actions for user-ID-from-payload patterns, verify that every webhook handler checks the provider's signature before acting on the body, and enable RLS on every table (which denies all access until a policy exists) before adding policies one at a time. Most vibe-coded apps need two to four days of audit work before they are production-ready.
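The four audit phases above, as an added example that is not SecureStartKit's playbook or tooling: a static pass that applies one heuristic per phase to a set of source files and returns findings. The sample files, the regexes and the function names (`auditFiles`, `countByPhase`, `SAMPLE_FILES`) are constructed for illustration; the regexes catch only the default patterns the glossary names, so treat a clean run as a starting point for the manual audit, not as a pass.

```typescript
// Added example, not SecureStartKit code: a heuristic static audit for the four
// phases of the playbook. Every sample file below is constructed for this demo.
type Phase = "data-access" | "server-action" | "webhook" | "rls";
export interface Finding { file: string; phase: Phase; message: string }

// Constructed sample tree (assumption: a typical Next.js + Supabase layout).
export const SAMPLE_FILES: Record<string, string> = {
  "components/Dashboard.tsx": [
    '"use client";',
    'import { createClient } from "@supabase/supabase-js";',
    // The classic leak: admin key in a client component, via a NEXT_PUBLIC_ variable.
    'const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY!);',
  ].join("\n"),
  "lib/supabase/admin.ts": [
    'import "server-only";',
    'import { createClient } from "@supabase/supabase-js";',
    'export const createAdminClient = () => createClient(process.env.SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);',
  ].join("\n"),
  "app/actions/invoices.ts": [
    '"use server";',
    'export async function getInvoice(formData: FormData) {',
    '  const userId = formData.get("userId"); // identity from the payload',
    '}',
  ].join("\n"),
  "app/api/webhooks/stripe/route.ts": [
    'export async function POST(req: Request) {',
    '  const event = await req.json(); // body trusted without a signature check',
    '  return Response.json({ received: true });',
    '}',
  ].join("\n"),
  "app/api/webhooks/resend/route.ts": [
    'import { timingSafeEqual } from "node:crypto";',
    'export async function POST(req: Request) { /* compares svix-signature with timingSafeEqual */ }',
  ].join("\n"),
  "supabase/migrations/0001_init.sql": [
    "create table public.invoices (id uuid primary key, owner_id uuid);",
    "create table public.profiles (id uuid primary key);",
    "alter table public.profiles enable row level security;",
  ].join("\n"),
};

const USE_CLIENT = /^\s*["']use client["']/m;
const USE_SERVER = /^\s*["']use server["']/m;
const SERVER_ONLY = /import\s+["']server-only["']/;
const SERVICE_ROLE = /SERVICE_ROLE|service_role/;
const PUBLIC_SERVICE_ROLE = /NEXT_PUBLIC_[A-Z0-9_]*SERVICE_ROLE/; // NEXT_PUBLIC_ vars are inlined into the bundle
const CREATES_CLIENT = /create(Admin)?Client\s*\(/;
const USER_ID_FROM_PAYLOAD = /formData\.get\(\s*["'](userId|user_id|uid|ownerId|owner_id)["']\s*\)/;
const EXPORTS_POST = /export\s+(async\s+)?function\s+POST\b/;
const WEBHOOK_VERIFY = /constructEvent|timingSafeEqual|verifySignature|svix|new\s+Webhook\(/;
const CREATE_TABLE = /create\s+table\s+(?:if\s+not\s+exists\s+)?(?:"?\w+"?\.)?"?(\w+)"?/gi;
const ENABLE_RLS = /alter\s+table\s+(?:only\s+)?(?:"?\w+"?\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security/gi;

function tableNames(re: RegExp, sql: string): string[] {
  const names: string[] = [];
  re.lastIndex = 0; // global regexes keep state between calls
  let m: RegExpExecArray | null;
  while ((m = re.exec(sql)) !== null) names.push((m[1] || "").toLowerCase());
  return names;
}

function auditSource(file: string, text: string): Finding[] {
  const out: Finding[] = [];
  const add = (phase: Phase, message: string) => out.push({ file, phase, message });
  // Phase 1: every Supabase client instantiation, which key it holds, where it lives.
  if (CREATES_CLIENT.test(text) && SERVICE_ROLE.test(text)) {
    if (USE_CLIENT.test(text)) add("data-access", 'service_role key used in a "use client" file');
    else if (!SERVER_ONLY.test(text)) add("data-access", 'service_role client without an import "server-only" guard');
  }
  if (PUBLIC_SERVICE_ROLE.test(text)) add("data-access", "service_role key read from a NEXT_PUBLIC_ variable (inlined into the browser bundle)");
  // Phase 2: Server Actions that take the acting user's id from the payload.
  if (USE_SERVER.test(text) && USER_ID_FROM_PAYLOAD.test(text)) add("server-action", "user id taken from formData; derive it from the session instead");
  // Phase 3: webhook POST handlers with no visible signature verification.
  if (/\/webhooks?\//.test(file) && EXPORTS_POST.test(text) && !WEBHOOK_VERIFY.test(text)) add("webhook", "POST handler shows no signature verification");
  return out;
}

export function auditFiles(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  const paths = Object.keys(files);
  // Phase 4: RLS is checked across the whole migration set, since a later
  // migration may enable it for a table created in an earlier one.
  const enabled = paths.filter((p) => p.endsWith(".sql"))
    .reduce<string[]>((acc, p) => acc.concat(tableNames(ENABLE_RLS, files[p] ?? "")), []);
  for (const p of paths) {
    const text = files[p] ?? "";
    if (p.endsWith(".sql")) {
      for (const t of tableNames(CREATE_TABLE, text)) {
        if (enabled.indexOf(t) === -1) findings.push({ file: p, phase: "rls", message: "table " + t + " created without enable row level security" });
      }
    } else {
      findings.push(...auditSource(p, text));
    }
  }
  return findings;
}

export function countByPhase(findings: Finding[]): Record<Phase, number> {
  const counts: Record<Phase, number> = { "data-access": 0, "server-action": 0, webhook: 0, rls: 0 };
  for (const f of findings) counts[f.phase] += 1;
  return counts;
}
```

Running `auditFiles(SAMPLE_FILES)` flags the dashboard twice (client directive plus `NEXT_PUBLIC_` key), the Server Action, the Stripe route and the `invoices` table, and leaves the guarded admin client and the verified Resend route alone. To use it on a real tree, feed it a map of relative path to file contents for every `.ts`, `.tsx` and `.sql` file, then work through the findings phase by phase.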

Learn more

  • Vibe Coding Security: The Complete 2026 Guide
  • From Vibe-Coded Prototype to Secure SaaS

Related terms

  • IDOR: Insecure Direct Object Reference is a vulnerability class where an application uses a user-supplied identifier (such as a userId or recordId) to look up data without verifying that the requester is authorized to access that specific object. IDOR is the most common Server Action bug in AI-generated Next.js code.
  • Service role key: the Supabase API key that bypasses Row Level Security and grants full database access. It must never enter the browser bundle. In a Next.js app the service role key is used only in Server Actions and Route Handlers via createAdminClient, with the module gated by Next.js's server-only package so that any import from client code fails at build time.
  • Backend-only data access: an architectural pattern where the database is never queried directly from the browser. All queries run through Server Actions or Route Handlers using the service_role key, after server-side authentication and Zod validation. The browser only receives data the server explicitly returns.
  • OWASP Top 10: the consensus list of the ten most critical web application security risks, maintained by the Open Worldwide Application Security Project. The 2025 edition (current as of 2026) keeps Broken Access Control at A01, moves Cryptographic Failures to A04 (it was A02 in the 2021 edition), and adds a new A10, Mishandling of Exceptional Conditions.