AI-assisted application builds often fail at authorization, data isolation, secret handling, and dependency hygiene unless those controls are made explicit.
Focus 1
IDOR / BOLA
Authorize every object access on the server, not only in the UI. Hiding a link or button does not stop a request that carries another user's object id; the handler itself must check that the authenticated caller may access that specific record.
Focus 2
Use database row-level security or equivalent tenant isolation for multi-user data.
Focus 3
Keep API keys server-side and rotate any secret that reaches client code or logs.
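A check for Focus 3, added here and not taken from the page: scan a built client bundle and a server log for key-shaped strings before release, plus a log filter that redacts the same shapes. The bundle, log lines and rule set are constructed for the example and `find_secrets`, `redact` and `release_check` are illustrative names; real scanners such as gitleaks or trufflehog carry far larger rule sets. A match means the credential has left the server boundary and must be rotated, not merely deleted from the file.

```python
import re
from typing import Dict, List

# Constructed rule set. Shapes chosen for illustration: a vendor-style prefixed key,
# a long hex token, and a bearer token inside a logged Authorization header.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "prefixed_api_key": re.compile(r"\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "hex_token_32plus": re.compile(r"\b[0-9a-f]{32,}\b"),
    "bearer_in_header": re.compile(r"(?i)authorization:\s*bearer\s+[A-Za-z0-9._-]{20,}"),
}


def find_secrets(text: str, source: str) -> List[dict]:
    """Return one finding per match, with a short preview so the report itself does not leak the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(
                    {"source": source, "line": lineno, "rule": rule, "preview": m.group(0)[:12] + "..."}
                )
    return findings


def redact(text: str) -> str:
    """Log filter: replace every match with a marker naming the rule, never the value."""
    out = text
    for rule, pattern in SECRET_PATTERNS.items():
        out = pattern.sub(f"[REDACTED:{rule}]", out)
    return out


# Constructed client bundle: the key was meant for the server but ended up in the browser build.
CLIENT_BUNDLE = """\
const api = "https://api.example.com/v1";
const KEY = "sk_live_a1B2c3D4e5F6g7H8i9J0";
fetch(api + "/charges", { headers: { Authorization: "Bearer " + KEY } });
"""

# Constructed server log: a request logger wrote the full Authorization header.
SERVER_LOG = """\
2024-05-01T10:00:00Z INFO GET /v1/charges authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnopqrstuvwxyz
2024-05-01T10:00:01Z INFO db connect host=db.internal user=app
"""


def release_check() -> List[dict]:
    """Gate to run in CI against the built assets and a sample of recent logs."""
    return find_secrets(CLIENT_BUNDLE, "dist/app.js") + find_secrets(SERVER_LOG, "logs/app.log")


if __name__ == "__main__":
    for f in release_check():
        print(f"{f['source']}:{f['line']} {f['rule']} {f['preview']}  -> rotate this credential")
    print(redact(SERVER_LOG))
```

Run the scan against the artifacts that actually ship (the minified bundle, not the source tree) and against what the request logger really writes; the redaction filter belongs in the logging pipeline so a future header dump is masked before it is stored.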
Focus 4
Use established auth libraries and verify session checks on every protected route.
Focus 5
Validate input at boundaries and use parameterized database calls.
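A worked example of Focus 1, 2, 4 and 5 together, added here and not taken from the original page: one lookup handler written twice against an in-memory SQLite table. The vulnerable version trusts the client's invoice id and formats it straight into SQL; the hardened version verifies the session on the route, scopes the query to the caller's tenant with bound parameters (a code-level stand-in for database row-level security), and returns the same "not found" for a record that exists but belongs to another tenant. The table, tokens and sessions are constructed for the example; `Session`, `SESSIONS`, `get_invoice` and `outcome` are illustrative names.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, Optional


# Constructed sample data: two tenants, one invoice each.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [(1, 100, 50), (2, 200, 75)])
    return conn


@dataclass(frozen=True)
class Session:
    """Illustrative server-side session; in a real app it is loaded from a verified cookie or token."""
    user_id: int
    tenant_id: int


# Constructed session store: opaque token -> Session. Alice is tenant 100, Bob is tenant 200.
SESSIONS: Dict[str, Session] = {
    "tok-alice": Session(user_id=1, tenant_id=100),
    "tok-bob": Session(user_id=2, tenant_id=200),
}


class Unauthorized(Exception):
    pass


class NotFound(Exception):
    pass


def row_to_dict(row) -> dict:
    return {"id": row[0], "tenant_id": row[1], "amount": row[2]}


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: str) -> dict:
    """The shape generated code often takes: no session check, no ownership check,
    and the raw path parameter formatted straight into the SQL string."""
    row = conn.execute(
        f"SELECT id, tenant_id, amount FROM invoices WHERE id = {invoice_id}"
    ).fetchone()
    if row is None:
        raise NotFound
    return row_to_dict(row)


def get_invoice(conn: sqlite3.Connection, session_token: Optional[str], invoice_id: str) -> dict:
    """Hardened handler for the same route."""
    # Focus 4: verify the session on this route; do not rely on a "logged in" flag in the UI.
    session = SESSIONS.get(session_token or "")
    if session is None:
        raise Unauthorized
    # Focus 5: validate the identifier at the boundary before it touches the database.
    if not invoice_id.isdigit():
        raise NotFound
    # Focus 1 + 2: the tenant filter comes from the server-side session, never from the
    # request, and both values are bound parameters. A cross-tenant id yields no row.
    row = conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (int(invoice_id), session.tenant_id),
    ).fetchone()
    if row is None:
        # Same response for "does not exist" and "exists but is not yours", so the
        # endpoint cannot be used to enumerate other tenants' ids.
        raise NotFound
    return row_to_dict(row)


def outcome(fn: Callable[..., dict], *args) -> str:
    """Reduce a handler call to a label so the two versions can be compared side by side."""
    try:
        return f"ok:tenant={fn(*args)['tenant_id']}"
    except Unauthorized:
        return "unauthorized"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    db = make_db()
    # Anyone, authenticated or not, can read Bob's invoice and even pull rows via injection.
    print("vulnerable, no session, id=2     :", outcome(get_invoice_vulnerable, db, "2"))
    print("vulnerable, id='0 OR 1=1'        :", outcome(get_invoice_vulnerable, db, "0 OR 1=1"))
    # Alice reads her own invoice, is refused Bob's, and cannot inject.
    print("hardened, alice, id=1            :", outcome(get_invoice, db, "tok-alice", "1"))
    print("hardened, alice, id=2            :", outcome(get_invoice, db, "tok-alice", "2"))
    print("hardened, alice, id='1 OR 1=1'   :", outcome(get_invoice, db, "tok-alice", "1 OR 1=1"))
    print("hardened, no session, id=1       :", outcome(get_invoice, db, None, "1"))
```

The tenant filter in the hardened query is the part generated code most often omits: the session check alone proves who is calling, not that the caller owns record 2. Where the database supports it, the same rule belongs in a row-level security policy keyed on the session's tenant so that every query path, not just this handler, is scoped.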
Focus 6
Review package choices and licenses rather than accepting generated imports blindly.
Focus 7
If the generated build is commercial software, a connected device feature, or packaged software made available in the EU, check the Cyber Resilience Act in addition to ordinary web security duties.
Focus 8
Marketplaces, social products, hosting services, app stores, and user-content systems may trigger DSA duties alongside GDPR and ePrivacy.
Focus 9
Apps that expose connected-product data or data-processing switching features should be triaged against the EU Data Act as well as product-security rules.
Focus 10
Consumer connected hardware can trigger EU product-security rules, UK PSTI requirements, and product-liability exposure if software defects create damage.
Focus 11
Fintech, tax, lending, advisory, and account-servicing workflows should check FTC Safeguards and financial-sector cyber rules.
Focus 12
Software shipped in or as a product should be triaged for product-liability exposure, especially when updates or AI features can affect physical or financial outcomes.