Vibe-Coded Apps Need Real Security
The Problem I Found
The app was a vibe-coded Google Calendar tool called big-year that was picking up traction fast. I was genuinely excited about it — the concept was great. But I’ve seen enough rushed projects to know that security is usually the first thing sacrificed for speed.
I pointed my Claude Code security audit command and security agent at the repo, and in minutes they found a critical issue: the author had committed Google auth tokens for three of their own accounts, and anyone using the web version could have had their own data exposed.
The bad news is open source made those tokens copy-paste ready. The good news is open source also let me find the problem fast, open a PR, and DM the author before things got worse.
Why Vibe Coding Creates Security Gaps
Vibe coding — using AI to rapidly generate applications through natural language prompts — optimizes for speed and functionality. Security is rarely part of the vibe. When you’re iterating quickly, asking an AI to build features as fast as possible, the generated code tends to take the shortest path. That shortest path often means hardcoded credentials, missing input validation, and overly permissive configurations.
The developer in the flow state of vibe coding isn’t thinking about secrets management or the OWASP Top 10. They’re thinking about getting the feature to work. And the AI, optimizing for the prompt it was given, happily generates working but insecure code.
What We Can Do About It
The solution isn’t to stop vibe coding. It’s to add security guardrails that work at the same speed:
- Pre-commit hooks that scan for secrets before they ever hit the repo. Tools like git-secrets or gitleaks catch credentials before they become public.
- AI security scans that can audit a codebase in minutes. If it took me minutes to find the issue with Claude Code, it should be part of every vibe coder’s workflow.
- Template security. If frameworks and starter templates ship with secure defaults — environment variables for secrets, CORS configured, input sanitization in place — then the vibe-coded app starts from a safer baseline.
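The pre-commit hook idea above, as an added example that is not code from the big-year project or the original post: a small Python hook that scans the staged diff for the credential shapes this post describes (Google OAuth token JSON fields and Google API keys) and aborts the commit when an added line matches. The regexes, rule names and sample diff are my own constructed assumptions, deliberately narrow and meant to sit alongside gitleaks rather than replace it.

```python
import re
import subprocess
# Credential shapes the post describes: Google OAuth token JSON fields and
# Google API keys ("AIza" prefix). These regexes are my own assumptions.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "oauth_access_token": re.compile(r'"access_token"\s*:\s*"[^"]{8,}"'),
    "oauth_refresh_token": re.compile(r'"refresh_token"\s*:\s*"[^"]{8,}"'),
    "client_secret": re.compile(r'"client_secret"\s*:\s*"[^"]{8,}"'),
}
# Constructed sample (fake values) in the shape `git diff --cached` emits.
SAMPLE_DIFF = """\
diff --git a/token.json b/token.json
--- /dev/null
+++ b/token.json
@@ -0,0 +1,4 @@
+{
+  "access_token": "ya29.constructed-not-a-real-token",
+  "refresh_token": "1//constructed-not-a-real-token"
+}
"""

def scan_diff(diff_text):
    """Return (file, new_line_no, rule) for each added line matching a rule.
    Only '+' lines are checked, so a commit that removes a token is not blocked."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("@@"):  # "@@ -a,b +c,d @@": new side starts at c
            m = re.match(r"@@ -\S+ \+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            line_no += 1
            findings += [(current_file, line_no, rule)
                         for rule, pat in PATTERNS.items() if pat.search(line)]
        elif line.startswith(" "):  # unchanged context line still advances
            line_no += 1
    return findings

def main():  # non-zero exit makes git abort the commit
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, no, rule in findings:
        print(f"{path}:{no}: possible {rule}; move it to an env var and untrack it")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

Save it as an executable .git/hooks/pre-commit (or wire it into a pre-commit framework); a token that has already been committed still has to be revoked, because removing it from the repo does not un-leak it.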
The Responsibility Gap
When anyone can build an app in an afternoon, we need to make sure security knowledge isn’t a prerequisite for shipping. It needs to be baked into the tools. The alternative is an explosion of deployed apps with the same classes of vulnerabilities we’ve been fighting for decades, just generated faster.
Security at the speed of vibes — that’s the real challenge.
This article was originally posted on LinkedIn.