AI Won't Secure Your Website: Here's What You Need to Check Before You Deploy

A vibe-coded website was hacked in 3 minutes. Here's the production-ready security checklist every vibe coder needs before deploying an AI-built site.

A vibe-coded website was hacked in 3 minutes.

Not 3 hours. Not 3 days. Three minutes.

The site was called Moltbook, a social network built entirely with AI. The founder didn’t write a single line of code. He vibe-coded the whole platform, and it worked perfectly. It went viral. Elon Musk praised it. And then security researchers found the database wide open.

1.5 million authentication tokens. 35,000 email addresses. Private messages. All exposed. Anyone could read, write, or delete data without logging in.

The founder vibe-coded the entire platform, but never asked the AI to handle security.

The Problem With Vibe Coding (That Nobody Talks About)

AI tools like Claude, Cursor, Lovable, and Replit can build you a working website in minutes. They’re incredible at making things that work. But they optimize for one thing: does it work?

They don’t optimize for: is it secure?

That means your AI-generated website might look great and function perfectly while being wide open to attacks. API keys sitting in your frontend code, no input validation on forms, no HTTPS, unprotected admin pages, sensitive data stored in plain text.

These aren’t edge cases. They’re the default when you don’t specifically ask the AI to handle security.

If you don’t ask for security, you won’t get it. AI builds what you describe. Security has to be part of that description.

The Production-Ready Security Checklist

Run this checklist every time you deploy. Not just the first time. Security isn’t a one-time task. It’s a habit.

Here are the 10 things you need to check before you deploy any AI-built website. For each one, I’ve included why it matters, how to fix it, and a prompt you can copy-paste directly into your AI tool.

1. HTTPS is Enabled

Without HTTPS, all data between your users and your site is sent in plain text. Anyone on the same network can read passwords, form submissions, and personal data.

Most hosting platforms like Vercel, Netlify, and Railway enable HTTPS by default. If yours doesn’t, use Let’s Encrypt for a free TLS (SSL) certificate. Never launch without it.

Prompt to use: “Enable HTTPS with SSL across the entire site. Redirect all HTTP requests to HTTPS. Set secure flags on all cookies.”


2. API Keys and Secrets Are Stored in .env

AI tools often hardcode API keys, database passwords, and secret tokens directly into your code. If you push this to GitHub, anyone can find and use them. This is exactly what happened with Moltbook: their Supabase API key was sitting in the frontend JavaScript, visible to anyone who inspected the page source.

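Move all secrets to a .env file. Reference them using process.env.YOUR_KEY in your server-side code. Never commit the .env file to version control. A .env file only helps if the secret stays on the server: any value that ends up bundled into frontend JavaScript is still visible to every visitor.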

Prompt to use: “Store all API keys, database credentials, and secret tokens in environment variables. Never hardcode secrets in the source code. Use a .env file and reference them with process.env.”


3. .env is in .gitignore

Even if you use a .env file, if it’s not in .gitignore it will get pushed to your repository. Bots actively scan GitHub for exposed secrets; they find them within minutes.

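Add .env to your .gitignore file before your first commit. If you’ve already pushed it, rotate all your keys immediately. They’re compromised. Deleting the file in a later commit does not undo this, because it stays in the repository history.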

Prompt to use: “Add .env to .gitignore. Make sure no sensitive files are tracked by version control. Show me what the .gitignore file should include.”
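A pre-deploy check for checks 2 and 3, as an added example that is not part of the original article: it flags string literals assigned to credential-like names and confirms that .gitignore covers .env. The name list, the 12-character threshold, the simplified .gitignore matching and the sample input are assumptions made for illustration.

```javascript
// Names that suggest a credential (assumed list; extend it for your stack).
const SECRET_NAME = /(api[_-]?key|secret|token|password|passwd)/i;
// Matches name = "literal" or name: "literal" where the literal is 12+ chars.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]([^"'`\s]{12,})["'`]/g;

function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(ASSIGNMENT)) {
      if (SECRET_NAME.test(m[1])) findings.push({ line: i + 1, name: m[1] });
    }
  });
  return findings;
}

// True when the last .gitignore rule that mentions .env ignores it.
// Simplified matcher: only the rule forms ".env", "/.env" and ".env*".
function gitignoreCoversEnv(gitignoreText) {
  let ignored = false;
  for (const raw of gitignoreText.split("\n")) {
    const rule = raw.trim();
    if (!rule || rule.startsWith("#")) continue;
    const negated = rule.startsWith("!");
    const pattern = (negated ? rule.slice(1) : rule).replace(/^\//, "");
    if (pattern === ".env" || pattern === ".env*") ignored = !negated;
  }
  return ignored;
}

// Constructed sample input: one env reference, one hardcoded key, one harmless string.
const SAMPLE_SOURCE = [
  "const supabaseKey = process.env.SUPABASE_KEY;",
  'const apiKey = "EXAMPLE-not-a-real-key-0000";',
  'const title = "Welcome to my site";',
].join("\n");
const SAMPLE_GITIGNORE = "node_modules/\n.env\n";

function preDeployCheck(source, gitignore) {
  return {
    secrets: findHardcodedSecrets(source),
    envIgnored: gitignoreCoversEnv(gitignore),
  };
}
console.log(preDeployCheck(SAMPLE_SOURCE, SAMPLE_GITIGNORE));
```

A clean result here does not prove that a secret was never committed earlier; keys that were pushed at any point still need rotating.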


4. Admin Pages Are Protected

AI-generated admin dashboards often have no authentication. Anyone who guesses the URL (like /admin or /dashboard) can access everything.

Add proper authentication to every admin route. Use role-based access control so only authorized users can access admin functionality.

Prompt to use: “Add authentication to all admin routes. Only users with an admin role should access /admin or /dashboard. Redirect unauthorized users to the login page.”


5. Users Can Only See Their Own Data

AI often builds database queries that don’t filter by user. This means User A can see User B’s data just by changing an ID in the URL. Moltbook had this exact problem: their database had no Row Level Security, meaning anyone could access all data.

Add user-level filtering to every database query. Always verify the logged-in user owns the data they’re requesting before returning it.

Prompt to use: “Add user-level data filtering to every database query. Ensure each user can only read, update, or delete their own records. Verify ownership before returning any data.”


6. Form Inputs Are Validated and Sanitized

AI-generated forms rarely check what users type in. This is how SQL injection and cross-site scripting (XSS) attacks happen: attackers enter malicious code into your form fields.

Validate all inputs on both the client side and the server side. Client-side validation can be bypassed, so the server-side check is the one that counts. Sanitize inputs to strip out any HTML or SQL characters. Use parameterized queries for database operations.

Prompt to use: “Validate and sanitize all form inputs on both client and server side. Prevent SQL injection and XSS attacks. Use parameterized queries for all database operations.”


7. Forms Are Protected From Spam

Without spam protection, bots will flood your contact forms, signup forms, and comment sections with junk submissions. This clutters your database and wastes your time.

Add reCAPTCHA, hCaptcha, or a honeypot field to every public-facing form. Rate limit form submissions so the same IP can’t submit hundreds of times per minute.

Prompt to use: “Add spam protection to all public-facing forms. Implement reCAPTCHA or a honeypot field. Rate limit form submissions per IP address.”


8. Sensitive Data Is Stored Securely

AI tools often store passwords in plain text, save sensitive data in localStorage, or skip encryption entirely. If your database is breached, everything is exposed.

Hash all passwords with bcrypt or argon2. Never store sensitive data in localStorage or cookies without encryption. Use your database’s built-in encryption features.

Prompt to use: “Hash all passwords using bcrypt before storing them. Never store sensitive data in localStorage or plain text cookies. Encrypt sensitive database fields.”


9. API Routes Require Authentication

AI often creates API endpoints without any authentication checks. Anyone who discovers your API URLs can read, modify, or delete data without logging in. Moltbook’s API had zero authentication, and researchers could query the entire database without any credentials.

Add authentication middleware to every API route that handles sensitive data. Verify the user’s session or JWT token before processing any request.

Prompt to use: “Add authentication middleware to all API routes that handle user data. Verify the user’s session or JWT token before processing any request. Return 401 for unauthenticated requests.”
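How checks 4, 5 and 9 fit together in one request handler, as an added example that is not part of the original article. The session store, the message table, the routes and the choice of 403 for logged-in non-admins are constructed for illustration; a real app would use its framework's middleware and database.

```javascript
// Constructed in-memory data standing in for a session store and a database.
const sessions = new Map([
  ["sess-alice", { userId: 1, role: "user" }],
  ["sess-bob", { userId: 2, role: "user" }],
  ["sess-root", { userId: 3, role: "admin" }],
]);
const messages = [
  { id: 10, ownerId: 1, body: "alice's note" },
  { id: 11, ownerId: 2, body: "bob's note" },
];

// Check 9: resolve the session first; no valid session means no processing.
function authenticate(req) {
  return sessions.get(req.sessionId) || null;
}

// Check 5: the owner filter is part of the lookup, not an afterthought.
function findMessageForUser(id, userId) {
  return messages.find((m) => m.id === id && m.ownerId === userId) || null;
}

function handle(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "login required" };

  // Check 4: admin routes need the admin role, not just a login.
  if (req.path.startsWith("/admin")) {
    return user.role === "admin"
      ? { status: 200, body: messages.length + " messages" }
      : { status: 403, body: "forbidden" };
  }

  const match = /^\/api\/messages\/(\d+)$/.exec(req.path);
  if (!match) return { status: 404, body: "not found" };
  const msg = findMessageForUser(Number(match[1]), user.userId);
  // Same 404 for "does not exist" and "belongs to someone else".
  return msg
    ? { status: 200, body: msg.body }
    : { status: 404, body: "not found" };
}

// Alice changes the ID in the URL to Bob's message and gets nothing back.
console.log(handle({ sessionId: "sess-alice", path: "/api/messages/11" }));
```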


10. Rate Limiting Is Enabled

Without rate limiting, attackers can brute force login pages, overwhelm your server with requests, or abuse your API endpoints at scale. Moltbook had no rate limiting, and a single bot created 500,000 fake accounts because nothing stopped it.

Implement rate limiting on login endpoints, API routes, and form submissions. Tools like express-rate-limit (Node.js) or django-ratelimit (Python) make this straightforward.

Prompt to use: “Add rate limiting to all login endpoints, API routes, and form submissions. Limit requests per IP to prevent brute force attacks and API abuse.”
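What per-IP rate limiting (checks 7 and 10) does under the hood, as an added example that is not part of the original article and not the code of express-rate-limit or django-ratelimit. It is a single-process, in-memory sliding window; the limits, the IP addresses and the fake clock are constructed for illustration.

```javascript
// Sliding-window limiter: at most `limit` requests per `windowMs` per key.
function createRateLimiter({ limit, windowMs, now = Date.now }) {
  const hits = new Map(); // key (e.g. client IP) -> timestamps of recent requests

  function check(key) {
    const t = now();
    const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= limit) {
      hits.set(key, recent);
      // Seconds until the oldest counted request leaves the window.
      const retryAfter = Math.ceil((recent[0] + windowMs - t) / 1000);
      return { allowed: false, status: 429, retryAfter };
    }
    recent.push(t);
    hits.set(key, recent);
    return { allowed: true, status: 200, remaining: limit - recent.length };
  }

  // Drop idle keys so the map cannot grow without bound.
  function sweep() {
    const t = now();
    for (const [key, stamps] of hits) {
      if (stamps.every((ts) => t - ts >= windowMs)) hits.delete(key);
    }
    return hits.size;
  }

  return { check, sweep };
}

// Constructed run: 5 login attempts per minute, driven by a fake clock.
function demo() {
  let clock = 0;
  const limiter = createRateLimiter({ limit: 5, windowMs: 60000, now: () => clock });
  const results = [];
  for (let i = 0; i < 7; i++) {
    results.push(limiter.check("203.0.113.7").status);
    clock += 1000; // one attempt per second
  }
  const otherIp = limiter.check("198.51.100.9").status; // separate budget
  clock += 60000; // the window passes
  const afterWindow = limiter.check("203.0.113.7").status;
  return { results, otherIp, afterWindow };
}
console.log(demo());
```

Behind a proxy or CDN the key must be the client address reported by a header you trust, and with more than one server instance the counters need a shared store.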


The Best Fix Is Prevention

Instead of fixing security after you build, prompt it in from the start. Add these to your AI prompts before you start building:

  • “Store all API keys in environment variables, not in the code.”
  • “Add authentication to all admin routes and API endpoints.”
  • “Validate and sanitize all form inputs on the server side.”
  • “Hash passwords using bcrypt before storing them.”
  • “Enable HTTPS and set secure cookie flags.”
  • “Add rate limiting to login and API routes.”
  • “Ensure users can only access their own data.”
  • “Add CSRF protection to all forms.”

Vibe coding builds it. You secure it.