OBLAIDISH NEWS

AI-coded app security jumps to 84/100 with vercel.json

A Markdown-to-PDF app scored 50/100 on security due to missing HTTP headers, but adding a vercel.json config raised it to 84/100 without changing any React code [dev.to].

A Markdown-to-PDF app built via AI-assisted development scored 50/100 on security due to missing HTTP security headers, such as Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Permissions-Policy [dev.to]. The app uses Marked.js, Highlight.js, and KaTeX for rendering, with a client-side "AI Bracket Fixer" regex pipeline to normalize LLM-generated math delimiters before rendering [dev.to]. It runs entirely client-side with no backend, database, or user authentication. Adding a root vercel.json file enforcing these headers raised the app's security score to 84/100 with perfect marks on HTTP headers [dev.to].

The fix required zero changes to client-side code, which highlights two points: AI coding tools do not configure the HTTP layer the app is served through, and default serverless deployments are not production-hardened [dev.to]. Automated scanners can also flag irrelevant risks, such as missing database protections and credential hashing, even though the app has no backend [dev.to]. Engineers must triage findings against the actual architecture, not against a compliance checklist.
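As an added illustration, not the dev.to author's actual file, a vercel.json that applies the headers named above to every route. It assumes Marked.js, Highlight.js and KaTeX are bundled and served from the app's own origin, that KaTeX's rendered markup needs inline style attributes (hence 'unsafe-inline' in style-src), and that embedded images may arrive as data: URLs from pasted Markdown; adjust the source lists if the libraries are loaded from a CDN.

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
        },
        {
          "key": "X-Frame-Options",
          "value": "DENY"
        },
        {
          "key": "X-Content-Type-Options",
          "value": "nosniff"
        },
        {
          "key": "Permissions-Policy",
          "value": "camera=(), microphone=(), geolocation=(), payment=()"
        }
      ]
    }
  ]
}
```

Because the app renders untrusted Markdown on the client, script-src 'self' without 'unsafe-inline' is the setting that matters most: any inline script that slips through the renderer is blocked by the browser rather than executed. Verify with `curl -I` against the deployed URL that all four headers are present on the root document before rerunning the scanner.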
