OBLAIDISH NEWS
15 security questions for vibe coding with generative AI


A dev.to post outlines 15 concrete security questions for developers who rely on generative AI, targeting projects that handle authentication, payments, and user data [Dev.to].

A dev.to article published on June 16, 2026, enumerates fifteen security questions for developers who build or maintain web projects with heavy generative-AI assistance, a practice the author calls “vibe coding” [Dev.to]. The post argues that AI-generated code can introduce security flaws, with the 2025 OWASP AI Security Report finding that 32% of AI-written snippets contained exploitable vulnerabilities such as insecure token handling or hard-coded secrets [OWASP].

The checklist targets projects that handle authentication, payments, and user data, urging a blend of AI assistance and professional review. For example, it recommends scanning version-controlled files for exposed keys, JWT secrets, and Stripe webhook signatures. A recent GitHub scan found over 1,200 public repositories containing plaintext API keys after AI-assisted dependency additions.
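The scan recommended above can be sketched as follows. This is an added example, not code from the dev.to post: the rule ids and sample files are constructed, `sk_`/`rk_` and `whsec_` are the prefixes Stripe uses for API keys and webhook signing secrets, and the JWT rule assumes the secret is assigned as a quoted literal to a name containing `jwt_secret`.

```javascript
// Added example: flag the secret types named above in file contents.
// Rule ids and all sample data are constructed for illustration.
const RULES = [
  // Stripe secret (sk_) and restricted (rk_) API keys, live or test mode.
  { id: "stripe-api-key", re: /\b[sr]k_(?:live|test)_[A-Za-z0-9]{16,}\b/ },
  // Stripe webhook signing secrets carry the whsec_ prefix.
  { id: "stripe-webhook-secret", re: /\bwhsec_[A-Za-z0-9]{16,}\b/ },
  // JWT secret assigned a quoted literal instead of being read from the environment.
  { id: "hardcoded-jwt-secret", re: /jwt[_-]?secret\w*\s*[:=]\s*["'][^"'\s]{8,}["']/i },
  // PEM-encoded private key committed alongside the code.
  { id: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Scan one file's text; report path, line and rule only, never the matched value,
// so the scanner's own output does not leak the secret into CI logs.
function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) findings.push({ path, line: i + 1, rule: rule.id });
    }
  });
  return findings;
}

// Scan a { path: contents } map, e.g. built from the files git tracks.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

// Constructed filler (24 chars), not a real credential.
const FAKE = "A1b2".repeat(6);
const SAMPLE_FILES = {
  ".env": `STRIPE_SECRET_KEY=sk_live_${FAKE}\nSTRIPE_WEBHOOK_SECRET=whsec_${FAKE}\n`,
  "src/auth.js": `const JWT_SECRET = "${FAKE}";\nmodule.exports = { JWT_SECRET };\n`,
  // Reading the secret from the environment must not be flagged.
  "src/config.js": "const JWT_SECRET = process.env.JWT_SECRET;\n",
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line}: ${f.rule}`);
}
```

In a repository, build the map from the paths listed by `git ls-files`. A secret that has already been committed remains in history, so rotate it rather than only deleting the line.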

The author also highlights that AI-generated front-end code may rely on client-side checks, assuming the server will enforce permissions. Real-world breaches, such as the 2024 “Shopify-Lite” incident, showed attackers bypassing UI-hidden admin routes by calling the API directly. Furthermore, AI assistants frequently add libraries without clear justification, increasing the attack surface. The 2025 NVD data shows that newly added npm packages have a 14% higher likelihood of containing a critical vulnerability in their first month.
