Vibecoding Patterns

Security mistakes that show up repeatedly in code generated by tools like Cursor, Copilot, and Claude. The code runs and passes the happy path, but it is often insecure.

10 vulnerabilities

Hardcoded API Keys

critical

API keys, tokens, or other secrets written as string literals in source code, visible to anyone with read access to the repository, which for a public GitHub repository means everyone. Load them from the environment or a secrets manager instead, and treat any key that was ever committed as compromised.

CWE-798 / OWASP A02:2021

No Input Validation

medium

User-supplied data passed straight to database queries or external APIs without checking its type, format, length, or content. Validate against an allowlist at the boundary and still use parameterized queries: validation narrows what gets in, parameterization stops what does get in from being interpreted as code.

CWE-20 / OWASP A03:2021
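An allowlist validator for a request body, added here as an illustration and not code from the original page. The schema, field names and sample bodies are constructed; unknown fields are rejected rather than passed through, and optional fields are only checked when present.

```javascript
// Added example (not from the original page): validate a request body
// against an explicit allowlist before it reaches the database or an API.
const USERNAME = /^[a-z0-9_]{3,32}$/;
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Every accepted field is listed with its type and constraints; anything
// not listed is an error, so a client cannot smuggle in extra columns.
const createUserSchema = {
  username: { type: 'string', pattern: USERNAME },
  email: { type: 'string', pattern: EMAIL, maxLength: 254 },
  age: { type: 'integer', min: 13, max: 150, optional: true },
};

function validate(schema, input) {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [key, rule] of Object.entries(schema)) {
    const v = input[key];
    if (v === undefined) {
      if (!rule.optional) errors.push(`missing field: ${key}`);
      continue;
    }
    if (rule.type === 'string') {
      if (typeof v !== 'string') { errors.push(`${key} must be a string`); continue; }
      if (rule.maxLength && v.length > rule.maxLength) { errors.push(`${key} too long`); continue; }
      if (rule.pattern && !rule.pattern.test(v)) { errors.push(`${key} has invalid format`); continue; }
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) { errors.push(`${key} must be an integer`); continue; }
      if ((rule.min !== undefined && v < rule.min) || (rule.max !== undefined && v > rule.max)) {
        errors.push(`${key} out of range`);
        continue;
      }
    }
    value[key] = v; // only validated, listed fields make it into the output
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, value };
}

// Constructed sample bodies: one well-formed, one carrying an injection
// attempt, a malformed email and a privilege field the schema never allowed.
const GOOD_BODY = { username: 'alice_01', email: 'alice@example.com', age: 30 };
const BAD_BODY = { username: "alice'; DROP TABLE users;--", email: 'not-an-email', isAdmin: true };
```

The validated `value` object, not the raw body, is what goes on to the query layer, and the query itself still binds `value.username` as a parameter.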

Passwords Stored in Plaintext

critical

User passwords stored as raw strings in the database, so a single read of the table exposes every account and every other site where the same password is reused. Store only a salted, deliberately slow hash from a password hashing function such as bcrypt or Argon2; a fast digest like SHA-256 is not a substitute.

CWE-256 / OWASP A02:2021

JWT Without Expiration

high

JWTs signed without an `exp` claim never expire on their own: a stolen token keeps working indefinitely, and because JWTs are verified statelessly there is no built-in way to revoke one. Issue short-lived tokens, have the verifier reject any token that lacks `exp`, and keep a server-side denylist or rotate the signing key when a token has to be cut off early.

CWE-613 / OWASP A07:2021

Auth Logic in Frontend Only

high

Showing or hiding UI elements based on user role in React, with no matching check on the server. Anyone can call the API directly with curl or edit client state in DevTools, so the UI is a convenience, not a control; every privileged action has to be authorized server-side from the session, not from anything the client sends.

CWE-602 / OWASP A01:2021

Endpoints Without Authentication

high

API routes that perform sensitive operations (reading user data, modifying records, deleting resources) with no session or token verification, so any unauthenticated caller who knows the URL can invoke them. Authentication belongs in shared middleware applied to every route, not re-implemented, or forgotten, per handler.

CWE-306 / OWASP A01:2021
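Server-side enforcement for the two patterns above (frontend-only role checks and unauthenticated endpoints), added here as an example and not code from the original page. Handlers are plain functions over a constructed request object rather than a specific framework, so it runs stand-alone; the session store, tokens and routes are invented for illustration. The `getUser` route goes one step beyond the text and also restricts reads to the caller's own record.

```javascript
// Added example (not from the original page): authentication and role checks
// as wrappers around route handlers, resolved from the server-side session.
const SESSIONS = new Map([ // constructed session store: opaque token -> user
  ['sess-admin-token', { id: 1, role: 'admin' }],
  ['sess-user-token', { id: 2, role: 'user' }],
]);

// Resolve the caller from a bearer token; null for missing or unknown tokens.
function currentUser(req) {
  const match = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  return match ? SESSIONS.get(match[1]) || null : null;
}

// 401 unless a valid session exists; the wrapped handler never sees anonymous calls.
function requireAuth(handler) {
  return (req) => {
    const user = currentUser(req);
    if (!user) return { status: 401, body: { error: 'authentication required' } };
    return handler({ ...req, user });
  };
}

// Role comes from the session record, never from the request body or a header.
function requireRole(role, handler) {
  return requireAuth((req) => {
    if (req.user.role !== role) return { status: 403, body: { error: 'forbidden' } };
    return handler(req);
  });
}

// Vulnerable shape: the React app hid the delete button from non-admins, and
// the handler "checks" a role field that the client itself supplied.
const deleteUserInsecure = (req) => {
  if ((req.body || {}).role !== 'admin') return { status: 403, body: { error: 'forbidden' } };
  return { status: 200, body: { deleted: req.params.id } };
};

// Fixed: authentication and the admin role are enforced before the handler runs.
const deleteUser = requireRole('admin', (req) => ({ status: 200, body: { deleted: req.params.id } }));

// Reading user data: authenticated, and limited to the caller's own record unless admin.
const getUser = requireAuth((req) => {
  if (req.params.id !== String(req.user.id) && req.user.role !== 'admin') {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { id: Number(req.params.id) } };
});

// Constructed requests: an anonymous caller claiming admin, a user, and an admin.
const anon = { headers: {}, params: { id: '2' }, body: { role: 'admin' } };
const asUser = { headers: { authorization: 'Bearer sess-user-token' }, params: { id: '2' }, body: {} };
const asAdmin = { headers: { authorization: 'Bearer sess-admin-token' }, params: { id: '2' }, body: {} };
```

In a real framework the `requireAuth` wrapper becomes router-level middleware mounted before any route, so a newly added handler cannot be left unprotected by omission.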

Verbose Error Messages

medium

Detailed error messages, stack traces, SQL fragments, or internal file paths returned to the client or written to publicly readable logs, handing attackers a map of the application's internals. Log the full error server-side under a correlation ID and return only a generic message plus that ID.

CWE-209 / OWASP A05:2021

Outdated Dependencies with Known CVEs

medium

npm packages or other dependencies with published security vulnerabilities (CVEs) that have not been upgraded, leaving known and often already weaponized attack paths open in your app. Transitive dependencies count too; `npm audit` against the lockfile, run in CI, catches most of these.

CWE-1104 / OWASP A06:2021

eval() with User Input

critical

Passing user-controlled data to eval(), new Function(), or similar dynamic code execution paths, letting an attacker run arbitrary code with the privileges of your server process. Parse the input into a restricted form instead: for a calculator that means an arithmetic parser, for configuration it means JSON.parse plus schema validation.

CWE-94 / OWASP A03:2021

Secrets in Committed .env Files

critical

A .env file containing real credentials committed to git. Deleting the file in a later commit does not help: the values stay in history and can be recovered by anyone with repo access, so every secret the file ever held has to be rotated. Add .env to .gitignore before the first commit and commit only a .env.example with placeholder values.

CWE-540 / OWASP A02:2021
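One example for both secret-handling patterns on this page (hardcoded API keys and committed .env files), added here and not code from the original page: configuration that is read from the environment and fails fast when a secret is missing, a heuristic scan for credential-looking string literals in source, and a .gitignore check for .env files. The variable names, regex heuristics and sample source are constructed; the key in the sample is a placeholder.

```javascript
// Added example (not from the original page): load secrets from the
// environment, and check a repo for hardcoded keys and unignored .env files.
const REQUIRED_SECRETS = ['PAYMENTS_API_KEY', 'DATABASE_URL']; // hypothetical names

function loadConfig(env = process.env) {
  const missing = REQUIRED_SECRETS.filter((name) => !env[name]);
  if (missing.length > 0) {
    // Fail loudly rather than fall back to a default baked into the source.
    throw new Error(`missing required secrets: ${missing.join(', ')}`);
  }
  return Object.fromEntries(REQUIRED_SECRETS.map((name) => [name, env[name]]));
}

// Heuristic: an identifier that sounds like a credential, assigned a string
// literal of 16+ characters. Tune the name list to your code base.
const CREDENTIAL_NAME = /(api[_-]?key|secret|token|password|passwd)/i;
const STRING_LITERAL_ASSIGNMENT = /[=:]\s*(['"`])([^'"`]{16,})\1/;

function findHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const match = STRING_LITERAL_ASSIGNMENT.exec(line);
    if (!match) return;
    const lhs = line.slice(0, match.index).trim();
    if (!CREDENTIAL_NAME.test(lhs)) return;
    // Report where it is, not what it is: keep the value out of scan output.
    findings.push({ line: index + 1, identifier: lhs.replace(/^(const|let|var)\s+/, '') });
  });
  return findings;
}

// True if the .gitignore body has a rule covering .env files.
function ignoresEnvFiles(gitignoreText) {
  const rules = gitignoreText.split('\n').map((rule) => rule.trim());
  return rules.some((rule) => ['.env', '.env*', '.env.*', '*.env'].includes(rule));
}

// Constructed source file; the key value is a placeholder, not a real credential.
const SAMPLE_SOURCE = [
  "const payments = require('payments-sdk');",
  "const PAYMENTS_API_KEY = 'sk_test_PLACEHOLDER_0000000000';",
  'const dbUrl = process.env.DATABASE_URL;',
  "const banner = 'welcome to the dashboard, enjoy';",
].join('\n');
```

Run `findHardcodedSecrets` and `ignoresEnvFiles` as a pre-commit hook or CI step; the scan is a heuristic and will miss keys with unusual names, so it complements, rather than replaces, a dedicated secret scanner and the rotation of anything already in history.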