Building an app by describing what you want and having an AI assistant generate the code — often called "vibe coding" — has made it dramatically faster to go from idea to a working prototype. It hasn't changed what makes an application secure. The gap between "the code runs and does what I asked" and "the code is safe to expose to real users" is exactly the same gap it's always been; it's just less visible when you didn't type every line yourself.
The code is optimized for working, not for being attacked
Ask an AI assistant for a file upload endpoint, and you'll almost always get something that accepts a file and saves it — because that satisfies the request. Whether it validates file type, caps file size, checks the filename for path traversal characters like ../, or stores uploads outside the web root, depends entirely on whether you asked for those things specifically. The generated code is a correct answer to the prompt, not a complete answer to "is this safe to put on the internet."
Patterns worth checking specifically
A few things show up disproportionately often in AI-generated code that hasn't had a security pass:
- Hardcoded secrets — API keys or database credentials written directly into example code, because that's the fastest way to produce something that runs in a demo.
- Missing authorization checks — an endpoint that checks a user is logged in, but not that they own the specific resource they're requesting.
- Permissive CORS and debug settings — wildcards and
DEBUG=True-style flags that are reasonable defaults for getting something running locally, and dangerous defaults for something deployed. - Unvalidated input passed straight into a query, a command, or a template — the same injection and XSS patterns covered elsewhere on this blog, just generated at higher volume and higher speed than a human typing line by line.
This isn't a reason to avoid AI-assisted development
The speed is real and worth using. The point isn't that AI-generated code is worse than human-written code — plenty of human-written code has the exact same gaps. It's that the volume of code shipped per hour goes up significantly, and a security review step that used to happen implicitly (a developer spending an hour writing the endpoint and thinking about edge cases along the way) needs to happen explicitly instead, because it's no longer built into the time it took to produce the code.
What a quick pass should look for
Before shipping anything generated quickly — by AI or otherwise — it's worth scanning specifically for hardcoded credentials, missing input validation on anything user-facing, authorization checks on every endpoint that touches another user's data, and default configuration flags that were meant for local development. That's a fast, mechanical check, which is exactly the kind of thing worth automating rather than relying on remembering to do it manually on every new file.