Security Testing Checklist
AI-generated code is notoriously insecure. Hardcoded secrets, missing input validation, and broken authentication are present in the majority of vibecoded applications. This checklist covers the security tests every builder must perform before exposing their app to the internet.
Last updated: 2026-03-14
Authentication Security
Passwords are hashed and never stored in plain text
Verify that the database stores password hashes, not readable passwords, and that the hashing algorithm is a modern, purpose-built password hash such as bcrypt or Argon2 rather than a bare MD5 or SHA digest.
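One way to run this check over an exported password column, as an added example that is not part of the original checklist or its service: the classifier below recognises the encodings that bcrypt, Argon2 and PBKDF2 write, flags bare hex digests as unsalted, and treats everything else as plaintext. The sample rows are constructed; the argon2 and bcrypt strings are illustrative encodings, not real credentials.

```python
import re

# Constructed sample rows, shaped like an export of a users table's password column.
SAMPLE_ROWS = [
    ("alice", "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"),
    ("bob",   "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),   # an unsalted MD5 hex digest
    ("dave",  "hunter2"),                            # stored in plain text
]

# Prefixes of the modular-crypt encodings produced by modern password hashers.
MODERN_PREFIXES = {
    "$argon2id$": "argon2id",
    "$argon2i$": "argon2i",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "pbkdf2_sha256$": "pbkdf2 (Django encoding)",
    "$pbkdf2-sha256$": "pbkdf2 (passlib encoding)",
}

# Bare hex strings of these lengths are almost always a single unsalted digest.
HEX_DIGEST_NAMES = {32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized", 128: "SHA-512-sized"}


def classify_password_field(value):
    """Return (verdict, detail) for one stored password value.

    verdict is "ok" for a recognised modern hash, "weak" for a bare digest, and
    "fail" for plaintext or anything unrecognised (treat as plaintext until proven otherwise).
    """
    for prefix, name in MODERN_PREFIXES.items():
        if value.startswith(prefix):
            return "ok", name
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_DIGEST_NAMES:
        return "weak", f"unsalted {HEX_DIGEST_NAMES[len(value)]} hex digest"
    return "fail", "plaintext or unrecognised format"


def audit_password_storage(rows):
    """Classify every (username, stored_value) row; returns a list of (user, verdict, detail)."""
    return [(user, *classify_password_field(value)) for user, value in rows]


if __name__ == "__main__":
    for user, verdict, detail in audit_password_storage(SAMPLE_ROWS):
        print(f"{user:8} {verdict:5} {detail}")
```

Any row other than "ok" fails the checklist item; a "weak" row means a fast digest that an offline cracker can test at billions of guesses per second.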
Session tokens are secure and httpOnly
Inspect the cookies set on login and verify that the session cookie carries the HttpOnly, Secure, and SameSite attributes with appropriate values.
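An added example of this inspection done on the raw Set-Cookie header rather than by eye (my code, not the checklist's): it parses the attributes and reports each missing or misused flag, including the SameSite=None-without-Secure combination that browsers reject. The headers are constructed samples; the cookie values are placeholders.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return the problems found with a session cookie's attributes (empty list when it passes)."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: script running on the page can read the token")
    if "secure" not in attrs:
        problems.append("missing Secure: the browser will also send it over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        problems.append("missing SameSite: browser default applies; set Lax or Strict explicitly")
    elif samesite.lower() == "none":
        if "secure" in attrs:
            problems.append("SameSite=None: sent on cross-site requests; acceptable only if intended")
        else:
            problems.append("SameSite=None without Secure: modern browsers drop the cookie entirely")
    elif samesite.lower() not in ("lax", "strict"):
        problems.append(f"unrecognised SameSite value {samesite!r}")
    return problems


# Constructed headers, as a tester would see them in the browser's network panel.
SAMPLE_HEADERS = {
    "vibecoded default": "session=a1b2c3d4; Path=/",
    "hardened": "session=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Lax",
    "broken none": "session=a1b2c3d4; Path=/; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "->", audit_session_cookie(header) or ["ok"])
```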
Login rate limiting is in place
Attempt multiple failed logins rapidly and verify that the app throttles or blocks further attempts after a threshold.
Password reset flow is secure
Verify that reset tokens expire, are single-use, and do not reveal whether an email exists in the system.
Logout invalidates the session
Log out and verify that the session token is invalidated and cannot be reused by replaying requests.
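The three token-lifecycle items above (reset tokens that expire and are single-use, a reset form that does not reveal registered emails, and logout that really invalidates the session) share one mechanism: a server-side token store. The store below is an added example, not code from the checklist or its service; TTL values and the `request_password_reset` helper are my assumptions, and the clock is injectable only so the expiry behaviour can be exercised.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60        # reset links die after 15 minutes (assumed policy)
SESSION_TTL = 12 * 3600    # sessions die after 12 hours (assumed policy)


class TokenStore:
    """Server-side record of live session and password-reset tokens.

    Only a SHA-256 digest of each token is stored, so a leaked table does not
    hand out usable tokens. The clock is injectable so expiry can be tested.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}   # digest -> {"kind": ..., "subject": ..., "expires": ...}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, kind, subject, ttl):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp
        self._records[self._digest(token)] = {
            "kind": kind, "subject": subject, "expires": self._clock() + ttl}
        return token

    def _lookup(self, token, kind, remove):
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None or rec["kind"] != kind:
            return None
        expired = rec["expires"] < self._clock()
        if remove or expired:
            del self._records[key]
        return None if expired else rec["subject"]

    def consume_reset_token(self, token):
        """Single use: the record is deleted on first presentation, whether or not it was still valid."""
        return self._lookup(token, "reset", remove=True)

    def session_subject(self, token):
        """Who owns this session cookie, or None if it was never issued, expired, or logged out."""
        return self._lookup(token, "session", remove=False)

    def logout(self, token):
        """Invalidate server-side, so a replayed cookie maps to nobody."""
        self._records.pop(self._digest(token), None)


def request_password_reset(store, registered_emails, email):
    """Identical message whether or not the address exists, so the form is not an account oracle.

    The token is returned only so this demo can use it; a real app sends it by email.
    """
    message = "If that address is registered, a reset link has been sent."
    if email in registered_emails:
        return message, store.issue("reset", email, RESET_TTL)
    return message, None


if __name__ == "__main__":
    store = TokenStore()
    msg, token = request_password_reset(store, {"a@example.com"}, "a@example.com")
    print(msg)
    print("first use:", store.consume_reset_token(token))    # a@example.com
    print("second use:", store.consume_reset_token(token))   # None
    sess = store.issue("session", "a@example.com", SESSION_TTL)
    store.logout(sess)
    print("replayed after logout:", store.session_subject(sess))  # None
```

Deleting the record on first presentation, rather than marking it used, is what makes the single-use property hold even if two reset requests race. Storing digests rather than raw tokens means the "replay" test still fails after a database dump.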
Input Validation
All user input is sanitized server-side
Submit HTML, JavaScript, and SQL payloads in every input field and verify that the server itself, not only the browser-side code, rejects or sanitizes them.
File uploads validate type and size
Attempt to upload executable files, oversized files, and files with spoofed extensions to verify restrictions.
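An added example of the server-side validation this item tests for, written by me rather than taken from the checklist or its service: the decision is made on the file's leading bytes and its size, the extension must agree with the content, and the stored name is server-generated so the client-supplied name never reaches the filesystem. The accepted types, the size limit and the sample uploads are assumptions.

```python
import secrets

# Leading bytes ("magic numbers") of the file types this hypothetical app accepts.
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
ALLOWED_MIME = {"png": "image/png", "jpg": "image/jpeg", "pdf": "application/pdf"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit


def sniff_type(data):
    """Identify the type from the content itself, ignoring the name and the declared MIME type."""
    for kind, magic in MAGIC_BYTES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, declared_mime, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, detail). On success, detail is the server-chosen storage name."""
    if len(data) > max_bytes:
        return False, f"rejected: {len(data)} bytes exceeds the limit of {max_bytes}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in MAGIC_BYTES:
        return False, f"rejected: extension {ext!r} is not on the allowlist"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "rejected: content does not match any allowed type"
    if sniffed != ext:
        return False, f"rejected: content is {sniffed} but the name claims {ext}"
    if declared_mime != ALLOWED_MIME[ext]:
        return False, f"rejected: declared MIME type {declared_mime!r} does not match .{ext}"
    # Never store under the client's name: a random name with the sniffed extension makes
    # double extensions such as "shell.php.png" and path characters in the name irrelevant.
    return True, f"{secrets.token_hex(16)}.{sniffed}"


# Constructed sample uploads a tester would try.
SAMPLE_UPLOADS = [
    ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    ("avatar.png", "image/png", b"MZ\x90\x00" + b"\x00" * 64),          # executable renamed to .png
    ("report.pdf.exe", "application/pdf", b"%PDF-1.7" + b"\x00" * 64),  # trailing extension decides
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff" + b"\x00" * 64),
]

if __name__ == "__main__":
    for name, mime, data in SAMPLE_UPLOADS:
        print(name, "->", validate_upload(name, mime, data))
```

Magic-byte sniffing is not a complete content check (a valid PNG can still carry hostile data for a downstream parser), but it is the test that "spoofed extension" uploads should fail, and it is the one most AI-generated upload handlers skip.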
API endpoints validate request bodies
Send malformed JSON, missing fields, and incorrect types to API endpoints and verify they return proper error responses.
URL parameters are validated
Modify URL parameters to include SQL injection, path traversal, and other attack payloads to verify they are handled safely.
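The two payload classes this item names, SQL injection and path traversal, are defeated by the same habit: parse the parameter into the narrow type you expect, then hand it to an API that cannot reinterpret it. The code below is an added example of that habit (mine, not the checklist's or its service's): a strict integer parser feeding a bound-parameter query against a constructed in-memory SQLite table, and a path resolver that confines a user-supplied relative path to a base directory. Table, base directory and sample parameters are all assumptions.

```python
import re
import sqlite3
from pathlib import Path

ID_PATTERN = re.compile(r"[1-9][0-9]{0,17}")   # a positive integer of bounded length


def parse_resource_id(raw):
    """Accept only a plain positive integer; quotes, spaces, operators and SQL all fail here."""
    if raw is None or not ID_PATTERN.fullmatch(raw):
        return None
    return int(raw)


def fetch_document_title(conn, raw_id):
    """Look up a document by a URL parameter with a bound parameter, never string formatting."""
    doc_id = parse_resource_id(raw_id)
    if doc_id is None:
        return None
    row = conn.execute("SELECT title FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def resolve_under(base_dir, user_path):
    """Map a user-supplied relative path onto a file inside base_dir, or return None.

    Both paths are fully resolved (".." segments and symlinks) before the containment
    check, so "../../etc/passwd", absolute paths and the base directory itself all fail.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate == base:
        return None
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def make_demo_db():
    """Constructed in-memory table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)",
                     [(1, "Q1 report"), (2, "Board minutes")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    for raw in ["2", "2 OR 1=1", "2; DROP TABLE documents", "-1"]:
        print(repr(raw), "->", fetch_document_title(conn, raw))
    for p in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(repr(p), "->", resolve_under("/srv/app/uploads", p))
```

Note that `Path(base) / "/etc/passwd"` yields `/etc/passwd` (an absolute right-hand side replaces the left), which is exactly why the containment check must run on the resolved result rather than on the input string.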
Data Protection
No secrets are exposed in frontend code
Search the JavaScript bundle and network requests for API keys, database credentials, and other secrets.
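An added example of that search done with patterns instead of scrolling (my code, not the checklist's tooling): it scans bundle text line by line for well-known key formats, credential-bearing database URLs and hardcoded secret assignments, skips publishable keys that are meant to be public, and redacts what it reports. The sample bundle is constructed; the AWS key id and the Stripe test key are the examples those vendors publish in their own documentation, not live credentials.

```python
import re

SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "database URL with password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s/:@]+:[^\s@]+@"),
    "hardcoded secret assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret(?:[_-]?key)?|password|passwd|auth[_-]?token)\b"""
        r"""\s*[:=]\s*["']([^"']{8,})["']"""),
}

# Values that look like keys but are designed to ship to the browser.
PUBLISHABLE_PREFIXES = ("pk_live_", "pk_test_")


def redact(value):
    """Keep enough to locate the finding, never enough to reuse it."""
    return value[:6] + "*" * max(len(value) - 6, 0)


def scan_bundle(text):
    """Return (line_number, label, redacted_value) for every probable secret in a JS bundle."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if value.startswith(PUBLISHABLE_PREFIXES):
                    continue
                findings.append((lineno, label, redact(value)))
    return findings


# Constructed bundle excerpt. Line 1 is a publishable key and should not be reported;
# line 3 passes a token at runtime, which is the correct pattern.
SAMPLE_BUNDLE = """\
const STRIPE_PK = "pk_test_publishableKey1234567890";
const STRIPE_SK = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";
fetch("https://api.example.com", { headers: { Authorization: "Bearer " + TOKEN } });
const db = "postgres://app:Sup3rS3cret@db.internal:5432/prod";
export const config = { apiKey: "AKIAIOSFODNN7EXAMPLE", region: "eu-west-1" };
const debug = false;
"""

if __name__ == "__main__":
    for lineno, label, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {lineno}: {label}: {value}")
```

Run the same scan over the responses captured in the network panel, not just the bundle: AI-generated backends often return a configuration object that includes server-side keys.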
HTTPS is enforced across the entire application
Attempt to load every page over HTTP and verify automatic redirection to HTTPS.
Sensitive data is encrypted at rest and in transit
Verify that personal data, payment information, and other sensitive fields are encrypted in the database; encryption in transit is covered by the HTTPS check above.
Error messages do not leak internal details
Trigger errors and verify responses do not include stack traces, database queries, or file paths.
CORS policy restricts allowed origins
Check that the CORS configuration only allows requests from your own domains, not wildcard origins.
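Wildcard origins are the obvious failure; the subtler one is a suffix or substring check on the Origin header that looks restrictive and is not. The code below is an added example (mine, not the checklist's or its service's) showing that weak check beside an exact-match allowlist and the response headers it produces. The allowed origins are placeholder domains.

```python
from urllib.parse import urlsplit

# Exact origins (scheme + host + optional port) that may read API responses. Assumed values.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def origin_allowed_weak(origin):
    """A check that reads as correct and is not: a suffix match on the raw header.

    It accepts https://evil-example.com and https://notexample.com (same suffix)
    and http://app.example.com (the scheme is never checked). Shown to be recognised, not used.
    """
    return origin.endswith("example.com")


def normalise_origin(origin):
    """Return the canonical scheme://host[:port] form of an Origin header, or None if it is not one."""
    if not origin or origin == "null":       # "null" arrives from sandboxed frames and file:// pages
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match against the allowlist after normalisation."""
    return normalise_origin(origin) in allowed


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """Headers to attach to a response; an empty dict means the browser blocks the cross-origin read.

    A wildcard combined with credentials is refused outright: browsers ignore that
    combination, and the usual workaround, echoing whatever Origin arrives, is worse.
    """
    if "*" in allowed and allow_credentials:
        raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
    canonical = normalise_origin(request_origin)
    if canonical not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": canonical, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for origin in ["https://app.example.com", "https://evil-example.com", "http://app.example.com", "null"]:
        print(origin, "weak:", origin_allowed_weak(origin), "strict:", origin_allowed(origin))
```

To test this item, send a request with an Origin header of a look-alike domain and one with the real domain over plain http; a correct configuration answers neither with Access-Control-Allow-Origin.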
Authorization
Users cannot access other users' data via URL manipulation
Change resource IDs in URLs and API calls to verify that the app checks ownership before returning data.
Admin endpoints are protected from regular users
Attempt to access admin-only routes and API endpoints as a regular user to verify they are blocked.
API rate limiting prevents abuse
Send a high volume of requests to API endpoints and verify that rate limiting kicks in before the server is overwhelmed.
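This item and the login throttling item under Authentication Security are the same control applied to two keys, so one added example serves both (my code, not the checklist's or its service's): a sliding-window limiter with an injectable clock, a login handler that counts attempts per account and per client, and an API limiter keyed on the client. Thresholds and window sizes are assumed.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self._clock = clock
        self._events = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key):
        now = self._clock()
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed policy: 5 login attempts per account or client per minute, 100 API calls per client per minute.
LOGIN_LIMITER = SlidingWindowLimiter(limit=5, window=60)
API_LIMITER = SlidingWindowLimiter(limit=100, window=60)


def handle_login(username, client_ip, password_ok, limiter=LOGIN_LIMITER):
    """Return an HTTP status: 429 once either the account or the client is over the threshold.

    Keying on both means one client cannot spray a password across many accounts
    unthrottled, and one attacker cannot lock out an account by itself forever.
    Every attempt counts, successful or not, so the limiter cannot be probed for free.
    """
    if not limiter.allow(("user", username.lower())) or not limiter.allow(("ip", client_ip)):
        return 429
    return 200 if password_ok else 401


def handle_api_request(client_ip, limiter=API_LIMITER):
    """Return 429 when the client has exhausted its allowance, else 200."""
    return 200 if limiter.allow(client_ip) else 429


if __name__ == "__main__":
    # Six rapid failed logins from one client: the sixth must be throttled, not just refused.
    print([handle_login("alice", "203.0.113.9", False) for _ in range(6)])   # [401, 401, 401, 401, 401, 429]
```

A 429 that arrives only after the password check has run still leaks timing and still spends a bcrypt verification per guess; check the limiter before touching the credential store.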
Deleted resources are truly inaccessible
Delete a resource and then attempt to access it directly to verify it returns 404, not the deleted content.
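The four Authorization items above come down to one access-control layer that every read, write and delete goes through. The service below is an added example of that layer (mine, not the checklist's or its service's): ownership and soft-delete failures both surface as 404, so a manipulated ID does not confirm that someone else's record exists, while admin-only routes return 403 to a logged-in non-admin. Users, roles and documents are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Mapped to HTTP 404. Used for missing, deleted and not-yours alike, so the app
    never confirms that an ID exists to a caller who may not see it."""


class Forbidden(Exception):
    """Mapped to HTTP 403, for routes a logged-in user has no role for."""


@dataclass
class User:
    id: int
    role: str = "user"   # "user" or "admin"


@dataclass
class Document:
    id: int
    owner_id: int
    body: str
    deleted_at: Optional[float] = None   # soft delete: the row stays, its visibility goes


class DocumentService:
    def __init__(self, documents):
        self._docs = {d.id: d for d in documents}

    def get(self, actor, doc_id):
        doc = self._docs.get(doc_id)
        if doc is None or doc.deleted_at is not None:
            raise NotFound(doc_id)
        if doc.owner_id != actor.id and actor.role != "admin":
            raise NotFound(doc_id)          # not 403: do not leak that the document exists
        return doc

    def delete(self, actor, doc_id):
        doc = self.get(actor, doc_id)       # the same ownership rule gates deletes
        doc.deleted_at = time.time()

    def list_all(self, actor):
        """Admin-only route: the role check is explicit, not inferred from a UI flag."""
        if actor.role != "admin":
            raise Forbidden("admin role required")
        return [d for d in self._docs.values() if d.deleted_at is None]


def http_status(fn, *args):
    """Translate the service outcome into the status a tester would observe."""
    try:
        fn(*args)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403


def make_demo_service():
    """Constructed data: two documents with different owners."""
    return DocumentService([Document(10, owner_id=1, body="alice's notes"),
                            Document(11, owner_id=2, body="bob's notes")])


ALICE, BOB, ADMIN = User(1), User(2), User(3, role="admin")

if __name__ == "__main__":
    svc = make_demo_service()
    print("bob reads alice's doc:", http_status(svc.get, BOB, 10))        # 404
    print("bob lists all docs:", http_status(svc.list_all, BOB))           # 403
    svc.delete(ALICE, 10)
    print("alice reads deleted doc:", http_status(svc.get, ALICE, 10))    # 404
```

When running the checklist, compare the responses for "someone else's ID" and "an ID that was never issued"; if they differ in status, body or timing, the app has an existence oracle even though it blocked the read.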
Frequently Asked Questions
Is this checklist sufficient for full security compliance?
This checklist covers the most common and critical security issues in AI-generated apps. For applications handling sensitive data like healthcare or financial information, you should also engage a professional security auditor.
What are the biggest security risks in AI-generated code?
Hardcoded API keys and secrets, missing authentication on API endpoints, no input validation, and exposed debug information are the top four. AI tools consistently produce these vulnerabilities because they prioritize functionality over security.
Let human testers run through this checklist for you
Submit your app and our testers will find the bugs you missed. Starting at €15 per test.
Related checklists
Authentication Testing Checklist
Authentication testing checklist for AI-generated apps. Verify login, registration, password reset, OAuth, and session management work securely.
API Testing Checklist
API testing checklist covering endpoints, validation, error handling, and authentication. Ensure your AI-generated API is reliable and well-behaved.
Payment Integration Testing Checklist
Payment integration testing checklist for AI-built apps. Verify Stripe, PayPal, and other payment flows work correctly before accepting real money.