Five things vibe coders should know (from a software engineer)
Tips to keep you and your users safe with actionable security improvements.

A few days ago I saw this tweet:
Followed by this one:
And it underlines a real problem with vibe coding: people are unaware that the code they're generating and the apps they're deploying might be leaving them open to vulnerabilities.
That's a problem that not only they need to resolve fast, but also the tools that facilitate their work.
Insecure code should not be generated, and if it is, the user should be warned about it prior to going live.
While some have been quick to point out that ‘vibe coders’ are bringing this upon themselves for not being real ‘devs’, personally I think it’s nice that so many people who have been unable to build products before (designers, product managers etc.) now have some of the tools to be in the driving seat.
So with that in mind, here are five key things that vibe coders should be aware of while developing their apps to keep themselves and their users safe.
1. Use an environment file for API keys
API keys are like passwords: they should be kept secret and handled with care.
When developing a production app, a software engineer should never include an API key in code they push to GitHub or publish online, as anyone who finds it (and committed keys are easy to find) can use it themselves.
This means that they can effectively pretend to be you. They could run up a huge bill in the third-party tools you're using without you quickly realising. They could steal a list of…
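The practical shape of this advice, as an added example that is not code from the original article: the key lives in a `.env` file that git ignores (or in the deploy platform's secrets), the app reads it from the environment at startup and fails fast if it is absent, and anything logged shows only a redacted suffix. The variable name `THIRD_PARTY_API_KEY`, the sample `.env` text and the `.gitignore` check are assumptions for illustration; the small parser stands in for a library such as python-dotenv.

```python
"""Keep API keys out of source: load them from the environment at runtime.

Added example, not from the original article. THIRD_PARTY_API_KEY and the
sample .env contents below are assumed names/values for illustration.
"""
import os
import re
from pathlib import Path
from typing import Dict, MutableMapping, Optional

# KEY=value, tolerating an optional leading "export " and surrounding quotes.
_LINE_RE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env_text(text: str) -> Dict[str, str]:
    """Parse the KEY=value lines of a .env file into a dict.

    Blank lines and '#' comments are skipped; matching single or double
    quotes around a value are stripped. Later lines override earlier ones.
    Malformed lines are ignored rather than guessed at.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
            value = value[1:-1]
        values[key] = value
    return values


def apply_env(values: Dict[str, str], env: MutableMapping[str, str],
              override: bool = False) -> Dict[str, str]:
    """Copy parsed values into env. Existing variables win unless override=True,
    so a deploy platform's real secrets beat a stray local .env file."""
    applied: Dict[str, str] = {}
    for key, value in values.items():
        if override or key not in env:
            env[key] = value
            applied[key] = value
    return applied


def load_env_file(path, env: Optional[MutableMapping[str, str]] = None,
                  override: bool = False) -> Dict[str, str]:
    """Load a .env file (if present) into os.environ or the given mapping."""
    target = os.environ if env is None else env
    p = Path(path)
    if not p.is_file():
        return {}
    return apply_env(parse_env_text(p.read_text(encoding='utf-8')), target, override)


class MissingSecret(RuntimeError):
    """Raised at startup when a required secret is not configured."""


def require_secret(name: str, env: Optional[MutableMapping[str, str]] = None) -> str:
    """Return a secret from the environment, failing fast if it is unset.

    A blank value counts as missing: an empty API key is never intended, and
    discovering that at the first API call is worse than at startup.
    """
    source = os.environ if env is None else env
    value = source.get(name, '').strip()
    if not value:
        raise MissingSecret(
            f"{name} is not set; put it in .env (git-ignored) or the deploy platform's secrets")
    return value


def redact(secret: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters, for logs and error messages."""
    if len(secret) <= keep:
        return '*' * len(secret)
    return '*' * (len(secret) - keep) + secret[-keep:]


def gitignore_covers_env(gitignore_text: str) -> bool:
    """True if .gitignore contains a pattern that keeps .env out of commits."""
    patterns = {line.strip() for line in gitignore_text.splitlines()}
    return bool(patterns & {'.env', '/.env', '.env*'})


if __name__ == '__main__':
    # Constructed sample: what a local, git-ignored .env file might contain.
    sample_env = '# local secrets, never committed\nexport THIRD_PARTY_API_KEY="sk-test-1234"\n'
    apply_env(parse_env_text(sample_env), os.environ)
    key = require_secret('THIRD_PARTY_API_KEY')
    print('using key', redact(key))  # logs ********1234, never the full key
```

Run it from the project root; in a real app call `load_env_file('.env')` before `require_secret(...)` and keep `.env` listed in `.gitignore` (the `gitignore_covers_env` helper makes that a cheap startup check). Because `apply_env` does not override variables that are already set, the same code works unchanged when the key is injected by the hosting platform instead of a local file.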