Run through this before shipping any vibe-coded app. For each vulnerability, copy the AI prompt into your coding assistant (Cursor, Copilot, Claude, etc.) and work through the checkboxes.
Severity: 🚨 Critical | Status: 🔴 Not Started
If the login check runs in browser JavaScript, any user can open DevTools, read the source, and skip it; they can also ignore the page entirely and call your API directly. Authentication and authorization logic belongs on the server. The client should only submit credentials and receive an opaque session token (or signed JWT) after the server verifies them, and every protected endpoint must re-check that token and derive the user's role from server-side state, never from a field the client sends.
AI Prompt to Fix:
Analyze the entire codebase to detect any authentication or authorization logic implemented on the client side (e.g., in browser-executed JavaScript). Specifically identify patterns such as password comparisons, role/permission checks, token validation, or login decision logic occurring outside the server.
For each instance found:
* Provide the exact file path and line number
* Include the relevant code snippet
* Classify the type of vulnerability and its security impact
Then refactor the system to enforce server-side authentication exclusively:
* Move all credential validation, role checks, and authentication decisions to secure server-side endpoints
* Ensure the client only submits credentials and receives a verified session token (e.g., JWT or secure session cookie); validate that token on every protected request and derive roles and permissions from server-side state, never from fields the client sends
* Remove or replace all insecure client-side logic
Output:
* A list of identified vulnerabilities with locations and explanations
* Refactored code with clear separation of client and server responsibilities
* Secure implementation of authentication flow following best practices