Vibe Coding Prompts for Secure Development

These 10 security prompts are designed for vibe coders who build with AI assistants like ChatGPT, Claude and Cursor. Copy each prompt, paste it into your AI tool with your code and check the response for red flags. No security background required. For the full prompt library, visit the Sherlock Forensics AI security prompts page.

You Built It with AI. Now Check It with AI.

Vibe coding is how most new software gets built in 2026. You describe what you want. The AI writes it. You iterate until it works. Ship it.

The problem is that "works" and "secure" are not the same thing. AI-generated code compiles, runs and passes basic tests while containing security vulnerabilities that are invisible unless you know to look for them.

These 10 prompts give you a quick security check you can run before you launch. Copy the prompt, paste it into the same AI tool you used to build your app and review the response. Each prompt includes what it checks, what a bad answer looks like and what to do if it finds something.

The 10 Prompts

1. Check for Hardcoded Secrets

Prompt: "Review this code for hardcoded API keys, passwords, tokens, database credentials and secret strings. List every instance with the file name and line number."

What it checks: Credentials that should be in environment variables but are pasted directly into source code.

Red flag: The AI finds strings that look like API keys or passwords. Any match is a problem.

What to do: Move every secret to environment variables. Never commit credentials to version control.
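
A local cross-check for the AI's answer, as an added example that is not part of the original page: a small scanner that reports file name and line number for suspected hardcoded secrets. The rule set and the sample source are constructed assumptions and are not exhaustive.

```python
import re

# Illustrative rules (assumptions, not a complete rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # A secret-looking name assigned a quoted literal of 8+ characters.
    "assigned_secret": re.compile(
        r"""(api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*["'][^"']{8,}["']""",
        re.IGNORECASE,
    ),
}


def scan_source(filename, text):
    """Return (filename, line_number, rule) for each suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, lineno, rule))
                break  # report each line once
    return findings


# Constructed sample file; every value below is fake.
SAMPLE = '''import os

API_KEY = "CONSTRUCTED-not-a-real-key-0000"
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ID = "AKIAEXAMPLEEXAMPLE00"
greeting = "hello world"
'''

if __name__ == "__main__":
    for finding in scan_source("app.py", SAMPLE):
        print(finding)
```

Line 4 of the sample is not reported because the value is read from the environment, which is the pattern the fix asks for.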

2. Check for SQL Injection

Prompt: "Find every database query in this code. For each one, tell me whether it uses parameterized queries or string concatenation. List any query that builds SQL strings from user input."

What it checks: SQL injection, the most exploited vulnerability in web applications.

Red flag: Any query that uses string concatenation, template literals or f-strings with user input.

What to do: Replace every concatenated query with parameterized queries or an ORM.
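
The red flag and the fix side by side, as an added example that is not part of the original page. It uses Python's built-in sqlite3 module; the table, rows and input string are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def find_user_concatenated(conn, email):
    # RED FLAG: the f-string puts user input into the SQL text,
    # so a quote character in the input changes the query itself.
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, email):
    # FIX: the ? placeholder passes the value separately from the SQL text,
    # so it is only ever compared as data.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed input containing quote characters.
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", find_user_concatenated(db, CRAFTED))   # every row
    print("parameterized:", find_user_parameterized(db, CRAFTED))  # no rows
```

Both functions behave the same on ordinary input, which is why the concatenated version passes basic tests.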

3. Check Authentication

Prompt: "Review the authentication system in this code. Does it have rate limiting on login? Does it expire sessions? Does it hash passwords with bcrypt, scrypt or argon2? List anything missing."

What it checks: Common authentication weaknesses that lead to account takeover.

Red flag: No rate limiting, passwords stored in plaintext or MD5, sessions that never expire.

What to do: Implement rate limiting, use bcrypt for password hashing and set session expiration.

4. Check for Missing Input Validation

Prompt: "List every endpoint or function that accepts user input. For each one, tell me what validation is applied. Flag any input that reaches a database query, file operation or shell command without validation."

What it checks: Input validation gaps that enable injection attacks.

Red flag: User input flowing directly to sensitive operations without sanitization.

What to do: Add input validation at every entry point. Whitelist expected formats.

5. Check File Upload Security

Prompt: "Does this application accept file uploads? If so, does it validate file types on the server side, limit file sizes, rename uploaded files and store them outside the web root?"

What it checks: File upload vulnerabilities that allow attackers to upload malicious scripts.

Red flag: Client-side-only validation, files stored in publicly accessible directories, original filenames preserved.

What to do: Validate file types server-side, rename files, store outside web root and scan for malware.

6. Check for Exposed Admin Routes

Prompt: "List every route or endpoint in this application. For each admin or internal route, tell me what authentication and authorization checks protect it. Flag any admin route that is accessible without authentication."

What it checks: Admin panels and internal tools exposed to unauthenticated users.

Red flag: Routes like /admin, /dashboard or /api/internal that have no auth middleware.

What to do: Add authentication and role-based authorization to every admin route.

7. Check Error Handling

Prompt: "Review how this application handles errors. Does it expose stack traces, database details, file paths or internal configuration to users? List any error response that leaks system information."

What it checks: Information disclosure through verbose error messages.

Red flag: Stack traces or database error messages visible in API responses or HTML pages.

What to do: Return generic error messages to users. Log detailed errors server-side only.

8. Check CORS Configuration

Prompt: "What is the CORS configuration for this application? Does it allow all origins? Does it reflect the request origin? Does it allow credentials with a wildcard origin?"

What it checks: Cross-origin resource sharing misconfigurations that allow unauthorized API access.

Red flag: Access-Control-Allow-Origin: * with credentials enabled, or reflecting any origin.

What to do: Whitelist specific allowed origins. Never use wildcards with credentials.
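
An added example, not part of the original page, showing the reflecting pattern next to an exact-match allowlist, plus a probe that detects both red flags listed above. The origins and function names are hypothetical.

```python
# Hypothetical allowlist; replace with the origins your front end is served from.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_reflecting(origin):
    # RED FLAG: echoes whatever Origin was sent and allows credentials, so any
    # site can read responses to requests sent with the user's cookies.
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    # Exact string match only: no prefix, suffix or regex matching.
    if origin not in allowed:
        return {}  # no CORS headers, so the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stops caches serving one origin's response to another
    }


def cors_red_flags(policy):
    """Probe a header-building function with an origin it should not trust."""
    probe = "https://untrusted.example"  # constructed origin, on no allowlist
    headers = policy(probe)
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    flags = []
    if acao == probe:
        flags.append("reflects arbitrary origin")
    if acao == "*" and creds:
        flags.append("wildcard origin with credentials")
    return flags


if __name__ == "__main__":
    print(cors_red_flags(cors_headers_reflecting))
    print(cors_red_flags(cors_headers_allowlisted))
```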

9. Check Dependencies

Prompt: "List every dependency in this project. For each one, verify it exists on the official package registry. Flag any package name that looks unusual, misspelled or has very few downloads."

What it checks: Hallucinated packages and dependency confusion attacks.

Red flag: Package names that do not exist on npm, PyPI or other registries. AI-hallucinated dependencies are a real supply chain risk.

What to do: Verify every dependency exists. Remove hallucinated packages. Pin versions.

10. Check for Insecure Randomness

Prompt: "Find every place this code generates random values. Is it using Math.random(), random.random() or any non-cryptographic random source for security-sensitive operations like tokens, session IDs or passwords?"

What it checks: Predictable random values used in security contexts.

Red flag: Math.random() or random.random() used for tokens, session IDs or any security function.

What to do: Use crypto.getRandomValues() in JavaScript or the secrets module in Python for all security-sensitive random values.
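
A heuristic static check for Python source, as an added example that is not part of the original page: it flags assignments where a call into the random module feeds a variable whose name suggests a security use, and shows the secrets-based replacement. The name hints and the sample source are constructed assumptions.

```python
import ast
import secrets

INSECURE_MODULES = {"random"}  # non-cryptographic PRNG
SENSITIVE_HINTS = ("token", "session", "password", "secret", "otp", "reset")


def find_insecure_random(source, filename="<src>"):
    """Return (filename, line, name) where random.* feeds a sensitive-looking name."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Assign):
            continue
        # Look for any call of the form random.<something>(...) in the value.
        uses_random = any(
            isinstance(c, ast.Call)
            and isinstance(c.func, ast.Attribute)
            and isinstance(c.func.value, ast.Name)
            and c.func.value.id in INSECURE_MODULES
            for c in ast.walk(node.value)
        )
        if not uses_random:
            continue
        for target in node.targets:
            name = getattr(target, "id", "")
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                findings.append((filename, node.lineno, name))
    return findings


def new_session_id():
    # Replacement: 32 bytes from the operating system's CSPRNG, URL-safe encoded.
    return secrets.token_urlsafe(32)


# Constructed sample source.
SAMPLE = '''import random, secrets, string
session_id = "".join(random.choice(string.hexdigits) for _ in range(32))
dice_roll = random.randint(1, 6)
reset_token = secrets.token_urlsafe(32)
'''

if __name__ == "__main__":
    print(find_insecure_random(SAMPLE, "app.py"))
```

Only line 2 of the sample is flagged: the dice roll is not security-sensitive, and the reset token already uses secrets.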

These Prompts Are a Starting Point

These 10 checks cover the most common vulnerabilities we find in vibe-coded applications. They are not a substitute for a professional security audit, but they catch the issues that lead to the most breaches.

For the complete prompt library with advanced checks covering authorization, payment security, API design and infrastructure configuration, visit our AI security prompts page.

If your AI tool finds issues you are not sure how to fix, or if you want confidence that your app is ready for production, our quick audits start at $1,500 CAD.

FAQ

Vibe Coding Security Questions

What is vibe coding?

Vibe coding is building software by describing what you want to an AI assistant and letting it generate the code. The developer focuses on the product vision while the AI handles implementation. It is fast but produces code that needs security review.

Are these prompts enough to make my app secure?

They catch the most common vulnerability patterns. They are a strong first pass but do not replace a professional audit. Business logic flaws and complex authentication bypasses require expert review.

Which AI tool should I use for these prompts?

These prompts work with ChatGPT, Claude, Gemini and Copilot. Use whichever tool you are already building with. The prompts produce consistent results across all platforms.