30 security rules for AI VIBE CODING
Posted by REHAN, Fri, 06 Mar 2026 23:32:58 +0500
https://pakwap.com/public/index.php/topics/511?pid=769

1. Set session expiration (JWT max 7 days + refresh rotation)
2. Never use AI-built auth. Use Clerk, Supabase Auth, or Auth0
3. Never paste API keys into AI chats. Use process.env
4. .gitignore is your first file in every project, not the last
5. Rotate secrets every 90 days minimum
6. Verify every package the AI suggests actually exists before installing
7. Always ask for newer, more secure package versions
8. Run npm audit fix right after building
9. Sanitize every input. Use parameterized queries always
10. Enable Row-Level Security from day one
11. Remove all console.log statements before shipping
12. CORS should only allow your production domain. Never wildcard
13. Validate all redirect URLs against an allow-list
14. Apply auth + rate limits to every endpoint, including mobile APIs
15. Rate limit everything from day one. 100 req/hour per IP is a start
16. Password reset routes get their own strict limit (3 per email/hour)
17. Cap AI API costs in your dashboard AND in your code
18. Add DDoS protection via Cloudflare or Vercel edge config
19. Lock down storage buckets. Users should only access their own files
20. Limit upload sizes and validate file type by signature, not extension
21. Verify webhook signatures before processing any payment data
22. Use Resend or SendGrid with proper SPF/DKIM records
23. Check permissions server-side. UI-level checks are not security
24. Ask the AI to act as a security engineer and review your code
25. Ask the AI to try and hack your app. It will find things you won't
26. Log critical actions: deletions, role changes, payments, exports
27. Build a real account deletion flow. GDPR fines are not fun
28. Automate backups and test restoration. An untested backup is nothing
29. Keep test and production environments completely separate
30. Never let test webhooks touch real systems