AI-built app security checklist

The security checklist to run on an AI-built app before it reaches real users.

AI coding tools ship working features faster than they ship a working security model. This checklist covers the items that actually expose customer data or run up bills: auth, database rules, secrets, admin routes, webhooks, uploads, and audit logging.

What should be on an AI-built app security checklist?

Start with database access rules

Confirm that one user cannot read or write another user's rows. With Supabase, this means Row Level Security is enabled on every table and the policies are scoped to the authenticated user. This is the single most common critical failure in AI-built apps.
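A worked version of this check, added here as an example and not code from the page: Supabase-style Row Level Security for a hypothetical `notes` table. The table and column names, and the UUID used in the verification step, are assumptions. Policies are scoped to `auth.uid()` for all four operations, and the final block shows how to verify them from the SQL editor by impersonating a signed-in user.

```sql
-- Added example, not from the original page: RLS for a hypothetical `notes`
-- table in a Supabase/Postgres project. Names and the UUID are constructed.

create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Without this line every policy below is ignored and the table is world-readable
-- through the anon key.
alter table public.notes enable row level security;

-- Anonymous visitors get nothing; signed-in users are limited by the policies.
revoke all on public.notes from anon;
grant select, insert, update, delete on public.notes to authenticated;

-- One policy per operation, each tied to the caller's own user id.
-- `using` filters rows that are visible; `with check` rejects rows being written
-- that would belong to someone else.
create policy "notes: owner can read"
  on public.notes for select to authenticated
  using (user_id = auth.uid());

create policy "notes: owner can insert"
  on public.notes for insert to authenticated
  with check (user_id = auth.uid());

create policy "notes: owner can update"
  on public.notes for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "notes: owner can delete"
  on public.notes for delete to authenticated
  using (user_id = auth.uid());

-- Verification from the SQL editor: take on the `authenticated` role with a
-- constructed JWT subject, then ask for rows owned by anyone else. With correct
-- policies the count is zero; any other result means another user's data leaks.
begin;
set local role authenticated;
set local "request.jwt.claims" to
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
select count(*) as rows_visible_from_other_users
  from public.notes
 where user_id <> auth.uid();
rollback;
```

Repeat the verification block for update and delete as well as select; all of them must touch zero foreign rows. A policy written as `using (true)`, or a table that was created with RLS left disabled, is exactly the failure described above, and the service-role key bypasses RLS entirely, which is why it must never reach the client.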

Then lock down secrets and routes

No Stripe, OpenAI, or service-role keys in the client bundle. Every private and admin route enforced server-side, not just hidden in the UI. Webhooks verify their signatures before acting on the payload.

Finish with operational safety

Safe file uploads, an audit trail for sensitive actions, separated demo and production data, and error monitoring so failures are visible before customers report them.
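The audit-trail item, worked through as an added example rather than code from the page: an append-only `audit_log` table in Postgres/Supabase, filled by a trigger on a hypothetical `payouts` table. All table and column names are assumptions. Application roles cannot read, change, or delete the log; only the trigger function, which runs as its owner, writes to it.

```sql
-- Added example, not from the original page: an append-only audit trail for a
-- hypothetical `payouts` table. Table and column names are constructed.

create table if not exists public.audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  actor_id   uuid,                 -- auth.uid() of the caller; null for service-role jobs
  table_name text not null,
  row_id     text not null,
  action     text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  old_row    jsonb,
  new_row    jsonb
);

-- App roles get no access at all: RLS with no policies plus revoked grants means
-- a compromised user session cannot read or tamper with the trail.
alter table public.audit_log enable row level security;
revoke all on public.audit_log from anon, authenticated;

create or replace function public.write_audit_row()
returns trigger
language plpgsql
security definer        -- runs with the function owner's rights, so the insert
                        -- succeeds even though app roles were revoked above
set search_path = public
as $$
begin
  insert into public.audit_log (actor_id, table_name, row_id, action, old_row, new_row)
  values (
    auth.uid(),
    tg_table_name,
    case tg_op when 'DELETE' then old.id::text else new.id::text end,
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;          -- return value is ignored for AFTER row triggers
end;
$$;

-- The sensitive table being audited (constructed for the example).
create table if not exists public.payouts (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users (id),
  amount_cents integer not null check (amount_cents > 0),
  status       text not null default 'pending'
);
alter table public.payouts enable row level security;

create trigger payouts_audit
  after insert or update or delete on public.payouts
  for each row execute function public.write_audit_row();
```

Attach the same trigger to every table whose rows represent money, access, or personal data. Reading the log is an admin task done with the service role on the server, never through the client; if a demo project and a production project share one database, the trail will also mix their events, which is one more reason to keep those environments separate.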

The full checklist

Work top to bottom. The earliest items are the most likely to leak data or money.

A checklist tells you what to verify. A vibe-coded app security review confirms each item against your actual code and data model.

Related guides

Supabase RLS review

Why Row Level Security is the top failure in AI-built apps and how to verify it.