← The Owens Vibe Coding & Development Institute
Rigor toolkit

🔒 The TOVCDI Security Audit Checklist

The OWASP Top 10, translated for builders. The security pass every shipped app needs.

🔒 The TOVCDI Security Audit Checklist

The deep version of the Pre-Ship Checklist's "Lock It Down" section. This is the OWASP Top 10, translated for builders — the hacks that actually happen to vibe-coded apps, and how to check for each. Pairs with Lesson L3 — Security Essentials.

How to run it

Go line by line on your own app. For each item: find where it lives in your code, then verify. "I think the AI handled it" is not a check. Looking at the actual line is a check.

🔑 1. Secrets & keys

  • No API keys, passwords, or tokens hardcoded anywhere in the source
  • Secrets live in environment variables (.env) and .env is in .gitignore
  • No secrets committed in your Git history (not just the current files)
  • Frontend code contains no secret keys (anything shipped to the browser is public)

🚪 2. Authentication & authorization

  • Auth checks run on the server/backend, never trusted from the frontend alone
  • "Can this user do this?" is verified for every protected action (not just login)
  • You can't reach another user's data by changing an ID in the URL (IDOR — test it!)
  • Passwords are hashed (bcrypt/argon2), never stored or logged in plain text
  • Sessions/tokens expire and can be revoked

🧹 3. Input validation & injection

  • All user input is validated and sanitized on the server
  • Database queries are parameterized (no string-concatenated SQL → SQL injection)
  • User content rendered to the page is escaped (no raw HTML injection → XSS)
  • File uploads are type/size-checked and stored safely

🗄️ 4. Data exposure & storage

  • Your database access rules are locked down (the #1 vibe-coder leak — open Firebase/Supabase)
  • API responses return only the fields needed (no leaking password hashes, emails, internal IDs)
  • Sensitive data is encrypted at rest where it matters
  • Error messages are generic to users (stack traces and DB errors stay server-side)

🌐 5. Transport & configuration

  • Everything runs over HTTPS (no plain HTTP in production)
  • Security headers set (HSTS, basic CSP, etc.) where applicable
  • CORS is restricted to origins you actually trust (not * for authed APIs)
  • Debug mode is OFF in production

📦 6. Dependencies & abuse

  • Ran a dependency audit (npm audit / equivalent) and fixed the criticals
  • Dependencies are reasonably current (no abandoned, known-vulnerable packages)
  • Sensitive actions (login, signup, password reset) are rate-limited against brute force
  • No secrets or PII written to logs

🧪 The 3 tests every builder should actually run

  1. The URL test: log in as User A, then try to load User B's data by changing an ID. Blocked? Good.
  2. The injection test: type '; DROP TABLE-- and <script>alert(1)</script> into your forms. Nothing weird happens? Good.
  3. The secret sweep: search your whole repo (and history) for key, secret, password, token. Nothing real exposed? Good.

Security isn't a feature you add at the end. It's a lens you build through.

Build It Right, Or Don't Build It At All. 🏛️

Other rigor resources

Pre-Ship Checklist

Are You Actually Done?

Code Review Rubric

Score any code 0–10 against B.U.I.L.D.

API Design Checklist

Consistent, validated, versioned, safe APIs.

Data Modeling Cheat Sheet

Relationships, normalization, indexing rules of thumb.

Production-Readiness Checklist

Is this actually ready for real users & scale?

System Design Template

The whiteboard framework, step by step.

Git Workflow Reference

The commands and flows you actually use.

🏛️ Build It Right, Or Don't Build It At All.

🔒 The TOVCDI Security Audit Checklist — TOVCDI | HYVE CARES