VibeCodeCheck.me

== AVAILABLE SECURITY MODULES ==

> secrets - PROTECT YOUR SECRETS

> injection - SQL INJECTIONS: CLOSE THE DOOR

> xss - CROSS-SITE SCRIPTING DEFENSE

> auth - AUTHENTICATION FORTRESS

> deps - DEPENDENCY DEFENSE

> headers - HTTP HEADERS SHIELD

> tools - SECURITY TOOLKIT

> owasp - OWASP TOP 10 BREAKDOWN

> clear - CLEAR TERMINAL

> about - ABOUT THIS TERMINAL

== PROTECT YOUR SECRETS ==

WARNING: HARDCODED CREDENTIALS DETECTED IN YOUR CODEBASE

// THE PROBLEM

Storing API keys, passwords, and tokens in your code is like hiding your house key under the doormat. Everybody knows to look there.

// THE SOLUTION

1. Use environment variables for sensitive data

2. Add .env files to your .gitignore

3. Scan your codebase for exposed secrets regularly

// PROMPT THESE INTO YOUR AI

💬 "Refactor my code to remove any hardcoded secrets like API keys or passwords and replace them with environment variables."

💬 "Show me how to load API keys from a .env file and use them securely in my app."

💬 "Add logic that uses os.environ to fetch sensitive variables instead of hardcoding them."

💬 "Write a .gitignore file and make sure .env is listed so I don’t push secrets to GitHub."

💬 "Scan my codebase and warn me if you detect any hardcoded credentials or secrets."

// MISSION CHECKLIST

✅ Check your code for hardcoded secrets

✅ Store sensitive data in environment variables

✅ Keep your .env file out of GitHub

✅ Prompt your AI to review your project for secret exposures

== SQL INJECTIONS: CLOSE THE DOOR ==

ALERT: SQL INJECTION VECTORS DETECTED IN YOUR APPLICATION

// THE PROBLEM

Unvalidated user input goes directly into SQL queries, allowing attackers to modify or extract data from your database.

// THE SOLUTION

1. Use parameterized queries or prepared statements

2. Validate all user inputs

3. Use an ORM (Object-Relational Mapping) library to reduce query risk

// PROMPT THESE INTO YOUR AI

💬 "Update my database queries to use parameterized statements instead of raw string concatenation."

💬 "Scan my codebase for any SQL queries that are vulnerable to injection and suggest secure replacements."

💬 "Add input validation to all form fields that interact with my database."

💬 "Show me how to implement SQL queries safely using an ORM like SQLAlchemy or Prisma."

💬 "Test this login form code for SQL injection vulnerabilities and explain how to fix them."

// ATTACK STRINGS TO AVOID

admin' --

admin' OR 1=1 --

'; DROP TABLE users; --

// MISSION CHECKLIST

✅ Eliminate raw SQL strings with user input

✅ Replace all queries with parameterized or prepared statements

✅ Add validation and sanitation for every user input field

✅ Use an ORM to abstract and protect your SQL layer

== AUTHENTICATION FORTRESS ==

SECURITY SCAN: WEAK AUTHENTICATION DEFENSES DETECTED

// THE PROBLEM

Poor authentication allows attackers to gain unauthorized access through brute force, credential stuffing, and password spraying attacks.

// THE SOLUTION

1. Implement strong password policies

2. Use secure password hashing (e.g. bcrypt, Argon2)

3. Add multi-factor authentication (MFA)

4. Implement account lockouts and rate limiting

// PROMPT THESE INTO YOUR AI

💬 "Set up secure password hashing in my app using bcrypt with salt and proper rounds."

💬 "Add account lockout logic that prevents brute force attacks after 5 failed login attempts."

💬 "Help me implement multi-factor authentication using email or an authenticator app."

💬 "Check my session management to ensure I'm using secure cookies with HttpOnly and SameSite flags."

💬 "Add rate limiting to my login endpoint to prevent credential stuffing attacks."

// COMMON AUTH MISTAKES

⛔ Storing passwords in plain text

⛔ Using weak hashing algorithms (MD5, SHA1)

⛔ No protection against brute force attacks

⛔ Insecure session or token handling

// MISSION CHECKLIST

✅ Use strong password hashing algorithms like bcrypt or Argon2

✅ Lock accounts after repeated failed login attempts

✅ Add multi-factor authentication for all users

✅ Use HTTPS for all authentication requests

✅ Set secure and HttpOnly cookie flags for sessions or tokens

== CROSS-SITE SCRIPTING DEFENSE ==

SECURITY ALERT: XSS VULNERABILITIES DETECTED

// THE PROBLEM

Attackers can inject malicious scripts into web pages viewed by other users, stealing cookies, session tokens, or redirecting users to malicious sites.

// THE SOLUTION

1. Sanitize all user input

2. Implement a strong Content Security Policy (CSP)

3. Use proper output encoding and escaping

// PROMPT THESE INTO YOUR AI

💬 "Scan my project for any spots where user input is injected into the DOM without sanitization."

💬 "Add proper escaping to all user-generated input before displaying it in HTML."

💬 "Help me implement a secure Content Security Policy header to prevent XSS attacks."

💬 "Add DOM sanitization using a library like DOMPurify to clean HTML safely."

💬 "Replace any dangerouslySetInnerHTML or innerHTML usage with safe alternatives."

// COMMON ATTACK VECTORS

<a href="javascript:alert('XSS')">Click me</a>

// MISSION CHECKLIST

✅ Sanitize and validate all user inputs

✅ Escape or encode dynamic values before inserting into HTML

✅ Add Content Security Policy headers to block inline scripts

✅ Use libraries like DOMPurify to safely render HTML

✅ Store session tokens in HttpOnly cookies

== DEPENDENCY DEFENSE ==

SECURITY SCAN: VULNERABLE DEPENDENCIES DETECTED

// THE PROBLEM

Your app is only as secure as its weakest dependency. Outdated packages can leave your app vulnerable to known exploits.

// THE SOLUTION

1. Regularly audit dependencies for vulnerabilities

2. Set up automated scanning and update checks

3. Keep all packages and frameworks updated

4. Use lockfiles and version pinning for consistency

// PROMPT THESE INTO YOUR AI

💬 "Scan my package.json for outdated or vulnerable dependencies and recommend updates."

💬 "Add automated dependency scanning to my CI/CD pipeline using GitHub Actions or another tool."

💬 "Check for known CVEs in my requirements.txt or Pipfile and suggest secure versions."

💬 "Enable Dependabot or an equivalent to automatically track and suggest package updates."

💬 "Explain how to use lockfiles and version pinning to prevent dependency drift."

// MISSION CHECKLIST

✅ Scan dependencies for known vulnerabilities regularly

✅ Keep your package files updated (npm, pip, gem, etc.)

✅ Use lockfiles and pin versions to avoid unexpected changes

✅ Automate scanning in your CI/CD workflow

== HTTP HEADERS SHIELD ==

SECURITY SCAN: MISSING SECURITY HEADERS DETECTED

// THE PROBLEM

Missing security headers leave your app vulnerable to clickjacking, MIME sniffing, and other browser-based attacks.

// THE SOLUTION

1. Set essential security headers on all responses

2. Define a Content Security Policy (CSP)

3. Enable HTTPS with HSTS headers

// PROMPT THESE INTO YOUR AI

💬 "Add all recommended HTTP security headers to my Express.js app using Helmet."

💬 "Enable CSP, X-Frame-Options, HSTS, and other headers in my Django project."

💬 "Explain what each security header does and add them to my server configuration."

💬 "Help me write a custom Content Security Policy that blocks inline scripts and restricts external domains."

💬 "Test my deployed site for missing headers and suggest what I need to fix."

// ESSENTIAL HEADERS TO IMPLEMENT

🛡️ Content-Security-Policy – Prevents XSS by controlling what scripts and resources are allowed

🛡️ X-Frame-Options: DENY – Stops clickjacking by blocking iframe embedding

🛡️ Strict-Transport-Security – Enforces HTTPS and prevents downgrade attacks

🛡️ X-Content-Type-Options: nosniff – Prevents MIME-type sniffing attacks

// MISSION CHECKLIST

✅ Add all critical HTTP security headers

✅ Write and apply a Content Security Policy

✅ Enforce HTTPS using HSTS

✅ Test your site with online header scanners regularly

== SECURITY TOOLKIT ==

SECURITY ALERT: ARM YOURSELF WITH THE RIGHT TOOLS

// ESSENTIAL SECURITY AREAS TO COVER

🛠️ Scanning & Testing

🔍 Dependency Management

🔑 Secret Detection

🧱 Runtime Protection & Monitoring

📚 Skill Building & Practice

// PROMPT THESE INTO YOUR AI

💬 "What are the best free tools to scan my web app for security vulnerabilities?"

💬 "Set up secret scanning and dependency checks in my project using open-source tools."

💬 "Add a GitHub Action to my repo that runs security scans on every pull request."

💬 "Install a web application firewall or local tool to block brute force attacks."

💬 "Help me practice finding and fixing vulnerabilities using beginner-friendly labs."

// EXAMPLE PROMPT OUTPUTS MIGHT INCLUDE

• OWASP ZAP or Burp Suite for web app scanning

• npm audit, pip-audit, or Snyk for dependency checks

• GitGuardian or Gitleaks for secret detection

• Fail2ban or ModSecurity for runtime defense

• WebGoat, PortSwigger Academy, or HackTheBox for hands-on training

// MISSION CHECKLIST

✅ Ask your AI to recommend tools specific to your language or framework

✅ Set up security scans for code, secrets, and dependencies

✅ Use runtime protection tools if you’re deploying to a server

✅ Practice ethical hacking to build security awareness

== OWASP TOP 10 BREAKDOWN ==

SECURITY ALERT: OWASP TOP 10 VULNERABILITIES

// WHAT IS OWASP?

The Open Web Application Security Project (OWASP) identifies the most critical security risks to web applications.

// PROMPT THESE INTO YOUR AI

💬 "Explain each of the OWASP Top 10 vulnerabilities to me like I'm new to web development."

💬 "Scan my codebase and tell me if I’m vulnerable to any OWASP Top 10 risks."

💬 "Help me implement access control to protect against broken access control."

💬 "Audit my app for cryptographic failures and suggest secure encryption methods."

💬 "Show me how to log and monitor security events in my app for intrusion detection."

// THE OWASP TOP 10 (2021) — QUICK VIEW

1. Broken Access Control – Users accessing unauthorized data or functionality.

Defense: Prompt your AI to implement RBAC and route-level access checks.

2. Cryptographic Failures – Sensitive data isn’t encrypted properly.

Defense: Ask for TLS setup, strong encryption, and secure key storage.

3. Injection – Malicious input is executed as code.

Defense: Use prompts to refactor with parameterized queries and input validation.

4. Insecure Design – Weak app design leaves gaps for attackers.

Defense: Ask your AI to guide you through threat modeling for your project.

5. Security Misconfiguration – Default, exposed, or weak setups.

Defense: Use prompts to harden server configs and automate secure defaults.

6. Vulnerable Components – Using outdated packages with known issues.

Defense: Ask AI to scan dependencies and set up automated updates.

7. Identification & Authentication Failures – Broken login systems.

Defense: Prompt your AI to implement MFA, strong password policies, and secure sessions.

8. Software & Data Integrity Failures – Tampered code or updates.

Defense: Prompt AI to add digital signature checks or secure CI/CD pipelines.

9. Security Logging & Monitoring Failures – Breaches go undetected.

Defense: Ask your AI to help you log auth events and add alerts for suspicious behavior.

10. Server-Side Request Forgery (SSRF) – App fetches untrusted external URLs.

Defense: Use prompts to add allow-lists, input validation, and disable redirects.

// MISSION CHECKLIST

✅ Understand each vulnerability category with AI assistance

✅ Scan your application for OWASP Top 10 risks

✅ Prompt your AI to patch and protect against each weakness

✅ Stay updated with the latest OWASP Top 10 versions and changes

== ABOUT VIBE CODE CHECK ==

__     _____ ____  _____    ____ ___  ____  _____    ____ _   _ _____ ____ _  __
\ \   / /_ _| __ )| ____|  / ___/ _ \|  _ \| ____|  / ___| | | | ____/ ___| |/ /
 \ \ / / | ||  _ \|  _|   | |  | | | | | | |  _|   | |   | |__| |  _|| |   | ' / 
  \ V /  | || |_) | |___  | |__| |_| | |_| | |___  | |___| |  | | |__| |___| . \ 
   \_/  |___|____/|_____|  \____\___/|____/|_____|  \____|_|  |_|_____\____|_|\_\

// PROJECT MISSION

Vibe Code Check is an educational tool designed to help developers write more secure code through simple, actionable guidance.

// WHO IS THIS FOR?

- Junior developers learning web security fundamentals

- Teams that want a quick reference for security best practices

- Anyone who wants to improve their vibe code's security posture

// CREATOR

Built with 💻 by Rachel Larralde

Twitter: @witchaudio_

// DISCLAIMER

This tool provides general security guidance but is not a substitute for a professional security audit. Always consult with security experts for production systems.

// VERSION

vibecodecheck.me v1.0

Last Updated: 2025-03-29