Apr 16 (edited) • Vibe Coding
Vibe coding - Security best practices
How to build AI tools securely (you’re probably doing it wrong)
*1 Lock down API keys
  • Store secrets in Vault (Supabase → Database → Vault) so keys never touch the client.
  • For high‑value credentials like OpenAI or Stripe, route calls through a server function; never ship them in JavaScript.
  • Rotate keys and keep them out of repos or logs—stick to environment variables backed by encrypted storage.
*2 Add your own rate limits
  • Supabase Auth throttles login endpoints by default, but Edge Functions & custom APIs aren’t rate‑limited out of the box.
  • Drop a Redis‑based limiter in middleware, or prompt Lovable to scaffold limits on every endpoint.
*3 Harden against DDoS
  • Netlify’s free tier offers only basic protection; large floods still hit your origin and cost money.
  • Use hosts with built‑in firewalls like Cloudflare “Under Attack” mode or Vercel Firewall DDoS mitigation.
*4 Always enable Row‑Level Security (RLS)
  • Supabase tables in the public schema are readable (and writable) through the project’s public anon key, which ships with your frontend, until you flip the RLS switch.
  • Turn it on via Lovable’s UI or directly in Supabase Dashboard, then write policies that allow only the rows a user owns.
*5 Run a quick security audit before shipping
  1. Open DevTools → Network.
  2. Hunt for hard‑coded keys or tokens in request headers (a common slip‑up).
  3. Verify responses aren’t over‑fetching (e.g., returning all users).
  4. Confirm RLS denies unauthorized requests—even if the client tampers with IDs.
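As an added example (not from the original post), here is what step 4 and audit check 5.4 look like in Supabase SQL: a constructed `notes` table, RLS switched on, owner‑only policies keyed on `auth.uid()`, and a transaction that impersonates a user to prove a tampered ID gets nothing back. The table name, column names and the user UUIDs are assumptions for illustration.

```sql
-- Constructed example table; user_id ties each row to a Supabase Auth user.
create table public.notes (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  body    text not null
);

-- Until this runs, the anon key in your frontend can read every row.
alter table public.notes enable row level security;

-- Owner-only policies. USING filters rows a user can see/modify;
-- WITH CHECK rejects writes that would create rows they don't own.
create policy "notes_owner_select" on public.notes
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "notes_owner_insert" on public.notes
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "notes_owner_update" on public.notes
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "notes_owner_delete" on public.notes
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Audit check (run in the SQL editor): impersonate user A and try to
-- read/modify a note owned by user B, as a client tampering with IDs would.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);

-- Expect zero rows, not an error: RLS silently filters B's rows out.
select * from public.notes
 where user_id = '22222222-2222-2222-2222-222222222222';

-- Expect "UPDATE 0": the row is invisible, so nothing is touched.
update public.notes set body = 'tampered'
 where user_id = '22222222-2222-2222-2222-222222222222';

-- Expect an RLS violation error: WITH CHECK blocks writing as someone else.
insert into public.notes (user_id, body)
values ('22222222-2222-2222-2222-222222222222', 'forged');
rollback;
```

Note that the anon role gets no policy at all here, so unauthenticated requests see an empty table; the `service_role` key bypasses RLS entirely, which is exactly why it must stay in Vault or a server function and never in the browser.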
*6 Bonus: OAuth beats raw API keys for user auth
  • OAuth tokens are short‑lived and scoped, reducing blast radius compared with long‑lived keys.
  • Keys are still fine for server‑to‑server calls—just keep them server‑side and rotate often.
Key takeaways
  • Vault + server functions keep secrets off the frontend.
  • Manual rate limits & DDoS firewalls save you from surprise bills.
  • RLS is mandatory—tables are public until you say otherwise.
  • Audit in DevTools; if you can see a key, so can attackers.
  • OAuth for users, keys for servers gives you the best of both worlds.
Ship fast, but ship securely—your future self (and your users) will thank you.
Keep Vibing!
Didac Fernandez