[{"data":1,"prerenderedAt":220},["ShallowReactive",2],{"blog-checklists/ai-generated-code-checklist":3},{"id":4,"title":5,"body":6,"category":197,"date":198,"dateModified":198,"description":199,"draft":200,"extension":201,"faq":202,"featured":200,"headerVariant":205,"image":206,"keywords":206,"meta":207,"navigation":208,"ogDescription":209,"ogTitle":206,"path":210,"readTime":206,"schemaOrg":211,"schemaType":212,"seo":213,"sitemap":214,"stem":215,"tags":216,"twitterCard":218,"__hash__":219},"blog/blog/checklists/ai-generated-code-checklist.md","AI Generated Code Security Checklist: 15-Item Guide Before Production",{"type":7,"value":8,"toc":191},"minimark",[9,16,19,22,32,57,79,97,112,127,132,135,138,160,179],[10,11,12],"tldr",{},[13,14,15],"p",{},"AI coding tools write functional code quickly, but security is often an afterthought. Before deploying AI-generated code: search for hardcoded secrets, verify database access controls, test authentication server-side, and validate all user inputs. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can. This checklist applies to code from Cursor, Bolt, Lovable, ChatGPT, Copilot, or any AI assistant.",[13,17,18],{},"AI tools are incredible at getting you from zero to working prototype fast. The problem is that \"working\" and \"secure\" are two very different things. Run through this list before you ship -- it takes 30 minutes and could save you from a very bad day.",[20,21],"print-button",{},[23,24,25],"warning-box",{},[13,26,27,31],{},[28,29,30],"strong",{},"40%"," of AI-generated code samples contain at least one security vulnerability, according to a 2025 Stanford study.",[33,34,36,41,45,49,53],"checklist-section",{"title":35},"Quick Checklist (5 Critical Items)",[37,38],"checklist-item",{"description":39,"label":40},"Search for: sk_, pk_, api_key, apiKey, secret, password, token","Search for API key patterns",[37,42],{"description":43,"label":44},"Check .gitignore includes .env, .env.local, and similar files","Verify .env is gitignored",[37,46],{"description":47,"label":48},"AI often enables RLS on some tables but forgets others","Check RLS is enabled on ALL tables",[37,50],{"description":51,"label":52},"Frontend route protection is not security. Backend must verify user.","Verify server-side auth checks",[37,54],{"description":55,"label":56},"As User A, try to access User B's data by modifying IDs","Test data isolation",[33,58,61,64,68,71,75],{"title":59,"count":60},"Hardcoded Secrets","5",[37,62],{"description":63,"label":40},"Search for: sk_, pk_, api_key, apiKey, secret, password, token, SUPABASE_, OPENAI_. How to secure API keys",[37,65],{"description":66,"label":67},"Look for: YOUR_API_KEY, xxx, TODO, FIXME in configuration. How to find placeholder secrets","Check for placeholder values",[37,69],{"description":70,"label":44},"Check .gitignore includes .env, .env.local, and similar files. How to secure .env files",[37,72],{"description":73,"label":74},"Run your app and verify no secrets appear in request headers or bodies. How to inspect network requests","Check browser DevTools Network tab",[37,76],{"description":77,"label":78},"Frontend should only have NEXT_PUBLIC_, VITE_, or similar prefixed vars. How to separate client/server keys","Verify public vs private key usage",[33,80,83,87,90,93],{"title":81,"count":82},"Database Security","4",[37,84],{"description":85,"label":86},"RLS for Supabase, Security Rules for Firebase, or equivalent. How to set up Supabase RLS","Verify database access controls exist",[37,88],{"description":89,"label":48},"AI often enables RLS on some tables but forgets others. How to audit RLS on all tables",[37,91],{"description":92,"label":56},"As User A, try to access User B's data by modifying IDs. How to test data isolation",[37,94],{"description":95,"label":96},"Verify queries use parameterized statements, not string concatenation. How to prevent SQL injection","Check for SQL injection",[33,98,101,104,108],{"title":99,"count":100},"Authentication","3",[37,102],{"description":103,"label":52},"Frontend route protection is not security. Backend must verify user. How to implement server-side auth",[37,105],{"description":106,"label":107},"Try /dashboard, /admin, /settings without logging in. How to test protected routes","Test accessing protected routes directly",[37,109],{"description":110,"label":111},"Logout should invalidate sessions. Sessions should expire. How to configure sessions","Check session handling",[33,113,115,119,123],{"title":114,"count":100},"Input Handling",[37,116],{"description":117,"label":118},"Enter \u003Cscript>alert(1)\u003C/script> and verify it displays as text. How to prevent XSS","Test XSS in text inputs",[37,120],{"description":121,"label":122},"AI often only adds client-side validation. Test submitting bad data directly to API. How to validate on server","Check for server-side validation",[37,124],{"description":125,"label":126},"If uploads exist, check type restrictions and size limits are enforced. How to secure file uploads","Verify file upload restrictions",[128,129,131],"h2",{"id":130},"why-ai-code-needs-extra-review","Why AI Code Needs Extra Review",[13,133,134],{},"AI coding assistants are trained to produce working code, not secure code. They optimize for functionality and user satisfaction, not security best practices. Additionally, training data includes plenty of insecure code examples that the AI learns from.",[13,136,137],{},"Common patterns in AI-generated code: leaving example API keys in place, implementing authentication only on the frontend, forgetting to enable database security features, and skipping input validation.",[139,140,141,148,154],"faq-section",{},[142,143,145],"faq-item",{"question":144},"Is AI-generated code secure?",[13,146,147],{},"AI-generated code is functional but often lacks security best practices. Studies show 40% of AI-generated code contains at least one vulnerability. Common issues include exposed API keys, missing database access controls, and frontend-only authentication. Always review AI code before production.",[142,149,151],{"question":150},"Which AI tools are safest?",[13,152,153],{},"All AI coding tools require security review. Some (like Cursor) have better context awareness, but none are immune to security issues. The difference is in degree, not kind. Review code from any AI tool using this checklist.",[142,155,157],{"question":156},"Should I avoid AI coding tools?",[13,158,159],{},"No, AI tools dramatically increase productivity. The key is treating AI output as a draft that needs review, not production-ready code. Use AI for rapid development, but always run security checks before deploying.",[161,162,163,169,174],"related-articles",{},[164,165],"related-card",{"description":166,"href":167,"title":168},"Security for Cursor projects","/blog/checklists/cursor-security-checklist","Cursor Security Checklist",[164,170],{"description":171,"href":172,"title":173},"Security for Bolt projects","/blog/checklists/bolt-security-checklist","Bolt.new Security Checklist",[164,175],{"description":176,"href":177,"title":178},"Database security for AI apps","/blog/how-to/setup-supabase-rls","Set Up Supabase RLS",[180,181,184,188],"cta-box",{"href":182,"label":183},"/","Start Free Scan",[128,185,187],{"id":186},"scan-your-ai-generated-code","Scan Your AI-Generated Code",[13,189,190],{},"Our scanner is built specifically for AI-generated apps. Catch what the AI missed.",{"title":192,"searchDepth":193,"depth":193,"links":194},"",2,[195,196],{"id":130,"depth":193,"text":131},{"id":186,"depth":193,"text":187},"checklists","2026-01-22","Security checklist for reviewing AI-generated code from Cursor, Bolt, Lovable, ChatGPT, or any AI coding tool before deploying to production.",false,"md",[203],{"question":144,"answer":204},"AI-generated code is functional but often lacks security best practices. Studies show 40% of AI-generated code contains at least one vulnerability. Common issues include exposed API keys, missing database access controls, and frontend-only authentication.","green",null,{},true,"Security checklist for AI-generated code from Cursor, Bolt, Lovable, and more.","/blog/checklists/ai-generated-code-checklist","[object Object]","HowTo",{"title":5,"description":199},{"loc":210},"blog/checklists/ai-generated-code-checklist",[217],"Security Checklist","summary_large_image","62-K4-Zox6-YxvKMVtQhhubGD6k10OO6BqP7zotQUxc",1775843918547]