Vibe Coding Security Glossary - Plain English Definitions

TL;DR

This glossary explains security terms in plain English for non-technical founders. You'll learn what words like API key, authentication, and SQL injection actually mean without the jargon. Bookmark this page and come back whenever you encounter an unfamiliar term while building or securing your app.

Security documentation is full of acronyms and technical terms that can make your eyes glaze over. If you've built an app using Cursor, Bolt, Lovable, or another AI coding tool, you probably didn't sign up to become a security expert. But understanding the basics helps you protect your users and your business.

This glossary is written specifically for vibe coders. Each definition explains what the term means, why it matters to you, and what to do about it. No computer science degree required.

Core Concepts

Vibe Coding

Vibe coding is the practice of building software applications using AI-powered code generation tools like Cursor, Bolt, Lovable, and v0. Users describe what they want in natural language, and the AI writes the code. This approach allows non-technical founders to create functional apps without traditional programming skills.

The term "vibe coding" comes from the idea that you describe the vibe or feel of what you want, rather than writing precise technical specifications.

Example: "I want a landing page with a hero section, pricing cards, and a contact form" becomes a working website in minutes.

API Key

An API key is a secret password that lets your app talk to other services like Stripe, OpenAI, or Firebase. Think of it like a key to someone's house. If you leave it under the doormat (visible in your code), anyone can walk in.

API keys should never be visible in your frontend code, committed to GitHub, or stored in files that are accessible from a browser.

Why it matters: If someone gets your OpenAI API key, they can run up thousands of dollars in charges. If they get your Stripe key, they might access customer payment data.

Environment Variables

Environment variables are a way to store secrets like API keys outside your code. Instead of writing your Stripe key directly in your code, you store it in a special file (usually called .env) that never gets uploaded to GitHub or shown in your browser.

Every deployment platform (Vercel, Netlify, Railway) has a section where you can add environment variables safely.

What to do: Move all your API keys and secrets to environment variables. Never commit your .env file to version control.
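The two halves of this advice in code: reading a secret from the environment so it never sits in source, and checking a built frontend bundle for keys that slipped in anyway. This is an added example, not code from the original article; the sample bundle is constructed, and the key shapes follow Stripe's sk_/pk_ and OpenAI's sk- prefixes.

```javascript
// Added example, not from the original article: read secrets from the
// environment and scan a built frontend bundle for keys that leaked into it.
// Key prefixes follow Stripe's and OpenAI's key formats; the bundle text
// is constructed for the demo.

// Read a secret and fail loudly if it is missing, so a misconfigured
// deployment never silently runs with an empty key.
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Shapes of secrets that must never reach browser-delivered code. Stripe
// publishable keys (pk_...) belong in the browser; secret keys (sk_...) do not.
const SECRET_PATTERNS = [
  { label: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/g },
  { label: 'OpenAI API key', re: /\bsk-[A-Za-z0-9_-]{20,}/g },
];

// Scan text (e.g. a built JS bundle) and report every secret-shaped string,
// redacted so the report itself is safe to log.
function findExposedSecrets(text) {
  const findings = [];
  for (const { label, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const key = m[0];
      findings.push({ label, redacted: `${key.slice(0, 8)}...${key.slice(-4)}`, offset: m.index });
    }
  }
  return findings;
}

// Constructed sample bundle: the publishable key is fine; the secret key
// beside it is the "key under the doormat" from the article.
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_test_EXAMPLEPUBLISHABLE123");',
  'fetch("https://api.stripe.com/v1/charges", { headers:',
  '  { Authorization: "Bearer sk_test_EXAMPLESECRETDONOTSHIP" } });',
].join('\n');

const report = findExposedSecrets(SAMPLE_BUNDLE);
if (report.length > 0) {
  console.warn(`Found ${report.length} secret(s) in the frontend bundle:`, report);
}
```

Run findExposedSecrets over the files in your build output folder (the ones a browser can download) rather than your source tree; that is where a key has to be absent.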

Authentication and Access

Authentication

Authentication is the process of verifying who someone is. When users log in with a username and password, that's authentication. It answers the question "Are you who you claim to be?"

Good authentication prevents strangers from pretending to be your users.

Common methods: Email and password, magic links, social login (Sign in with Google), and two-factor authentication.

Authorization

Authorization is different from authentication. While authentication verifies who you are, authorization determines what you're allowed to do. Just because someone has logged in doesn't mean they should see everything.

For example, a regular user shouldn't be able to access admin features. That's authorization.

Example: A user logs in (authentication), then the app checks if they're an admin before showing the dashboard (authorization).

Row Level Security (RLS)

Row Level Security is a database feature (especially in Supabase and PostgreSQL) that controls which rows of data each user can see or modify. Without RLS, a logged-in user might be able to see everyone else's data.

If you're using Supabase, enabling RLS is one of the most important security steps you can take.

What it does: User A can only see their own orders. User B can only see their own orders. The database enforces this automatically, so it holds even when some code path forgets to check.
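Authentication, authorization, and the per-row ownership rule that RLS enforces, shown as three separate checks in one order-lookup function. This is an added example, not code from the original article; the session shape, the role names, and the in-memory tables are assumptions made for the demo.

```javascript
// Added example, not from the original article: the checks an order-lookup
// endpoint needs. The session shape and the in-memory tables are assumptions
// made for the demo.

// Constructed data: two customers with one order each, plus an admin.
const ORDERS = [
  { id: 'ord_1', ownerId: 'user_a', total: 40 },
  { id: 'ord_2', ownerId: 'user_b', total: 99 },
];
const USERS = {
  user_a: { role: 'customer' },
  user_b: { role: 'customer' },
  admin_1: { role: 'admin' },
};

// Authentication: is there a session that maps to a real user?
function currentUser(session) {
  return session && USERS[session.userId] ? { id: session.userId, ...USERS[session.userId] } : null;
}

// Authorization: the article's "is this person an admin?" check for the dashboard.
function canViewAdminDashboard(session) {
  const user = currentUser(session);
  return Boolean(user && user.role === 'admin');
}

// Ownership: the per-row rule that RLS enforces inside the database. Doing it
// here too means a forgotten check in one code path is not a full data leak.
function getOrder(session, orderId) {
  const user = currentUser(session);
  if (!user) return { status: 401, error: 'not authenticated' };
  const order = ORDERS.find((o) => o.id === orderId);
  if (!order || (user.role !== 'admin' && order.ownerId !== user.id)) {
    // Same answer for "missing" and "not yours", so ids cannot be enumerated.
    return { status: 404, error: 'no such order' };
  }
  return { status: 200, order };
}

// The mistake the article warns about: being logged in is treated as
// permission to read every row, so any user can fetch any order by id.
function getOrderLoginOnly(session, orderId) {
  if (!currentUser(session)) return { status: 401, error: 'not authenticated' };
  const order = ORDERS.find((o) => o.id === orderId);
  return order ? { status: 200, order } : { status: 404, error: 'no such order' };
}
```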

Common Vulnerabilities

SQL Injection

SQL injection is an attack where someone puts database commands into form fields or URLs. If your app isn't protected, these commands get executed, letting attackers read, modify, or delete your database.

Modern frameworks and ORMs (like Prisma) protect against SQL injection automatically. If you're using raw database queries, you need to be more careful.

Example attack: Instead of typing their name in a form, an attacker types code that says "delete all users from the database."
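The same lookup written the unsafe way and the safe way, so you can see why "be more careful" means parameterized queries. This is an added example, not code from the original article; the $1 placeholder style is the one the node-postgres driver uses, no database is contacted, and the hostile input is constructed.

```javascript
// Added example, not from the original article: the same user lookup built
// two ways. The `$1` placeholder style is the one node-postgres uses; no
// database is contacted, the functions only build the statement.

// Vulnerable: user input is pasted into the SQL text, so a quote in the input
// ends the string literal and whatever follows is run as SQL.
function buildUserQueryUnsafe(name) {
  return { text: `SELECT * FROM users WHERE name = '${name}'`, values: [] };
}

// Safe: the SQL text is fixed and the input travels separately as a bound
// value, so the database treats it as data whatever it contains.
function buildUserQuerySafe(name) {
  return { text: 'SELECT * FROM users WHERE name = $1', values: [name] };
}

// Rough self-check: how many statements would this text run? A semicolon
// outside a string literal starts another one.
function countStatements(sql) {
  let inQuote = false;
  let count = 1;
  for (const ch of sql) {
    if (ch === "'") inQuote = !inQuote;
    else if (ch === ';' && !inQuote) count += 1;
  }
  return count;
}

// Constructed input: a "name" that carries the article's "delete all users".
const HOSTILE_NAME = "x'; DELETE FROM users WHERE 'a'='a";

const unsafe = buildUserQueryUnsafe(HOSTILE_NAME); // 2 statements, data gone
const safe = buildUserQuerySafe(HOSTILE_NAME);     // 1 statement, name matches nobody
```

Prisma, Supabase's client, and most ORMs build the safe shape for you; the unsafe shape only appears when code concatenates strings into SQL by hand.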

Cross-Site Scripting (XSS)

XSS is when an attacker injects malicious code (usually JavaScript) into your website that runs in other users' browsers. This can steal session tokens, redirect users to fake sites, or capture keystrokes.

Most modern frameworks like React escape output automatically, which prevents many XSS attacks. But if you use dangerouslySetInnerHTML or similar features, you might be at risk.

How it happens: An attacker posts a comment containing JavaScript. When other users view that comment, the script runs in their browser.
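The comment scenario above, rendered once without escaping (what dangerouslySetInnerHTML does) and once with it. This is an added example, not code from the original article; escapeHtml is a hand-written helper rather than a library call, and the hostile comment is constructed.

```javascript
// Added example, not from the original article: rendering a user comment into
// HTML. escapeHtml is a hand-written helper (React's {value} does the same for
// you) and the comment text is constructed.

// Turn the five characters that mean something in HTML into entities so the
// browser shows them as text instead of parsing them as markup.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the comment lands in the page as markup, which is what
// dangerouslySetInnerHTML (or innerHTML =) does.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Safe: escape first, then interpolate into the template.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Self-check: count tag openers in the output. The template contributes two
// (<li and </li); anything beyond that came from the comment.
function countTags(html) {
  return (html.match(/<[a-z\/!]/gi) || []).length;
}

// Constructed comment carrying an inline event handler, the shape of payload
// the article describes (a script that runs in every viewer's browser).
const HOSTILE_COMMENT = 'Nice post! <img src=x onerror="alert(1)">';
```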

Cross-Site Request Forgery (CSRF)

CSRF tricks a logged-in user into making requests they didn't intend. If you're logged into your bank and visit a malicious website, that site might try to make your browser send a "transfer money" request to your bank.

CSRF protection usually involves special tokens that prove a request came from your own website, not somewhere else.

Protection: Most frameworks include CSRF protection. Make sure it's enabled for forms and state-changing actions.

Web Security Basics

HTTPS/SSL

HTTPS encrypts the data sent between your users' browsers and your website. Without HTTPS, anyone on the same network (like a coffee shop WiFi) can see passwords, form data, and other sensitive information in plain text.

Today, HTTPS is basically required. Most deployment platforms provide it for free.

Check: Your website URL should start with https:// (not http://). Look for the padlock icon in the browser.

Security Headers

Security headers are instructions your server sends to browsers telling them how to behave securely. They can stop your site from being embedded in a malicious frame (clickjacking), tell browsers to only ever connect to you over HTTPS, and control which scripts are allowed to run on your pages.

Common security headers include Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.

How to add them: In Vercel, you add headers in vercel.json. In Netlify, use the _headers file.

CORS (Cross-Origin Resource Sharing)

CORS is a browser security feature that controls which websites' scripts can call your backend and read its responses. Without CORS restrictions, a script on any other website could call your API from a visitor's browser as if it were your app.

CORS errors are frustrating, but they exist to protect your users. The fix is to configure which origins (domains) are allowed to access your API.

What to do: Configure your backend to allow requests from your frontend domain, but not from everywhere (*).
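One response-header builder that covers both the Security Headers section and the CORS section above: the three headers named earlier plus two common companions, and an origin allowlist instead of *. This is an added example, not code from the original article; the allowed origins are placeholders, and the vercelHeadersConfig helper emits the vercel.json headers format the article mentions.

```javascript
// Added example, not from the original article: response headers for an API
// behind a vibe-coded frontend. The allowed origins are placeholders; the
// header names and values are standard.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // your frontend (placeholder)
  'http://localhost:3000',   // local development
]);

// Headers every response should carry. The CSP allows only same-origin
// scripts; widen it per script source you actually use, never to '*'.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// CORS: echo the Origin only when it is on the allowlist. Reflecting every
// Origin, or sending '*' together with credentials, lets any site call your
// API with your users' cookies attached.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Vary': 'Origin', // caches must not reuse one origin's answer for another
  };
}

// Headers for one response; pass the request's Origin header (may be absent).
function responseHeaders(origin) {
  return { ...SECURITY_HEADERS, ...corsHeadersFor(origin) };
}

// The same security headers as the vercel.json "headers" entry the article
// mentions, so the static config and the runtime code agree.
function vercelHeadersConfig(pathPattern = '/(.*)') {
  return {
    headers: [{
      source: pathPattern,
      headers: Object.entries(SECURITY_HEADERS).map(([key, value]) => ({ key, value })),
    }],
  };
}
```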

Data Protection

Encryption at Rest

Encryption at rest means your data is encrypted when it's stored. If someone steals your database files, they can't read the data without the encryption keys.

Most managed database services (Supabase, PlanetScale, Firebase) encrypt data at rest by default.

Check: Review your database provider's security documentation to confirm encryption is enabled.

Encryption in Transit

Encryption in transit means data is encrypted while it travels over the network. This is what HTTPS provides for web traffic. For database connections, look for SSL/TLS connection options.

Example: When your app connects to Supabase, that connection should use SSL so the data can't be intercepted.

Data Breach

A data breach is when unauthorized people access your data. This can happen through hacking, exposed credentials, misconfigured databases, or insider threats. Breaches can result in legal penalties, lost customers, and reputation damage.

According to IBM's 2024 report, the average cost of a data breach is $4.88 million.

Prevention: Regular security scanning, proper access controls, and following security best practices reduce breach risk.

Quick Reference Table

Term             | What It Means                     | Why You Should Care
-----------------|-----------------------------------|--------------------------------------------
API Key          | Secret password for services      | Exposed keys lead to charges and data theft
Authentication   | Verifying who someone is          | Prevents impersonation
Authorization    | What someone is allowed to do     | Prevents unauthorized access
RLS              | Database row-level access control | Keeps user data private
SQL Injection    | Attack via database commands      | Can destroy or steal all data
XSS              | Malicious scripts in your site    | Steals user sessions and data
HTTPS            | Encrypted web traffic             | Protects data in transit
Security Headers | Browser security instructions     | Prevents various attacks
CORS             | Cross-origin request control      | Limits who can use your API

What Should You Do Next?

Now that you know the terminology, here are your next steps:

  1. Run a security scan to find obvious issues like exposed API keys and missing HTTPS.
  2. Check your environment variables to make sure secrets aren't in your code.
  3. Enable RLS if you're using Supabase or another PostgreSQL database.
  4. Add security headers to your deployment configuration.

You don't need to become a security expert. You just need to cover the basics and use tools that help you find problems before attackers do.

What is an API key?

An API key is a secret password that lets your app talk to other services like Stripe, OpenAI, or Firebase. If someone gets your API key, they can use those services as if they were you, which can result in unexpected charges or data access. API keys should never be visible in your code or accessible from a browser.

What does authentication mean in web security?

Authentication is the process of verifying who someone is. When users log in with a username and password, that's authentication. It answers the question "Are you who you claim to be?" This is different from authorization, which determines what an authenticated user is allowed to do.

Why do I need to learn security terms if I'm not technical?

Understanding basic security terms helps you communicate with developers, evaluate security tools, and make informed decisions about your app's safety. You don't need deep technical knowledge, but knowing what terms like "exposed API key" or "SQL injection" mean helps you recognize problems and take appropriate action.

Which security terms should I learn first?

Start with API keys, authentication, authorization, and HTTPS. These are the most common terms you'll encounter and the most immediately relevant to securing a vibe-coded app. From there, learn about RLS if you use Supabase, and security headers when you're ready to harden your deployment.

Ready to Check Your App's Security?

Run a free security scan and get plain-English results you can actually understand.
