[{"data":1,"prerenderedAt":520},["ShallowReactive",2],{"blog-glossary/vibe-coding-security-glossary":3},{"id":4,"title":5,"body":6,"category":493,"date":494,"dateModified":494,"description":495,"draft":496,"extension":497,"faq":498,"featured":496,"headerVariant":505,"image":506,"keywords":506,"meta":507,"navigation":508,"ogDescription":509,"ogTitle":506,"path":510,"readTime":511,"schemaOrg":512,"schemaType":513,"seo":514,"sitemap":515,"stem":516,"tags":517,"twitterCard":518,"__hash__":519},"blog/blog/glossary/vibe-coding-security-glossary.md","Vibe Coding Security Glossary - Plain English Definitions",{"type":7,"value":8,"toc":460},"minimark",[9,16,19,22,27,32,35,38,41,45,48,51,54,58,61,64,67,71,75,78,81,84,88,91,94,97,101,104,107,110,114,118,121,124,127,131,134,137,140,144,147,150,153,157,161,164,167,170,174,177,180,183,187,190,193,196,200,204,207,210,213,217,220,223,227,230,233,236,240,357,361,364,393,396,429,441],[10,11,12],"tldr",{},[13,14,15],"p",{},"This glossary explains security terms in plain English for non-technical founders. You'll learn what words like API key, authentication, and SQL injection actually mean without the jargon. Bookmark this page and come back whenever you encounter an unfamiliar term while building or securing your app.",[13,17,18],{},"Security documentation is full of acronyms and technical terms that can make your eyes glaze over. If you've built an app using Cursor, Bolt, Lovable, or another AI coding tool, you probably didn't sign up to become a security expert. But understanding the basics helps you protect your users and your business.",[13,20,21],{},"This glossary is written specifically for vibe coders. Each definition explains what the term means, why it matters to you, and what to do about it. No computer science degree required.",[23,24,26],"h2",{"id":25},"core-concepts","Core Concepts",[28,29,31],"h3",{"id":30},"vibe-coding","Vibe Coding",[13,33,34],{},"Vibe coding is the practice of building software applications using AI-powered code generation tools like Cursor, Bolt, Lovable, and v0. Users describe what they want in natural language, and the AI writes the code. This approach allows non-technical founders to create functional apps without traditional programming skills.",[13,36,37],{},"The term \"vibe coding\" comes from the idea that you describe the vibe or feel of what you want, rather than writing precise technical specifications.",[13,39,40],{},"Example:\n\"I want a landing page with a hero section, pricing cards, and a contact form\" becomes a working website in minutes.",[28,42,44],{"id":43},"api-key","API Key",[13,46,47],{},"An API key is a secret password that lets your app talk to other services like Stripe, OpenAI, or Firebase. Think of it like a key to someone's house. If you leave it under the doormat (visible in your code), anyone can walk in.",[13,49,50],{},"API keys should never be visible in your frontend code, committed to GitHub, or stored in files that are accessible from a browser.",[13,52,53],{},"Why it matters:\nIf someone gets your OpenAI API key, they can run up thousands of dollars in charges. If they get your Stripe key, they might access customer payment data.",[28,55,57],{"id":56},"environment-variables","Environment Variables",[13,59,60],{},"Environment variables are a way to store secrets like API keys outside your code. Instead of writing your Stripe key directly in your code, you store it in a special file (usually called .env) that never gets uploaded to GitHub or shown in your browser.",[13,62,63],{},"Every deployment platform (Vercel, Netlify, Railway) has a section where you can add environment variables safely.",[13,65,66],{},"What to do:\nMove all your API keys and secrets to environment variables. Never commit your .env file to version control.",[23,68,70],{"id":69},"authentication-and-access","Authentication and Access",[28,72,74],{"id":73},"authentication","Authentication",[13,76,77],{},"Authentication is the process of verifying who someone is. When users log in with a username and password, that's authentication. It answers the question \"Are you who you claim to be?\"",[13,79,80],{},"Good authentication prevents strangers from pretending to be your users.",[13,82,83],{},"Common methods:\nEmail and password, magic links, social login (Sign in with Google), and two-factor authentication.",[28,85,87],{"id":86},"authorization","Authorization",[13,89,90],{},"Authorization is different from authentication. While authentication verifies who you are, authorization determines what you're allowed to do. Just because someone has logged in doesn't mean they should see everything.",[13,92,93],{},"For example, a regular user shouldn't be able to access admin features. That's authorization.",[13,95,96],{},"Example:\nA user logs in (authentication), then the app checks if they're an admin before showing the dashboard (authorization).",[28,98,100],{"id":99},"row-level-security-rls","Row Level Security (RLS)",[13,102,103],{},"Row Level Security is a database feature (especially in Supabase and PostgreSQL) that controls which rows of data each user can see or modify. Without RLS, a logged-in user might be able to see everyone else's data.",[13,105,106],{},"If you're using Supabase, enabling RLS is one of the most important security steps you can take.",[13,108,109],{},"What it does:\nUser A can only see their own orders. User B can only see their orders. The database enforces this automatically.",[23,111,113],{"id":112},"common-vulnerabilities","Common Vulnerabilities",[28,115,117],{"id":116},"sql-injection","SQL Injection",[13,119,120],{},"SQL injection is an attack where someone puts database commands into form fields or URLs. If your app isn't protected, these commands get executed, letting attackers read, modify, or delete your database.",[13,122,123],{},"Modern frameworks and ORMs (like Prisma) protect against SQL injection automatically. If you're using raw database queries, you need to be more careful.",[13,125,126],{},"Example attack:\nInstead of typing their name in a form, an attacker types code that says \"delete all users from the database.\"",[28,128,130],{"id":129},"cross-site-scripting-xss","Cross-Site Scripting (XSS)",[13,132,133],{},"XSS is when an attacker injects malicious code (usually JavaScript) into your website that runs in other users' browsers. This can steal session tokens, redirect users to fake sites, or capture keystrokes.",[13,135,136],{},"Most modern frameworks like React escape output automatically, which prevents many XSS attacks. But if you use dangerouslySetInnerHTML or similar features, you might be at risk.",[13,138,139],{},"How it happens:\nAn attacker posts a comment containing JavaScript. When other users view that comment, the script runs in their browser.",[28,141,143],{"id":142},"cross-site-request-forgery-csrf","Cross-Site Request Forgery (CSRF)",[13,145,146],{},"CSRF tricks a logged-in user into making requests they didn't intend. If you're logged into your bank and visit a malicious website, that site might try to make your browser send a \"transfer money\" request to your bank.",[13,148,149],{},"CSRF protection usually involves special tokens that prove a request came from your own website, not somewhere else.",[13,151,152],{},"Protection:\nMost frameworks include CSRF protection. Make sure it's enabled for forms and state-changing actions.",[23,154,156],{"id":155},"web-security-basics","Web Security Basics",[28,158,160],{"id":159},"httpsssl","HTTPS/SSL",[13,162,163],{},"HTTPS encrypts the data sent between your users' browsers and your website. Without HTTPS, anyone on the same network (like a coffee shop WiFi) can see passwords, form data, and other sensitive information in plain text.",[13,165,166],{},"Today, HTTPS is basically required. Most deployment platforms provide it for free.",[13,168,169],{},"Check:\nYour website URL should start with https:// (not http://). Look for the padlock icon in the browser.",[28,171,173],{"id":172},"security-headers","Security Headers",[13,175,176],{},"Security headers are instructions your server sends to browsers telling them how to behave securely. They can prevent clickjacking, stop your site from being embedded in malicious frames, and control which scripts can run.",[13,178,179],{},"Common security headers include Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.",[13,181,182],{},"How to add them:\nIn Vercel, you add headers in vercel.json. In Netlify, use the _headers file.",[28,184,186],{"id":185},"cors-cross-origin-resource-sharing","CORS (Cross-Origin Resource Sharing)",[13,188,189],{},"CORS is a security feature that controls which websites can make requests to your backend. Without CORS restrictions, any website could make requests to your API pretending to be your app.",[13,191,192],{},"CORS errors are frustrating, but they exist to protect your users. The fix is to configure which origins (domains) are allowed to access your API.",[13,194,195],{},"What to do:\nConfigure your backend to allow requests from your frontend domain, but not from everywhere (*).",[23,197,199],{"id":198},"data-protection","Data Protection",[28,201,203],{"id":202},"encryption-at-rest","Encryption at Rest",[13,205,206],{},"Encryption at rest means your data is encrypted when it's stored. If someone steals your database files, they can't read the data without the encryption keys.",[13,208,209],{},"Most managed database services (Supabase, PlanetScale, Firebase) encrypt data at rest by default.",[13,211,212],{},"Check:\nReview your database provider's security documentation to confirm encryption is enabled.",[28,214,216],{"id":215},"encryption-in-transit","Encryption in Transit",[13,218,219],{},"Encryption in transit means data is encrypted while it travels over the network. This is what HTTPS provides for web traffic. For database connections, look for SSL/TLS connection options.",[13,221,222],{},"Example:\nWhen your app connects to Supabase, that connection should use SSL so the data can't be intercepted.",[28,224,226],{"id":225},"data-breach","Data Breach",[13,228,229],{},"A data breach is when unauthorized people access your data. This can happen through hacking, exposed credentials, misconfigured databases, or insider threats. Breaches can result in legal penalties, lost customers, and reputation damage.",[13,231,232],{},"According to IBM's 2024 report, the average cost of a data breach is $4.88 million.",[13,234,235],{},"Prevention:\nRegular security scanning, proper access controls, and following security best practices reduce breach risk.",[23,237,239],{"id":238},"quick-reference-table","Quick Reference Table",[241,242,243,259],"table",{},[244,245,246],"thead",{},[247,248,249,253,256],"tr",{},[250,251,252],"th",{},"Term",[250,254,255],{},"What It Means",[250,257,258],{},"Why You Should Care",[260,261,262,273,283,293,304,314,325,336,346],"tbody",{},[247,263,264,267,270],{},[265,266,44],"td",{},[265,268,269],{},"Secret password for services",[265,271,272],{},"Exposed keys lead to charges and data theft",[247,274,275,277,280],{},[265,276,74],{},[265,278,279],{},"Verifying who someone is",[265,281,282],{},"Prevents impersonation",[247,284,285,287,290],{},[265,286,87],{},[265,288,289],{},"What someone is allowed to do",[265,291,292],{},"Prevents unauthorized access",[247,294,295,298,301],{},[265,296,297],{},"RLS",[265,299,300],{},"Database row-level access control",[265,302,303],{},"Keeps user data private",[247,305,306,308,311],{},[265,307,117],{},[265,309,310],{},"Attack via database commands",[265,312,313],{},"Can destroy or steal all data",[247,315,316,319,322],{},[265,317,318],{},"XSS",[265,320,321],{},"Malicious scripts in your site",[265,323,324],{},"Steals user sessions and data",[247,326,327,330,333],{},[265,328,329],{},"HTTPS",[265,331,332],{},"Encrypted web traffic",[265,334,335],{},"Protects data in transit",[247,337,338,340,343],{},[265,339,173],{},[265,341,342],{},"Browser security instructions",[265,344,345],{},"Prevents various attacks",[247,347,348,351,354],{},[265,349,350],{},"CORS",[265,352,353],{},"Cross-origin request control",[265,355,356],{},"Limits who can use your API",[23,358,360],{"id":359},"what-should-you-do-next","What Should You Do Next?",[13,362,363],{},"Now that you know the terminology, here are your next steps:",[365,366,367,375,381,387],"ol",{},[368,369,370,374],"li",{},[371,372,373],"strong",{},"Run a security scan"," to find obvious issues like exposed API keys and missing HTTPS.",[368,376,377,380],{},[371,378,379],{},"Check your environment variables"," to make sure secrets aren't in your code.",[368,382,383,386],{},[371,384,385],{},"Enable RLS"," if you're using Supabase or another PostgreSQL database.",[368,388,389,392],{},[371,390,391],{},"Add security headers"," to your deployment configuration.",[13,394,395],{},"You don't need to become a security expert. You just need to cover the basics and use tools that help you find problems before attackers do.",[397,398,399,405,411,417,423],"faq-section",{},[400,401,403],"faq-item",{"question":402},"What is vibe coding?",[13,404,34],{},[400,406,408],{"question":407},"What is an API key?",[13,409,410],{},"An API key is a secret password that lets your app talk to other services like Stripe, OpenAI, or Firebase. If someone gets your API key, they can use those services as if they were you, which can result in unexpected charges or data access. API keys should never be visible in your code or accessible from a browser.",[400,412,414],{"question":413},"What does authentication mean in web security?",[13,415,416],{},"Authentication is the process of verifying who someone is. When users log in with a username and password, that's authentication. It answers the question \"Are you who you claim to be?\" This is different from authorization, which determines what an authenticated user is allowed to do.",[400,418,420],{"question":419},"Why do I need to learn security terms if I'm not technical?",[13,421,422],{},"Understanding basic security terms helps you communicate with developers, evaluate security tools, and make informed decisions about your app's safety. You don't need deep technical knowledge, but knowing what terms like \"exposed API key\" or \"SQL injection\" mean helps you recognize problems and take appropriate action.",[400,424,426],{"question":425},"Which security terms should I learn first?",[13,427,428],{},"Start with API keys, authentication, authorization, and HTTPS. These are the most common terms you'll encounter and the most immediately relevant to securing a vibe-coded app. From there, learn about RLS if you use Supabase, and security headers when you're ready to harden your deployment.",[430,431,434,438],"cta-box",{"href":432,"label":433},"/","Start Free Scan",[23,435,437],{"id":436},"ready-to-check-your-apps-security","Ready to Check Your App's Security?",[13,439,440],{},"Run a free security scan and get plain-English results you can actually understand.",[442,443,444,450,455],"related-articles",{},[445,446],"related-card",{"description":447,"href":448,"title":449},"The essential first step for securing your app","/blog/start-here-security-guide","Start Here: Find Your Security Guide",[445,451],{"description":452,"href":453,"title":454},"Why AI-generated code has security gaps","/blog/security-reality-of-vibe-coding","The Security Reality of Vibe Coding",[445,456],{"description":457,"href":458,"title":459},"What they are and why they're dangerous","/blog/exposed-api-keys-explained","Exposed API Keys Explained",{"title":461,"searchDepth":462,"depth":462,"links":463},"",2,[464,470,475,480,485,490,491,492],{"id":25,"depth":462,"text":26,"children":465},[466,468,469],{"id":30,"depth":467,"text":31},3,{"id":43,"depth":467,"text":44},{"id":56,"depth":467,"text":57},{"id":69,"depth":462,"text":70,"children":471},[472,473,474],{"id":73,"depth":467,"text":74},{"id":86,"depth":467,"text":87},{"id":99,"depth":467,"text":100},{"id":112,"depth":462,"text":113,"children":476},[477,478,479],{"id":116,"depth":467,"text":117},{"id":129,"depth":467,"text":130},{"id":142,"depth":467,"text":143},{"id":155,"depth":462,"text":156,"children":481},[482,483,484],{"id":159,"depth":467,"text":160},{"id":172,"depth":467,"text":173},{"id":185,"depth":467,"text":186},{"id":198,"depth":462,"text":199,"children":486},[487,488,489],{"id":202,"depth":467,"text":203},{"id":215,"depth":467,"text":216},{"id":225,"depth":467,"text":226},{"id":238,"depth":462,"text":239},{"id":359,"depth":462,"text":360},{"id":436,"depth":462,"text":437},"glossary","2026-01-12","Security terms explained for non-technical founders. From API keys to XSS, learn what security jargon actually means in plain English.",false,"md",[499,500,501,503],{"question":402,"answer":34},{"question":407,"answer":410},{"question":413,"answer":502},"Authentication is the process of verifying who someone is. When users log in with a username and password, that's authentication. It answers the question 'Are you who you claim to be?' This is different from authorization, which determines what an authenticated user is allowed to do.",{"question":419,"answer":504},"Understanding basic security terms helps you communicate with developers, evaluate security tools, and make informed decisions about your app's safety. You don't need deep technical knowledge, but knowing what terms like 'exposed API key' or 'SQL injection' mean helps you recognize problems and take appropriate action.","green",null,{},true,"Security terms explained for non-technical founders. From API keys to XSS, learn what security jargon actually means.","/blog/glossary/vibe-coding-security-glossary","12 min read","[object Object]","BlogPosting",{"title":5,"description":495},{"loc":510},"blog/glossary/vibe-coding-security-glossary",[],"summary_large_image","ahG-I2K4KaqreyayxbtnIug4VacHrBpv7xz3QHUdldw",1775843922406]