Overview of the most common security issues VibeCheck detects in Next.js applications and how to prevent them.
Authentication Issues
VC-AUTH-001: Unprotected API Routes
Routes that modify data without checking user authentication.
Fix: Always verify the session at the start of the route handler and return early (for example with a 401) when there is none.
Injection Vulnerabilities
VC-INJ-001: SQL Injection
User input directly concatenated into SQL queries.
Fix: Use parameterized queries or an ORM like Prisma.
VC-INJ-002: XSS (Cross-Site Scripting)
User input rendered as HTML without sanitization.
Fix: React escapes rendered strings by default; treat dangerouslySetInnerHTML as a sink and only pass it sanitized HTML.
Configuration Issues
VC-CFG-001: Missing Security Headers
The application doesn't set recommended security headers (for example Content-Security-Policy, X-Content-Type-Options, or Strict-Transport-Security).
Fix: Configure headers in next.config.js.
VC-CFG-002: Debug Mode in Production
Detailed error messages exposed in production.
Fix: Set NODE_ENV=production and use proper error handling.
Data Exposure
VC-DATA-001: Sensitive Data in Logs
Passwords, tokens, or PII written to logs.
Fix: Sanitize log output and use structured logging.
VC-DATA-002: Excessive Data in API Responses
API returns more fields than necessary, exposing internal data.
Fix: Explicitly select fields to return.
Security Hallucinations
VibeCheck specifically detects "security hallucinations" - patterns where code appears to implement security but doesn't actually provide protection:
- Auth checks that don't block unauthorized access
- Validation that logs but doesn't reject bad input
- Rate limiting that doesn't actually limit
- Encryption with hardcoded or weak keys
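The first hallucination pattern, alongside VC-AUTH-001, in code: an added example, not VibeCheck's or Next.js's own code. The handlers return plain `{ status, body }` objects standing in for Next.js responses, and `getSession`, `SESSIONS` and `posts` are constructed stand-ins for a real session lookup and data store (assumptions so the example runs without Next.js).

```javascript
// Constructed in-memory store that a POST /api/posts handler mutates.
const posts = [];

// Constructed session lookup: maps a bearer token to a user, or null if unknown.
const SESSIONS = { "tok-alice": { id: "u1", name: "alice" } };
function getSession(req) {
  const auth = req.headers["authorization"] || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  return SESSIONS[token] || null;
}

// Security hallucination: the session IS checked and the failure IS logged,
// but the handler never returns, so the write happens for anyone.
function vulnerableCreatePost(req) {
  const session = getSession(req);
  if (!session) {
    console.warn("unauthorized request to /api/posts"); // logs, does not block
  }
  posts.push({ title: req.body.title, author: session ? session.id : "anonymous" });
  return { status: 201, body: { count: posts.length } };
}

// Fixed form of VC-AUTH-001: verify the session first and return early on failure;
// input validation rejects bad input instead of only logging it.
function secureCreatePost(req) {
  const session = getSession(req);
  if (!session) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  const title = req.body && req.body.title;
  if (typeof title !== "string" || title.length === 0) {
    return { status: 400, body: { error: "title required" } };
  }
  posts.push({ title, author: session.id });
  return { status: 201, body: { count: posts.length } };
}

// Exposes the store size so the side effect of each handler can be observed.
function postCount() {
  return posts.length;
}
```

Running both handlers with an unauthenticated request shows the difference that matters to a detector: the vulnerable one still returns 201 and grows the store, the fixed one returns 401 and leaves it untouched.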