What belongs on a vibe coding security checklist?
Include exposed files, source maps, leaked client-side secrets, headers, CORS, cookies, unauthenticated APIs, storage exposure, authorization, tenant isolation, payment entitlements, webhook verification, dependency hygiene, and a retest step after fixes.
What should I check first before sharing a vibe-coded app?
Start with the deployed URL. If a stranger can fetch private files, source maps, secret-shaped strings, or data-bearing APIs without logging in, that is a launch blocker before deeper review even starts.
Can I use only a checklist instead of a scanner?
Use both. A checklist keeps the launch review complete, while a scanner gives repeatable evidence for the public-surface items and makes it harder to miss a reachable file, header, or endpoint.