🥴Slop2Prod

🛡️ S2P Top 10

The most common security issues we find in vibe-coded applications, with actionable advice to fix them.

Heads Up!

This Top 10 list is currently based on common security pitfalls and best practices, generated with AI assistance. As Slop2Prod analyzes more submissions, we'll update this page with insights derived directly from the real-world 'slop' we encounter. Stay tuned for data-driven updates!

1

Exposed API Keys & Secrets

The Issue

Hardcoded API keys, database credentials, and other secrets in client-side code or committed to public repositories. This allows attackers to access your services, potentially rack up huge bills, or access private data.

Common Signs

  • API keys directly in frontend JavaScript files
  • Credentials in GitHub repositories (even in past commits)
  • Environment variables included in client bundles
  • Unprotected .env files

How to Fix It

  • Move ALL secrets to server-side code or environment variables
  • Use a .env file that's in your .gitignore
  • For frontend apps, create a backend API that proxies requests requiring secrets
  • Rotate any exposed credentials immediately
  • Consider using a vault service like AWS Secrets Manager, HashiCorp Vault, or Doppler
2

Missing Authentication & Authorization

The Issue

Routes and API endpoints that don't properly check if a user is authenticated or authorized to access resources. This can lead to sensitive data exposure or allow unauthorized actions.

Common Signs

  • API endpoints that don't verify authentication tokens
  • User data accessible by simply changing IDs in URLs
  • Admin functions accessible to regular users
  • Authentication checks on the frontend but not the backend

How to Fix It

  • Add middleware that verifies authentication for protected routes
  • Implement role-based access control (RBAC) for different user permissions
  • Always verify that a user has permission to access a specific resource
  • Use server-side sessions or JWTs with proper validation
  • Consider using an auth provider like Auth0, Firebase Auth, or Clerk
3

Insufficient Input Validation

The Issue

Accepting user input without proper validation and sanitization. This can lead to injection attacks (SQL, NoSQL, command injection), XSS, and other vulnerabilities.

Common Signs

  • Direct insertion of user input into database queries
  • Rendering user input as HTML without sanitization
  • Using eval() or similar functions with user input
  • No data type or format validation on inputs

How to Fix It

  • Validate all inputs on both client AND server side
  • Use parameterized queries for database operations
  • Sanitize HTML output with libraries like DOMPurify
  • Use schema validation libraries (Zod, Yup, Joi)
  • Implement input type checking and constraints
4

Broken CORS & Security Headers

The Issue

Misconfigured Cross-Origin Resource Sharing (CORS) policies and missing security headers. This can enable cross-site attacks and reduce overall security posture.

Common Signs

  • Overly permissive CORS settings (Access-Control-Allow-Origin: *)
  • Missing Content-Security-Policy headers
  • Missing X-Frame-Options to prevent clickjacking
  • Missing HTTP Strict Transport Security (HSTS) headers

How to Fix It

  • Configure CORS to only allow specific origins
  • Set appropriate security headers (CSP, X-Content-Type-Options, etc.)
  • Enable HSTS to enforce HTTPS
  • Use security middleware like Helmet.js for Node.js apps
  • Test your site with securityheaders.com
5

Vulnerable Dependencies

The Issue

Using outdated or vulnerable third-party libraries and dependencies. These can contain known security issues that attackers can exploit.

Common Signs

  • Old versions of packages in package.json
  • Security warnings during npm/yarn install
  • No regular updates to dependencies
  • No vulnerability scanning in CI/CD pipeline

How to Fix It

  • Regularly update dependencies with npm update or yarn upgrade
  • Run npm audit or yarn audit to check for vulnerabilities
  • Add dependency scanning to your CI/CD pipeline (Snyk, Dependabot)
  • Remove unused dependencies
  • Consider package lockfiles for consistent installations

More Common Issues

6. Missing Rate Limiting

No limits on login attempts, form submissions, or API requests, enabling brute force attacks and abuse.

7. Insecure File Uploads

Allowing dangerous file types to be uploaded without proper validation, potentially enabling server-side attacks.

8. Client-Side Only Validation

Relying solely on JavaScript for validation that can be easily bypassed by attackers.

9. Insecure Deserialization

Blindly deserializing data from untrusted sources without validation, leading to remote code execution vulnerabilities.

10. Poor Error Handling

Exposing detailed error messages and stack traces in production, revealing sensitive implementation details to attackers.

Submit Your App for Review