The Vibe Coding Security Glossary: 40 Terms Every Builder Should Know
From XSS to RLS, CSRF to CORS - a plain English glossary of 40 security terms every vibe coder needs to understand.
SEC-001
SEC-002
SEC-003
SEC-004
SEC-005
Quick Answer
Security scan reports are full of acronyms and jargon: XSS, CSRF, RLS, CORS, SSRF, JWT, CVE. If you build apps with AI tools and have never worked in security, these terms can be overwhelming. This glossary explains 40 essential security terms in plain English with concrete examples from AI-generated codebases. Bookmark this page - you will reference it every time you read a scan report.
Authentication and Authorization
| Term |
Plain English |
AI Code Example |
| Authentication (AuthN) |
Proving who you are. "Are you really user #42?" |
Login form that checks your email and password |
| Authorization (AuthZ) |
Checking what you are allowed to do. "Can user #42 delete this post?" |
Middleware that checks if the logged-in user owns the resource |
| JWT (JSON Web Token) |
A signed token sent with API requests to prove you are logged in. Like a digital ID badge. |
Authorization: Bearer eyJhbGci... in request headers |
| Session |
Server-side record of a logged-in user. The server remembers you between requests. |
A session ID stored in a cookie, mapped to user data on the server |
| OAuth |
A protocol that lets users log in with Google, GitHub, etc. without giving your app their password. |
"Sign in with Google" button that redirects to Google's login page |
| RBAC (Role-Based Access Control) |
Assigning permissions based on roles (admin, editor, viewer) rather than individual users. |
if (user.role === 'admin') before allowing delete operations |
| RLS (Row-Level Security) |
Database rules that filter rows based on who is asking. Users only see their own data. |
Supabase policies: auth.uid() = user_id on every table |
| MFA / 2FA |
Requiring a second proof of identity (like a phone code) in addition to a password. |
After password login, prompting for a 6-digit code from an authenticator app |
Common Vulnerabilities
| Term |
Plain English |
AI Code Example |
| XSS (Cross-Site Scripting) |
Attacker injects JavaScript into your page that runs in other users' browsers. |
Using dangerouslySetInnerHTML with user input in React |
| SQL Injection |
Attacker sends database commands through your input fields. |
db.query(`SELECT * FROM users WHERE name = '${input}'`) |
| CSRF (Cross-Site Request Forgery) |
A malicious site tricks your browser into making requests to your app while you are logged in. |
No CSRF token on forms; attacker page auto-submits a hidden form to your API |
| SSRF (Server-Side Request Forgery) |
Attacker tricks your server into making requests to internal/private URLs. |
fetch(req.body.url) - attacker sends http://169.254.169.254 to read cloud metadata |
| IDOR (Insecure Direct Object Reference) |
Changing an ID in the URL to access someone else's data. |
/api/users/42/profile - change 42 to 43 to see another user's profile |
| RCE (Remote Code Execution) |
Attacker runs arbitrary code on your server. |
Using eval(userInput) or unsanitized input in shell commands |
| CVE (Common Vulnerabilities and Exposures) |
A unique ID for a known security bug in a specific software version. |
CVE-2023-12345 means a specific bug reported in a specific package version |
| Prototype Pollution |
Attacker modifies JavaScript's built-in object prototype to change behavior globally. |
Sending {"__proto__": {"admin": true}} in a JSON body |
Web Security Headers and Protocols
| Term |
Plain English |
AI Code Example |
| CORS (Cross-Origin Resource Sharing) |
Browser rules that control which websites can call your API. |
cors({ origin: '*' }) means any website can call your API (bad) |
| CSP (Content Security Policy) |
A header that tells browsers which scripts, styles, and resources are allowed to load. |
Content-Security-Policy: script-src 'self' blocks injected scripts |
| HSTS (HTTP Strict Transport Security) |
Tells browsers to always use HTTPS, even if the user types http://. |
Strict-Transport-Security: max-age=31536000 |
| SSL/TLS |
Encryption between the browser and your server. The "S" in HTTPS. |
The padlock icon in the browser address bar |
| HTTPS |
HTTP with encryption (TLS). All production sites should use it. |
Your site URL starting with https:// instead of http:// |
| X-Frame-Options |
Prevents your site from being loaded inside an iframe on another site (prevents clickjacking). |
X-Frame-Options: DENY |
Data Protection
| Term |
Plain English |
AI Code Example |
| Encryption at Rest |
Data is encrypted when stored on disk (database, files). |
Database-level encryption or encrypted file storage |
| Encryption in Transit |
Data is encrypted while traveling over the network (HTTPS/TLS). |
All API calls use https:// |
| Hashing |
One-way transformation of data (like passwords) that cannot be reversed. |
bcrypt.hash(password, 10) before storing in database |
| Salt |
Random data added to a password before hashing to prevent rainbow table attacks. |
bcrypt includes a salt automatically; no manual step needed |
| PII (Personally Identifiable Information) |
Any data that can identify a person: name, email, phone, SSN, IP address. |
User profile data, form submissions, analytics data with IP addresses |
| GDPR |
EU regulation governing how personal data is collected, stored, and processed. |
If any EU user signs up for your app, GDPR applies to you |
Infrastructure and DevOps Security
| Term |
Plain English |
AI Code Example |
| Environment Variable |
A secret value stored outside your code, loaded at runtime. |
process.env.DATABASE_URL instead of hardcoding the connection string |
| Secret |
Any value that should never be in source code: API keys, passwords, tokens. |
Stripe secret key, database password, JWT signing secret |
| Rate Limiting |
Limiting how many requests a user/IP can make in a time period. |
Max 5 login attempts per minute per IP address |
| WAF (Web Application Firewall) |
A layer between the internet and your app that blocks known attack patterns. |
Cloudflare, AWS WAF, or Vercel's built-in protection |
| Dependency |
An npm package (or library) your app uses. Each one is a potential vulnerability vector. |
Every line in your package.json dependencies section |
| Supply Chain Attack |
Compromising a dependency that your app trusts, so malicious code runs in your app. |
A popular npm package gets hijacked and injects a crypto miner |
Security Testing Terms
| Term |
Plain English |
AI Code Example |
| Penetration Test (Pentest) |
A human security expert tries to hack your app (with permission) to find vulnerabilities. |
Hiring a pentester to attempt to access admin panels, steal data, etc. |
| SAST (Static Application Security Testing) |
Scanning your source code for vulnerabilities without running it. |
Tools like VibeDoctor, SonarQube, or Semgrep analyzing your repo |
| DAST (Dynamic Application Security Testing) |
Testing your running application by sending requests and analyzing responses. |
Lighthouse security audit, header checks, SSL validation on your live URL |
| SCA (Software Composition Analysis) |
Scanning your dependencies for known vulnerabilities (CVEs). |
npm audit, Trivy, Snyk checking your package-lock.json |
| OWASP |
Open Worldwide Application Security Project. Publishes the industry-standard Top 10 vulnerability list. |
The OWASP Top 10 is referenced by every major compliance framework |
How to Use This Glossary
- Bookmark this page. Reference it whenever you read a security scan report or encounter an unfamiliar term.
- Run a scan. VibeDoctor (vibedoctor.io) generates a report that uses many of these terms. Having this glossary open while reviewing your report makes the findings immediately actionable.
- Focus on what applies. You do not need to memorize all 40 terms today. Learn the ones that appear in your scan report first.
- Share with your team. If you work with other non-security developers, this glossary helps everyone speak the same language when discussing scan results and fixes.
FAQ
Do I need to understand all of these to build a secure app?
No. Start with authentication, authorization, XSS, SQL injection, and CORS. These five concepts cover the majority of vulnerabilities in AI-generated apps. Learn the rest as they appear in your scan reports. Security knowledge builds incrementally.
Which vulnerabilities are most common in vibe-coded apps?
In order of frequency: missing authentication (authorization bypass), SQL injection, XSS (especially via dangerouslySetInnerHTML), exposed secrets in source code, and CORS misconfiguration (origin: *). These five account for roughly 80% of findings in AI-generated codebases.
What is the difference between a vulnerability and a misconfiguration?
A vulnerability is a bug in your code that can be exploited (e.g., SQL injection). A misconfiguration is a setting that is incorrect or too permissive (e.g., CORS origin: *, debug mode enabled in production). Both can lead to breaches. Misconfigurations are usually faster to fix.
Where can I learn more about web security?
Start with OWASP's Top 10 (free). PortSwigger Web Security Academy has free hands-on labs. Mozilla's MDN Web Docs has excellent HTTP security header documentation. For AI-specific security patterns, VibeDoctor's blog covers the intersection of vibe coding and security in every article.
Scan your codebase for this issue - free
VibeDoctor checks for SEC-001, SEC-002, SEC-003, SEC-004, SEC-005 and 128 other issues across 15 diagnostic areas.
SCAN MY APP →