Security Mindset
Never let AI handle security-critical code alone.
High-Risk Areas
Always manually review AI-generated code for these areas:
- Authentication/authorization
- Cryptography
- Secret management
- Input sanitization
- SQL queries (injection risk)
- File system access
- External API keys
Example: SQL Injection
AI might generate vulnerable code:
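```javascript
// ❌ AI might generate (VULNERABLE):
// userId is interpolated straight into the SQL text.
const unsafeQuery = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ You should catch and fix:
// The value is passed separately as a bound parameter.
const query = `SELECT * FROM users WHERE id = $1`;
const result = await db.query(query, [userId]);
```
Use AI to Find Vulnerabilities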
Turn AI's knowledge against potential issues:
"Review this code for security vulnerabilities.
Check for: injection, XSS, CSRF, auth bypass,
data exposure, and insecure dependencies."
Security Review Checklist
Before deploying any auth-related code:
- No secrets in code or logs
- Inputs are validated and sanitized
- SQL uses parameterized queries
- Passwords are hashed (bcrypt/argon2)
- Sessions expire appropriately
- CORS is configured correctly
- Rate limiting is in place
- Error messages don't leak info
The Two-Pass Review
- First pass: Does it work?
- Second pass: What could go wrong?
Ask yourself:
- What if someone sends malicious input?
- What if they're not authenticated?
- What if they're authenticated but not authorized?
- What if they manipulate the request?
- What data could be exposed in errors?
When to Be Extra Careful
| Area | Concern |
|---|---|
| Login/signup | Credential handling |
| Password reset | Token security |
| File uploads | Path traversal, type checking |
| API endpoints | Authorization checks |
| Database queries | Injection |
| User input display | XSS |
| Payment processing | Everything |
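
The two-pass review applied to a single API endpoint, as an added example that is not from the original page: a handler that passes the first pass ("does it work?") next to the version that survives the second-pass questions. The handler names, the request shape and the in-memory invoice data are constructed for illustration.

```javascript
// Added example: handler names, request shape and invoice data are constructed.
const invoices = new Map([
  [1, { id: 1, ownerId: "alice", total: 120, cardLast4: "4242" }],
  [2, { id: 2, ownerId: "bob", total: 75, cardLast4: "1881" }],
]);

// First pass only: it works for a well-behaved caller, and nothing more.
function getInvoiceFirstPass(req) {
  return { status: 200, body: invoices.get(Number(req.params.id)) };
}

// Second pass: each check answers one of the review questions.
function getInvoiceReviewed(req) {
  // Not authenticated?
  if (!req.user) {
    return { status: 401, body: { error: "Authentication required" } };
  }
  // Malicious or manipulated input? Accept only a short decimal string.
  const rawId = req.params.id;
  if (typeof rawId !== "string" || !/^[1-9]\d{0,8}$/.test(rawId)) {
    return { status: 400, body: { error: "Invalid request" } };
  }
  // Authenticated but not authorized? Answer exactly as for a missing
  // record so the response does not confirm that the invoice exists.
  const invoice = invoices.get(Number(rawId));
  if (!invoice || invoice.ownerId !== req.user.id) {
    return { status: 404, body: { error: "Not found" } };
  }
  // Data exposed in responses? Return only the fields the caller needs.
  return { status: 200, body: { id: invoice.id, total: invoice.total } };
}

// Constructed requests: anonymous, cross-user, malformed, legitimate.
const alice = { id: "alice" };
console.log(getInvoiceFirstPass({ params: { id: "2" } }));
console.log(getInvoiceReviewed({ params: { id: "2" } }));
console.log(getInvoiceReviewed({ user: alice, params: { id: "2" } }));
console.log(getInvoiceReviewed({ user: alice, params: { id: "1 OR 1=1" } }));
console.log(getInvoiceReviewed({ user: alice, params: { id: "1" } }));
```

The first-pass handler returns bob's full record to an anonymous caller, which is the kind of gap that a "does it work?" check alone never surfaces.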