Home/
Part XV — Troubleshooting, Checklists, and Reference/46. Vibe Coding Checklists/46.5 Security checklist (prompt injection, secrets, access control)
46.5 Security checklist (prompt injection, secrets, access control)
Overview and links for this section of the guide.
On this page
Security Checklist
## Security Checklist
### Prompt Injection
- [ ] User input separated from instructions?
- [ ] User input in delimited sections (XML, markdown)?
- [ ] Dangerous patterns in user input blocked?
- [ ] Output validated before acting on it?
### Secrets
- [ ] API keys in environment variables (not code)?
- [ ] No secrets in prompts?
- [ ] No secrets in logs?
- [ ] Credential rotation policy?
### Access Control
- [ ] User can only access their own data?
- [ ] RAG respects document ACLs?
- [ ] Admin functions require elevated permissions?
- [ ] Rate limiting per user?
### Data Protection
- [ ] PII redacted before sending to model?
- [ ] Sensitive data never logged?
- [ ] Data classification enforced?
- [ ] GDPR/CCPA compliance verified?
### Attack Surface
- [ ] Can AI be tricked into revealing system prompts?
- [ ] Can AI be convinced to ignore rules?
- [ ] Can AI exfiltrate data via tools?
- [ ] Can AI be used for denial of service (expensive ops)?