Introduction
AI code generators produce functional applications quickly, but speed should not come at the cost of security. Generated code can contain vulnerabilities just like hand-written code -- sometimes more so, because the AI optimizes for functionality over defense. Before deploying any AI-generated application to production, a security review is essential.
This guide covers the most common security risks in generated web applications and provides practical steps to address each one.
Input Validation and Sanitization
The most common vulnerability in web applications, generated or otherwise, is insufficient input validation. Every piece of data that comes from a user -- form fields, URL parameters, file uploads, API request bodies -- must be validated on the server side before it is processed or stored.
AI-generated backends sometimes validate input on the frontend (using form validation in React) but skip server-side validation. Frontend validation improves user experience; server-side validation prevents attacks. You need both. Any attacker can bypass frontend validation by sending requests directly to the API.
Check that your API endpoints validate data types, enforce length limits, reject unexpected fields, and sanitize strings that will be rendered in HTML (to prevent cross-site scripting attacks).
SQL Injection Prevention
SQL injection remains one of the most dangerous web vulnerabilities. If your backend constructs SQL queries by concatenating user input into query strings, an attacker can modify the query to access or delete data they should not have access to.
AI-generated code typically uses parameterized queries or ORM methods that prevent SQL injection by default. However, it is worth verifying. Search the generated backend code for any place where user input is concatenated directly into a SQL string. If you find any, replace them with parameterized queries immediately.
Authentication Security
Generated authentication systems usually implement the basic flow correctly (registration, login, session tokens), but several important details are worth checking:
- Password hashing: Passwords should be hashed with bcrypt, scrypt, or Argon2 -- never stored in plain text or with simple hashing algorithms like MD5 or SHA-256 alone
- Token storage: JWTs should be stored in HTTP-only cookies, not in localStorage (which is accessible to JavaScript and vulnerable to XSS attacks)
- Token expiration: Access tokens should expire within 15-60 minutes; refresh tokens should have a longer but still finite lifetime
- Rate limiting: Login endpoints should limit the number of attempts per IP address to prevent brute-force attacks
Cross-Site Scripting (XSS)
XSS vulnerabilities occur when user-provided content is rendered as HTML without sanitization. If a user can submit a comment containing <script>alert('hacked')</script> and that comment is rendered on the page without escaping, the script will execute in other users' browsers.
React provides built-in XSS protection by escaping rendered content by default. However, using dangerouslySetInnerHTML bypasses this protection. Check generated code for any use of this property and ensure the content is sanitized with a library like DOMPurify before rendering.
CORS Configuration
Cross-Origin Resource Sharing (CORS) controls which domains can make requests to your API. A permissive CORS policy (allowing all origins with *) means any website can make requests to your backend, which is a security risk for APIs that use cookie-based authentication.
Generated backends sometimes set permissive CORS headers for simplicity during development. Before deploying to production, restrict CORS to only the domains that should have access -- typically your frontend domain.
Environment Variables and Secrets
API keys, database credentials, and other secrets must never appear in client-side code. Check that the generated frontend does not contain hardcoded API keys, that server-side environment variables are not leaked to the browser, and that .env files are included in .gitignore.
This is a common oversight in generated code because the AI may include configuration values inline rather than referencing environment variables.
Security Checklist Before Deployment
- All API inputs are validated on the server side
- Database queries use parameterized statements
- Passwords are hashed with bcrypt or Argon2
- Authentication tokens are stored in HTTP-only cookies
- CORS is restricted to authorized domains
- No secrets or API keys in client-side code
- HTTPS is enforced for all connections
- Rate limiting is applied to authentication endpoints
- File uploads are validated for type and size
- User-generated content is sanitized before rendering
Conclusion
Security is not a feature you add later -- it is a requirement from the first deployment. AI-generated code provides a fast starting point, but the security review that follows is your responsibility. The vulnerabilities described in this guide are well-known, well-documented, and preventable. Taking the time to check for them before deployment protects your users and your reputation.
