I saw a Reddit thread about vibe coded sites having security issues - credentials exposed, databases vulnerable, source code visible to anyone who looks. Suddenly, I had a pit in my stomach. Did I accidentally build something unsafe without realizing it?
Then I remembered what my site actually is: markdown files that get turned into HTML. There’s no database. No user logins. No API keys. But I still wanted to make sure.
HAVE CLAUDE CHECK YOUR SITE
Before spiraling into worry, just ask Claude to take a look:
Audit this project for security issues. Check for:
- Any secrets or API keys in the code
- Anything sensitive in files that get pushed to GitHub
- Any security concerns with how the site is built
Be thorough and tell me if anything looks wrong.
Claude will scan through your files and flag anything that seems concerning. For a simple static blog, it’ll probably come back clean - but it’s worth checking.
CLAUDE’S SECURITY SCANNING
Claude Code has built-in security awareness and will often warn you proactively if you’re about to do something risky like committing an .env file. For a static blog it’s probably overkill, but good to know it’s watching out for you.
THE QUICK SECURITY CHECKLIST
For static sites like ours, security is mostly about not accidentally exposing things you didn’t mean to. Here’s a prompt that covers everything:
Check my project's security setup:
1. Does my .gitignore include .env files, node_modules, and anything with secrets?
2. Is my GitHub repo public or private, and should I be aware of anything either way?
3. Have I accidentally committed any secrets in my git history?
4. Are there any hardcoded API keys or passwords in my code?
Fix anything that looks wrong.
Claude will check all of this and fix any issues it finds.
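If you want to see what those checks look like when run by hand, here is an added example (not part of the original article or of Claude's own tooling) covering items 1, 3 and 4 of the prompt with plain git commands. The function names, the list of file patterns and the secret-matching regex are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: manual version of checklist items 1, 3 and 4 for a git repo.
# SECRET_RE is a constructed heuristic (an assumption), not a complete detector.
SECRET_RE="(api[_-]?key|secret|password|token)[A-Za-z_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# Item 1: print each given path that .gitignore does NOT cover.
# --no-index evaluates the ignore rules even if the file is already tracked.
unignored_paths() {
  local repo=$1 p
  shift
  for p in "$@"; do
    git -C "$repo" check-ignore -q --no-index -- "$p" || echo "$p"
  done
}

# Item 3: secret-bearing files ever added in any commit on any branch,
# including files that were deleted or untracked later.
ever_committed() {
  git -C "$1" log --all --diff-filter=A --name-only --format= \
    -- '*.env' '*.env.*' '*.pem' | sed '/^$/d' | sort -u
}

# Item 4: lines in currently tracked files that look like hardcoded credentials.
hardcoded_secrets() {
  git -C "$1" grep -nIiE -e "$SECRET_RE" || true
}

# Run all three checks; returns non-zero if anything was found.
# node_modules/x is a probe path standing in for any file inside node_modules.
audit_repo() {
  local repo=${1:-.} found=0 out
  out=$(unignored_paths "$repo" .env .env.local node_modules/x)
  if [ -n "$out" ]; then echo "Not ignored:"; echo "$out"; found=1; fi
  out=$(ever_committed "$repo")
  if [ -n "$out" ]; then echo "In git history:"; echo "$out"; found=1; fi
  out=$(hardcoded_secrets "$repo")
  if [ -n "$out" ]; then echo "Possible secrets:"; echo "$out"; found=1; fi
  return "$found"
}
# Usage: source this file, then run: audit_repo /path/to/your/blog
```

A hit from `ever_committed` means the value is still retrievable from history even after the file has been added to .gitignore, so rotate that credential rather than only deleting the file.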
WHY STATIC BLOGS ARE ALREADY SECURE
Most of the security nightmares you read about online come from things like databases getting hacked, API keys getting stolen and abused, user data getting exposed, or backend vulnerabilities being exploited.
A static Astro blog has none of these attack surfaces - no database, no backend, no user data. The “source code” that people can see is just your HTML and CSS, which is how all websites work. As long as no secret was accidentally committed or copied into those files, there’s nothing secret in there to steal.
Those scary Reddit warnings about security vulnerabilities? They apply to apps with databases, user authentication, and API integrations. Not to blogs made of markdown files.
WITH THAT SAID, IF YOU’RE STILL WORRIED
Run this for extra peace of mind:
Do a full security review of this project. Pretend you're a security auditor
trying to find vulnerabilities. Check:
- The code
- The config files
- The git history
- The deployment setup
What would you flag as a concern?
Claude will be thorough about it, and for a static blog the answer is usually “there’s nothing here to attack.”
IF YOU’RE BUILDING SOMETHING MORE COMPLEX
This article is about simple static sites, and for those, you’re already in good shape. But if you start adding databases, user authentication, or API integrations to your projects, security becomes a real thing you need to think about.
When you get to that point, check out the Secure Vibe Coding Whitepaper - it covers the security challenges that actually apply to more complex vibe coded projects.
Don’t worry - your static blog is secure. Now let’s do a quick sanity check before you start sharing the URL with people.