Around 4 months ago, I thought “vibe coding” was a bad idea. Constant interactions with LLMs were not a good thing: we need more time and space to pause and think for ourselves.

I have changed my mind.

The tools have just got so much better. Perplexity voice is now a much better assistant on mundane tasks compared with Google. And the “vibe coding” experience has fundamentally changed too. It is no longer about copying and pasting from ChatGPT and hoping for the best: one can just stay in the IDE and monitor code changes step by step.

For example, after manually simplifying and updating my landing page, I wanted to explore a feature where it can display posts from all 3 of my blogs.

The way I built the landing page and the blogs means this is not straightforward. The landing page was made with Next; the blogs with Hugo.

After explaining the situation, Claude immediately came up with a reasonable answer: read the RSS feeds from the blog and display it on the landing page.

After I approved this, Claude Code basically changed the files in the directory step-by-step to the intended result. Every change (which is highlighted to me in VS Code) made sense, and the end result worked out of the box.

There was a problem with deployment, and I then instructed Claude to (finally, belatedly) install a linter to catch all these deployment problems. Again, the linter is found and installed, and all the errors discovered and removed step by step.

For the smaller changes (e.g. on layout), it was quicker to make changes by hand than ask Claude. But even there Claude had good inputs too, e.g. advice on how to adjust the line-spacing so that the landing page reads better.

The deployment worked fine on the landing page on laptops, but not when I access it on my phone. Why?

Simply by reporting this, Claude was able to conjecture it was a CORS issue: mobile browsers apparently enforce this more rigorously. A separate API end point was created to solve the problems.

The main concern I have with this approach is security. Claude wrote the code. I can see all the changes and quickly check there is no obvious funny business. But can I be sure a security vulnerability hasn’t been introduced somewhere along the way?

At the moment, I still don’t have a full answer to this. My mental model of cybersecurity is still quite hazy: even after skimming the highly readable Bug Bounty Bootcamp, I am still at a loss as to what counts as a sensible assessment for the security of hobby projects e.g. a personal blog.

My (very rough) current intuitions are as follows:

  • There is little economic or other incentive for someone to attack the website. There are no features for user input. So the only data which are at risk are my own. And (unless there are some backdoors I am not aware of) there is no reason to think that my passwords etc would somehow be leaked on the website.

  • After realising Claude has capacity to run scripts that affect files beyond the current directory, I stopped giving permission to “run dangerously” and auto-accept edits (and looked at the logs). In the future, I will likely run agentic coding tools on a Github Codespace.

  • If no user input is accepted, arguably the attack surface itself is quite limited. An attacker will have to compromise the backend: but even then, assuming it only hosts the blogs, what would the attacker actually see?

  • A more realistic threat maybe phishing: the more information one posts online, the more ammunition (so to speak) an impersonator has to impersonate someone (e.g. to attack the “forget password” function of major websites). But that is a necessary tradeoff once anyone publishes anything online.

Still my mental model is still too hazy for comfort: will either read into this more or just stop vibe coding altogether.