Something changed in how developers build software. Over the past year, tools like Cursor, Claude Code, and GitHub Copilot turned a new generation of builders loose. People who previously couldn't ship a web app are now deploying full-stack applications in a weekend. Experienced developers are moving two to three times faster than before.
This is vibe coding -- you describe what you want, the AI writes the code, you iterate until it works. The feedback loop is tight. The results are real. Thousands of new apps are hitting production every week.
But there's a gap. A big one.
The security gap
AI coding assistants are great at building features. They are not great at bolting on production security after the fact. When you're done vibe coding your app, you still need to:
- Configure nginx as a reverse proxy (and hope you copy the right config from Stack Overflow)
- Set up certbot for TLS certificates, plus a cron job to renew them
- Install fail2ban and write rules you'll never test
- Add rate limiting -- maybe in your app code, maybe in nginx, maybe both
- Implement authentication middleware by hand
- Bolt on security headers (CSP, HSTS, X-Frame-Options) and hope you got them right
- Set up logging that's actually searchable
That's at least six different tools, six different configuration formats, and six different failure modes. Each one is a part-time job to maintain. And if you're a solo developer or a small team riding the vibe coding wave, you probably skip most of these steps.
We know because we did the same thing.
One binary, one config file
VibeWarden replaces that entire stack with a single Go binary. It runs as a sidecar on the same machine as your app, sitting between the internet and your application. Every request passes through VibeWarden's middleware chain before reaching your code.
Here's what getting started actually looks like:
# Install
curl -sS https://vibewarden.dev/install.sh | sh
# Generate a config file
vibew init --upstream 3000 --auth --rate-limit
# Run it
vibew devThat's it. Your app on port 3000 is now behind a reverse proxy with automatic TLS, API key authentication, and rate limiting. No nginx. No certbot cron jobs. No code changes in your app.
Everything is configured in a single vibewarden.yaml file:
upstream: http://localhost:3000
tls:
auto: true
domain: myapp.dev
auth:
type: api-key
rate_limit:
requests: 100
window: 60s
waf:
mode: blockEnable a feature by adding a few lines of YAML. Disable it by removing them. Every feature is a plugin -- TLS, auth, rate limiting, WAF, security headers, CORS, egress proxy, and more -- and disabled plugins add zero overhead.
Built for the AI-assisted workflow
Here's the insight that shaped VibeWarden's design: if your app is vibe-coded, your security setup should be too.
When your AI coding assistant hits a security error, it needs to understand what happened. Traditional log formats -- long lines of unstructured text -- are hard for LLMs to parse reliably. VibeWarden emits structured audit events with a published JSON schema. Each event includes a human-readable summary, a machine-readable payload, and a severity level.
That means your AI agent can read a VibeWarden log line, understand that a request was blocked by the WAF for a SQL injection pattern, and suggest a fix -- without you having to interpret the log yourself.
The YAML configuration is equally intentional. YAML is one of the formats LLMs handle best. When you tell your AI assistant "add rate limiting at 200 requests per minute," it can edit vibewarden.yaml directly and get it right on the first try.
We also publish llms.txt and llms-full.txt files on our website -- AI-readable summaries of what VibeWarden is and how to set it up. When your coding assistant needs to look up VibeWarden docs, it can consume these files directly instead of scraping HTML.
What's in the box
VibeWarden ships as a single binary built in Go, with Caddy embedded as the reverse proxy engine. Here's what the middleware chain does to every inbound request:
- IP filtering -- allowlist or blocklist by IP and CIDR range
- Body size limits -- global and per-path maximum request sizes
- Rate limiting (per-IP) -- token bucket, in-memory or Redis-backed
- WAF -- blocks SQL injection, XSS, and path traversal (detect or block mode)
- Authentication -- JWT/OIDC, Ory Kratos session, or API key, with user identity injected as headers
- Rate limiting (per-user) -- applied after authentication
- Secret injection -- pulls secrets from OpenBao and injects them as request headers
- Reverse proxy -- forwards the clean request to your app
- Security headers -- HSTS, CSP, X-Frame-Options on every response
- Audit logging -- structured event for every security-relevant action
On the outbound side, the egress proxy controls what external APIs your app can talk to. You configure an allowlist of domains, and VibeWarden blocks everything else. This catches server-side request forgery (SSRF) and unexpected data exfiltration.
There's also a prompt injection detection layer for LLM-powered apps, catching injection attacks before they reach your model.
Zero code changes (for ingress)
VibeWarden intercepts traffic at the network level. Your app doesn't need to import a library, add middleware, or change a single line of code. It doesn't matter if your app is written in Python, Node, Go, Ruby, or whatever your AI assistant chose for you.
The egress proxy requires pointing your app's outbound requests through VibeWarden's proxy (usually one environment variable: HTTP_PROXY). But for everything on the inbound side -- TLS, auth, rate limiting, WAF, headers, logging -- it just works.
What's next
VibeWarden is open source under the Apache 2.0 license. The core will stay free.
We're working on:
- Community -- we want VibeWarden's defaults and rules to improve based on what real deployments encounter
- VibeWarden Pro -- a hosted dashboard for teams that want fleet-wide visibility, centralized config, and managed updates
- More integrations -- broader identity provider support, additional secret backends, and observability stack options
If you're building something with AI-assisted tools and you've been putting off security, give VibeWarden a try. Three commands, five minutes, and your app is production-hardened.
curl -sS https://vibewarden.dev/install.sh | sh
vibew init --upstream 3000 --auth --rate-limit
vibew devRead the full documentation, or check out the source on GitHub.
You vibe, we warden. Security is no longer your burden.