Claude Opus 4.7, Vibecoding, and the Security Review You Should Be Running

Q: What's actually new in Claude Opus 4.7 vs Opus 4.6?

Better agentic coding, stronger software engineering on the hardest benchmarks, higher-resolution image support (up to 2576px / 3.75MP vs 1568px / 1.15MP), a new xhigh effort level, and task budgets in beta. Pricing is unchanged at $5/M input and $25/M output tokens. Breaking changes in the Messages API: extended thinking budgets, temperature, top_p, and top_k all return 400 on non-default values — adaptive thinking is the only thinking mode now.

Q: Why do I need a security review on AI-generated code?

Because the data is brutal. Studies show AI co-authored code has 2.74x more security vulnerabilities and 75% more misconfigurations than human-written code. CodeRabbit found 70% more errors overall. Around 70% of Lovable apps ship with Row Level Security disabled. The model writes code that looks correct but trusts inputs, fails open on missing env vars, and uses Math.random for secrets. If it ships to real users, it needs a review gate.

Q: How do I run a Claude Code security review?

Run /security-review in Claude Code — it's a built-in slash command on Pro, Max, and API Console plans that scans for SQL injection, XSS, auth flaws, insecure data handling, and dependency vulnerabilities. Follow up with a focused codebase audit prompt to a security-engineer subagent. Then manually reproduce any high-confidence findings with real requests before considering the issue closed. Anthropic also ships a GitHub Action version for automatic PR review.

Q: What are the most common vulnerabilities in vibecoded code?

Seven patterns keep showing up: SSRF in scrape/fetch handlers that don't validate hostnames, fail-open auth checks that allow access when an env var is missing, Math.random for tokens and secrets instead of crypto.randomBytes, stored XSS via JSON.stringify inside dangerouslySetInnerHTML, privilege escalation when 'any authenticated user' is treated as admin, service-role DB writes from public endpoints, and secrets hardcoded in source committed to git.

Q: What do Claude Desktop parallel sessions actually give me?

Multiple Claude Code sessions in one window, each with automatic Git worktree isolation so they don't step on each other. Cmd+N (macOS) or Ctrl+N (Windows) opens a new session; Ctrl+Tab cycles. You also get drag-and-drop workspace layout, side chats (⌘+;) to branch off without polluting the main thread, visual diff review, live HTML/PDF preview, GitHub PR monitoring, and Dispatch integration from your phone. Requires Claude Desktop v1.2581.0 or later.

Q: What are the breaking API changes in Claude Opus 4.7?

In the Messages API: (1) extended thinking budgets are removed — thinking: {type: 'enabled', budget_tokens: N} returns 400, use thinking: {type: 'adaptive'} instead; (2) sampling parameters temperature, top_p, and top_k return 400 on any non-default value; (3) thinking content is omitted from responses by default — set display: 'summarized' to restore it; (4) the new tokenizer produces 1x to 1.35x tokens for the same text, so per-request cost can rise up to 35%. Claude Managed Agents users are not affected.

Claude Opus 4.7 shipped on April 16, 2026, and if you vibecode for a living you already felt the difference in the first hour. Better agentic coding. Sharper vision. Longer-horizon tool use that actually holds together for 30+ steps without you resetting the session.

I run Opus 4.7 daily and I like it. But the same day it dropped, I ran a deep security review on one of my own Next.js apps and found 11 concrete vulnerabilities — 7 HIGH, 4 MEDIUM — in code I'd merged over the last quarter. Most of them were generated with AI help. All of them were the exact failure modes this article is about.

This is the article I wish I'd had open in another tab before I shipped any of that.

What's actually new in Claude Opus 4.7

The Anthropic announcement gives you the marketing framing: stronger software engineering, higher-resolution vision, better agentic reasoning. The official "What's new" doc is where the real changes live.

Here's what matters if you build with it:

The genuinely new capabilities

High-resolution image support — maximum resolution is now 2576px / 3.75MP, up from 1568px / 1.15MP. Coordinates are 1:1 with pixels, so no more scale-factor math when you ask the model to point at UI elements.

New `xhigh` effort level — the recommended setting for coding and agentic work. `high` is the minimum for anything intelligence-sensitive.

Task budgets (beta) — set the `task-budgets-2026-03-13` header and give the model a target token count for the whole agentic loop. It sees a running countdown and scopes its work to fit. Minimum 20k tokens. Useful when you want the model to self-moderate across long tool chains.

1M token context window and 128k max output tokens carry over from 4.6.

The breaking changes nobody warns you about in the tweet thread

If you have code that calls the Messages API directly, these will 400 on you:

Extended thinking budgets are gone. `thinking: {"type": "enabled", "budget_tokens": N}` returns 400. Use `{"type": "adaptive"}` instead. Adaptive thinking is off by default on 4.7 — requests with no thinking field run without it.

Sampling parameters are gone. `temperature`, `top_p`, and `top_k` return 400 on any non-default value. Remove them entirely and use prompting to steer behavior. If you relied on `temperature: 0` for "determinism," you were never getting it anyway.

Thinking content is omitted by default — reasoning blocks still appear in the stream but their `thinking` field is empty. If your product shows reasoning to users, set `"display": "summarized"` or they'll see a long blank pause.

New tokenizer — 4.7 uses roughly 1x to 1.35x as many tokens for the same text as 4.6. Per-token pricing is unchanged, but your per-request bill can go up 30%+ on text-heavy workloads.

Managed Agents users are spared — these breaking changes only hit the Messages API.

Why every vibecoder needs a security gate

The data on vibe-coded production apps is ugly and it's getting worse.

A study cited on Wikipedia's vibe coding page found AI co-authored code has 2.74x more security vulnerabilities and 75% more misconfigurations than human-written code.

CodeRabbit found 70% more errors in AI-generated code, with the errors being more serious on average.

Beesoul's data on Lovable apps shows ~70% have Row Level Security disabled in production Supabase databases.

Trend Micro put it bluntly: *"Vibecoding rewards momentum, not scrutiny."*

Checkmarx's framing in their vibe coding security writeup matches what I see in practice: *"AI can introduce insecure logic, unsafe dependencies, weak access controls, or exposed secrets at a pace that quickly outstrips manual review."* The problem isn't the model. The problem is that speed without a review gate turns every week into a potential incident.

The seven failure modes I find every time

These are the exact bug classes I keep pulling out of vibecoded codebases — including my own. If your code has any of these patterns, fix them before you ship.

1. SSRF in scrape and fetch handlers

The pattern that burns everyone:

const res = await fetch(body.url, { redirect: "follow" });

If `body.url` is user-controlled, an attacker can hit cloud metadata endpoints, internal services on the function's egress network, or localhost ports exposed during local dev. `redirect: "follow"` is a bonus — an attacker can serve a public URL that 302s to an internal one and bypass any string-based allowlist.

Fix: reject non-`http(s)` schemes, DNS-resolve the hostname, reject private/loopback/link-local ranges (10/8, 172.16/12, 192.168/16, 169.254/16, 127/8, 100.64/10), set `redirect: "manual"`, and re-validate every hop.

2. Fail-open auth from missing env vars

function isAuthorized(req) {
  if (!process.env.CRON_SECRET) return true;  // fails OPEN
  return req.headers.get("authorization") === `Bearer ${process.env.CRON_SECRET}`;
}

This is what AI writes when your prompt says "make it work locally without the secret." In prod, if the env var is ever unset — a missed preview config, a rotation window, a new deploy — every anonymous caller becomes authorized.

Fix: fail closed. `if (!secret) return false;` with no exceptions.

3. `Math.random()` for anything that needs to be unguessable

const token = "tok_" + Array.from({length: 32}, () => chars[Math.floor(Math.random() * 36)]).join("");

V8's `Math.random()` is xorshift128+. Its internal state can be recovered from a handful of outputs using off-the-shelf tools. One leaked token → every token from the same Node process is predictable.

Fix: `crypto.randomBytes(24).toString("base64url")`. Always.

4. Stored XSS via `dangerouslySetInnerHTML` + `JSON.stringify`

tsx

<script type="application/ld+json"
  dangerouslySetInnerHTML={{__html: JSON.stringify(schema)}} />

`JSON.stringify` does not escape `</script>`. If any field in `schema` comes from AI-generated content (blog titles, descriptions, FAQ answers), a prompt-injected value in the rendered payload will execute in every reader's browser — including the admin's.

Fix: replace `<` with `\u003c` in the output: `JSON.stringify(schema).replace(/</g, "\\u003c")`. Centralize in a helper so you can't forget.

5. "Any authenticated user is an admin"

async function isAdmin(token) {
  const { data } = await supabase.auth.getUser(token);
  return !!data.user;   // anyone who signed up
}

If your Supabase project has public email signup enabled (default), this gives every stranger full admin access the moment they confirm their email.

Fix: check an explicit allowlist or role claim. `ADMIN_EMAILS` env var, `role: "admin"` in the JWT, or a membership table. Never just "valid session."

6. Service-role DB writes from unauthenticated routes

export async function POST(req) {
  const { slug } = await req.json();
  await getSupabaseAdmin()
    .from("posts").update({ view_count: 1 }).eq("slug", slug);
}

The service-role client bypasses RLS. An endpoint like this lets anyone rewrite any field for any row. The view-count example is benign — the template isn't.

Fix: use the anon client for public reads (let RLS govern), and reserve the admin client for authenticated, scoped writes.

7. Hardcoded secrets in source

// DON'T: this is what AI-generated code often looks like
const CONTENT_API_KEY = "<REDACTED_REAL_LOOKING_KEY>";

// DO: always through env
const CONTENT_API_KEY = process.env.CONTENT_API_KEY ?? "";

AI pastes a working-looking value from memory or from a doc it read during research. You commit, you push, and now the key lives forever in git history. Common prefixes to grep for before every commit: `sk_`, `pk_`, `ghp_`, `sbp_`, `AKIA`, any custom `*_*_` shape your own system issues.

Fix: every secret through `process.env.*`. Treat finding a hardcoded secret as a shipping blocker — and rotate it immediately, don't just delete it. Git history is forever.

How to run a two-pass security review

One prompt isn't enough. Here's the workflow that actually catches things.

Pass 1: `/security-review` in Claude Code

If you're on a Claude Pro, Max, or API Console plan, you already have the built-in `/security-review` slash command. Open Claude Code in your repo, type `/security-review`, and it runs a broad scan against a hardened prompt that checks for SQL injection, XSS, auth/authz flaws, insecure data handling, and dependency vulnerabilities.

There's also a GitHub Action version that runs on every pull request and leaves inline comments. If you have production repos that aren't behind this yet, set it up today.

Pass 2: a focused codebase audit prompt

The built-in command is a wide net. For anything that ships to real users, follow it with a focused prompt against a security-engineer subagent. My template:

Prompt — Copy & Paste

*Read every API route under `src/app/api/**/route.ts`. For each: what auth is required, what user input flows to the database, fetch calls, file I/O, or subprocesses, are there IDOR or mass-assignment paths, any unauthenticated write endpoints. Then grep for `dangerouslySetInnerHTML`, `eval`, `Function(`, `exec(`, `spawn(`, `child_process`, and raw `fetch(` with user input. List all database tables and their access-control state. Only report findings with a concrete attack path and ≥8/10 confidence.*

Then validate each finding in a parallel subagent before acting. False positives erode trust. Confidence below 8/10 doesn't ship to the user as a finding.

Pass 3: manual verification of the risky paths

Reproduce every high-confidence finding with a real request. Create a rogue account and test the auth bypass. Send the SSRF payload against a non-public host and watch it get blocked. Rotate any exposed keys before you close the loop.

This is the step most vibecoders skip. It's also the only one that proves the fix works.

Claude Desktop parallel sessions: why the new layout is worth learning

The redesigned Claude Code Desktop (the Code tab inside Claude Desktop) is more than a coat of paint. The headline feature is parallel sessions with automatic Git worktree isolation — you run multiple Claude sessions side by side in one window, each on its own branch, without stepping on each other.

What's actually in there:

New session: `Cmd+N` on macOS, `Ctrl+N` on Windows. Cycle through open sessions with `Ctrl+Tab` / `Ctrl+Shift+Tab`.

Drag-and-drop workspace — arrange the terminal, file editor, preview pane, diff viewer, and chat as a grid that matches your workflow. Works in both local and remote environments.

Side chats (`⌘+;`) — ask a clarifying question without polluting the main task's history. This alone changed how I work.

Visual diff review with inline comments.

Live app preview — dev server, HTML files, PDFs render inside the app.

GitHub PR monitoring with auto-fix, auto-merge, and auto-archive options.

Dispatch integration — kick off a session from your phone, continue on desktop.

Computer use on macOS and Windows for the tasks that need a real browser.

Requires Claude Desktop v1.2581.0 or later — check `Claude → Check for Updates` if you haven't seen the new layout.

The setup I actually use

One session per concern is the unlock:

Session 1 — Architecture & planning. Higher reasoning effort, no file edits, plan-mode permission. This is where I think out loud and get pushback.

Session 2 — Implementation. `xhigh` effort, auto-accept edits, scoped to the feature branch.

Session 3 — Security review. Opens after the implementation session makes changes. Runs `/security-review` and the focused audit prompt.

Side chat for every "wait, what does this library even do" question so I don't derail any of the above.

Pair that with Claude Code CLI in a real terminal for fast repo edits when I'd rather not leave the keyboard, and you have a setup that actually scales past toy projects.

The takeaway

Opus 4.7 makes vibecoding feel effortless. That's the trap. The better the first draft looks, the less likely you are to read it like an attacker would.

Three rules:

Ship faster, review harder. Every PR touching auth, inputs, network, storage, or rendering gets a security pass. No exceptions.

Two passes, not one. `/security-review` catches the obvious. A focused audit prompt with an independent subagent catches the rest. Manual verification proves the fix.

Use the new Desktop layout. Separate sessions for planning, implementation, and review. Side chats instead of context bleed. Git worktree isolation instead of branch juggling.

If you're about to ship something Claude wrote for you this week, run `/security-review` before you merge. If it flags anything in those seven categories above, treat it as a shipping-blocker until you've reproduced the fix with a real request.

Production mistakes are expensive. Security reviews are cheap. Vibe responsibly.

FAQ

What's actually new in Claude Opus 4.7 vs Opus 4.6?+

Better agentic coding, stronger software engineering on the hardest benchmarks, higher-resolution image support (up to 2576px / 3.75MP vs 1568px / 1.15MP), a new xhigh effort level, and task budgets in beta. Pricing is unchanged at $5/M input and $25/M output tokens. Breaking changes in the Messages API: extended thinking budgets, temperature, top_p, and top_k all return 400 on non-default values — adaptive thinking is the only thinking mode now.

Why do I need a security review on AI-generated code?+

Because the data is brutal. Studies show AI co-authored code has 2.74x more security vulnerabilities and 75% more misconfigurations than human-written code. CodeRabbit found 70% more errors overall. Around 70% of Lovable apps ship with Row Level Security disabled. The model writes code that looks correct but trusts inputs, fails open on missing env vars, and uses Math.random for secrets. If it ships to real users, it needs a review gate.

How do I run a Claude Code security review?+

Run /security-review in Claude Code — it's a built-in slash command on Pro, Max, and API Console plans that scans for SQL injection, XSS, auth flaws, insecure data handling, and dependency vulnerabilities. Follow up with a focused codebase audit prompt to a security-engineer subagent. Then manually reproduce any high-confidence findings with real requests before considering the issue closed. Anthropic also ships a GitHub Action version for automatic PR review.

What are the most common vulnerabilities in vibecoded code?+

Seven patterns keep showing up: SSRF in scrape/fetch handlers that don't validate hostnames, fail-open auth checks that allow access when an env var is missing, Math.random for tokens and secrets instead of crypto.randomBytes, stored XSS via JSON.stringify inside dangerouslySetInnerHTML, privilege escalation when 'any authenticated user' is treated as admin, service-role DB writes from public endpoints, and secrets hardcoded in source committed to git.

What do Claude Desktop parallel sessions actually give me?+

Multiple Claude Code sessions in one window, each with automatic Git worktree isolation so they don't step on each other. Cmd+N (macOS) or Ctrl+N (Windows) opens a new session; Ctrl+Tab cycles. You also get drag-and-drop workspace layout, side chats (⌘+;) to branch off without polluting the main thread, visual diff review, live HTML/PDF preview, GitHub PR monitoring, and Dispatch integration from your phone. Requires Claude Desktop v1.2581.0 or later.

What are the breaking API changes in Claude Opus 4.7?+

In the Messages API: (1) extended thinking budgets are removed — thinking: {type: 'enabled', budget_tokens: N} returns 400, use thinking: {type: 'adaptive'} instead; (2) sampling parameters temperature, top_p, and top_k return 400 on any non-default value; (3) thinking content is omitted from responses by default — set display: 'summarized' to restore it; (4) the new tokenizer produces 1x to 1.35x tokens for the same text, so per-request cost can rise up to 35%. Claude Managed Agents users are not affected.

✻

Back to home

Claude Opus 4.7, Vibecoding, and the Security Review You Should Be Running

What's actually new in Claude Opus 4.7

The genuinely new capabilities

The breaking changes nobody warns you about in the tweet thread

Why every vibecoder needs a security gate

The seven failure modes I find every time

1. SSRF in scrape and fetch handlers

2. Fail-open auth from missing env vars

3. `Math.random()` for anything that needs to be unguessable

4. Stored XSS via `dangerouslySetInnerHTML` + `JSON.stringify`

5. "Any authenticated user is an admin"

6. Service-role DB writes from unauthenticated routes

7. Hardcoded secrets in source

How to run a two-pass security review

Pass 1: `/security-review` in Claude Code

Pass 2: a focused codebase audit prompt

Pass 3: manual verification of the risky paths

Claude Desktop parallel sessions: why the new layout is worth learning

The setup I actually use

The takeaway

FAQ

Recommended for you

How I Built My MCP CMS With Agent Flows

Build MCP Server with TypeScript: My Practical Guide

Search Console FAQ Schema: Build a PAA Feature Fast