
Roy Morken

Posted on • Originally published at ismycodesafe.com

Detecting AI-Generated Code: 164 Signals and Tools (2026 Guide)

  ## Why Detection Matters

    AI-generated code and content correlate with security problems. Sites built entirely by AI tools — without human review — tend to ship with default configurations, missing security headers, exposed debug endpoints, and placeholder content that leaks information about the tech stack.




    Detection isn't about judging whether AI was used. It's about identifying patterns that indicate insufficient review. A site with Lorem Ipsum in production probably also has default admin credentials.


  ## Code Fingerprints


    - **Framework boilerplate** — Default Next.js welcome page, Create React App landing content, Vue CLI scaffolding text still present in production
    - **Console.log statements** — Debug logging left in production JavaScript bundles
    - **TODO and FIXME comments** — Visible in page source, indicating incomplete implementation
    - **Inline styles everywhere** — AI tools generate inline CSS instead of using design systems. A page with 50+ inline style attributes is a strong AI indicator.
    - **localhost references** — `http://localhost:3000` or `127.0.0.1` URLs in production code
    - **Default error messages** — "Something went wrong" or framework-default error pages with no customization
    - **Default meta tags** — "Create Next App" or "Vite App" in the page title
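
The code fingerprints listed above can be checked mechanically against your own build output before it ships. The scanner below is an added example, not code from the article or from ismycodesafe.com; the regexes, signal names and sample HTML are assumptions, and only the 50-attribute threshold comes from the list above.

```python
import re

# One regex per signal from the list above; the patterns are assumptions.
CHECKS = {
    "default_title": re.compile(r"<title>\s*(Create Next App|Vite App)\s*</title>", re.I),
    "localhost_ref": re.compile(r"https?://(localhost|127\.0\.0\.1)(:\d+)?", re.I),
    "console_log": re.compile(r"\bconsole\.log\s*\("),
    # Comment opener and marker must share a line, so "http://" alone never matches.
    "todo_fixme": re.compile(r"(<!--|//|/\*)[^\n]*\b(TODO|FIXME)\b"),
    "default_error": re.compile(r"Something went wrong", re.I),
}
INLINE_STYLE = re.compile(r"<[^>]+\sstyle\s*=", re.I)
INLINE_STYLE_THRESHOLD = 50  # "50+ inline style attributes" per the article


def scan(html):
    """Return {signal: [evidence, ...]} for every fingerprint found in html."""
    findings = {}
    for name, rx in CHECKS.items():
        hits = [m.group(0).strip() for m in rx.finditer(html)]
        if hits:
            findings[name] = hits
    styled = len(INLINE_STYLE.findall(html))
    if styled >= INLINE_STYLE_THRESHOLD:
        findings["inline_styles"] = [f"{styled} style attributes"]
    return findings


# Constructed sample page, not taken from a real site.
SAMPLE = """<!doctype html>
<html><head><title>Create Next App</title></head>
<body>
<!-- TODO: replace hero copy -->
<script>
  console.log("user", window.user);
  fetch("http://localhost:3000/api/items");
</script>
""" + "".join(f'<p style="margin:{i}px">row</p>\n' for i in range(50)) + "</body></html>"

# Constructed page with none of the signals, to show the scanner stays quiet.
CLEAN = "<html><head><title>Acme Docs</title></head><body><p>Hello</p></body></html>"

if __name__ == "__main__":
    for signal, evidence in scan(SAMPLE).items():
        print(f"{signal}: {len(evidence)} hit(s), e.g. {evidence[0]!r}")
```

Each hit is a prompt for human review of that page, not a verdict on how the code was written.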


  ## Content Fingerprints


    - **Phrase patterns** — AI-generated text reuses specific constructions: "seamlessly integrate", "cutting-edge solution", "empowering users", "at the forefront". We detect 14 common phrase patterns.
    - **Buzzword density** — Marketing jargon concentration above normal levels: "revolutionize", "transform", "game-changing" appearing multiple times on a single page
    - **Paragraph uniformity** — Human writing varies naturally in paragraph length and sentence structure. AI-generated text produces suspiciously uniform blocks.
    - **Placeholder content** — Lorem Ipsum, example.com, John Doe, 123 Main Street, (555) 123-4567


  ## Visual Fingerprints


    - **AI-generated images** — Midjourney, DALL-E, and Stable Diffusion produce images with identifiable artifacts: inconsistent lighting, warped text, extra fingers, asymmetric features in human faces
    - **Stock photo indicators** — Watermarks, Getty/Shutterstock metadata in image files
    - **Favicon missing** — AI-built sites frequently skip the favicon, showing the browser default icon


  ## Trust Signal Gaps


    Google's quality guidelines emphasize E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness). AI-generated sites typically lack:




    - An "About" page with real people and credentials
    - A "Contact" page with a physical address or real contact method
    - A privacy policy (required by GDPR for any site collecting data)
    - Author attribution on content — who wrote this and why should you trust them?
    - Terms of service




    The absence of these pages doesn't prove AI generation, but the combination of missing trust signals with other fingerprints is a strong indicator.


  ## Automated Detection


    [ismycodesafe.com](/) runs 17 AI content detection checks as part of every scan. The checks look for phrase patterns, buzzword density, placeholder content, boilerplate detection, trust signal gaps, and visual indicators. Each finding gets a severity rating, and the combined results produce an AI Content grade from A (authentic) to F (highly likely AI-generated).




    The point isn't to penalize AI usage — it's to flag sites that shipped without adequate human review. A site that scores poorly on AI content detection almost certainly has security issues too.

This article was originally published on ismycodesafe.com.
