AI coding assistants ship working code fast. But "working" and "production-ready" are two very different things. I run a small dev shop in Berlin, and over the past year we've reviewed dozens of websites built with Claude, Cursor, v0, Lovable and bolt.new. The same issues come up again and again — so consistently that you can treat them as a signature.
Here are the 8 most common traces, roughly ordered by how often we see them (and how much they hurt).
1. API keys in the client bundle
The classic. The AI suggests const client = new OpenAI({ apiKey: "sk-..." }) in a React component, it works in the demo, and it ships. We've found AWS, Stripe, OpenAI, Anthropic and GitHub keys in minified production bundles. Anyone who opens DevTools owns your account.
Check: search your built JS for sk-, AKIA, pk_live_, ghp_.
2. Dev servers in production
Vite and Next.js dev servers are not web servers. They expose HMR endpoints, source maps and sometimes your whole file tree. We regularly find @vite/client references and webpack HMR handshakes on live domains — meaning someone ran npm run dev behind a reverse proxy and called it deployed.
Check: view source, look for /@vite/client or webpack-hmr.
3. AI conversation residue
My personal favorite. Text like "I've created a modern, responsive landing page for you…" sitting in a production <main> tag, or markdown code fences rendered as literal text. The AI's answer was pasted, not reviewed.
4. Placeholder content that never got replaced
Lorem ipsum, test@example.com, "John Doe", +1 (555) 123-4567 — or default titles like "Vite + React" and "Get started by editing app/page.tsx". Small thing, but it tells visitors (and clients) exactly how much review happened.
5. Missing security headers
No CSP, no HSTS, no X-Frame-Options, no Referrer-Policy. AI assistants almost never add security headers unless explicitly asked, because they're configured at the server/edge level the AI never sees.
Check: curl -I yourdomain.com and count what's missing.
6. Exposed dotfiles and debug endpoints
.env reachable over HTTP, .git/config browsable, phpinfo() pages, Spring /actuator, Prometheus /metrics open to the world. The AI scaffolds the app; nobody hardens the server.
7. Cookies without flags
Session cookies without Secure, HttpOnly or SameSite. Works fine in testing, invisible in the UI, and a real problem the day you get XSS'd.
8. (For German/EU sites) Legal basics missing
No Impressum, no privacy policy, cookie banners without a reject button, Google Fonts loaded from Google's servers. In Germany these aren't nitpicks — they're Abmahnung material (cease-and-desist letters with real costs).
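As an added example (not the post's own scanner), a small Node script that runs offline versions of traces 1, 2, 3, 4, 5 and 7 over artifacts you have already fetched: the page HTML, the built JS bundle and the response headers. The sample inputs are constructed; fetching the real artifacts is assumed to happen elsewhere.

```javascript
// Added example: an offline audit of fetched deploy artifacts (not the post's scanner).
// Each pattern below mirrors one of the traces listed in the post.
const SECRET_PATTERNS = [                       // trace 1: keys in the client bundle
  { id: 'openai-key', re: /\bsk-[A-Za-z0-9_-]{16,}/ },
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'stripe-live-key', re: /\bpk_live_[A-Za-z0-9]{8,}/ },
  { id: 'github-token', re: /\bghp_[A-Za-z0-9]{20,}/ },
];
const DEV_SERVER_MARKERS = ['/@vite/client', 'webpack-hmr', '__webpack_hmr']; // trace 2
const RESIDUE_MARKERS = ["I've created a modern, responsive", '`'.repeat(3)];   // trace 3
const PLACEHOLDERS = ['lorem ipsum', 'test@example.com', 'john doe',             // trace 4
  '(555) 123-4567', 'vite + react', 'app/page.tsx'];
const REQUIRED_HEADERS = ['content-security-policy', 'strict-transport-security', // trace 5
  'x-frame-options', 'referrer-policy'];

// headers: plain object of response headers; Set-Cookie may be a string or an array.
function auditSite({ html = '', bundleJs = '', headers = {} }) {
  const findings = [];
  const flag = (check, detail) => findings.push({ check, detail });
  for (const { id, re } of SECRET_PATTERNS) if (re.test(bundleJs)) flag('secret-in-bundle', id);
  for (const m of DEV_SERVER_MARKERS) if (html.includes(m)) flag('dev-server', m);
  for (const m of RESIDUE_MARKERS) if (html.includes(m)) flag('ai-residue', m);
  const lowerHtml = html.toLowerCase();
  for (const p of PLACEHOLDERS) if (lowerHtml.includes(p)) flag('placeholder', p);
  // Header names are case-insensitive, so normalise before looking them up.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  for (const name of REQUIRED_HEADERS) if (!(name in h)) flag('missing-header', name);
  for (const cookie of [].concat(h['set-cookie'] || [])) {   // trace 7: cookie flags
    const [pair, ...rest] = cookie.split(';');
    const name = pair.split('=')[0].trim();
    const attrs = rest.map(a => a.trim().toLowerCase());
    if (!attrs.includes('secure')) flag('cookie-flag', `${name} lacks Secure`);
    if (!attrs.includes('httponly')) flag('cookie-flag', `${name} lacks HttpOnly`);
    if (!attrs.some(a => a.startsWith('samesite='))) flag('cookie-flag', `${name} lacks SameSite`);
  }
  return findings;
}

// Constructed sample: a deploy showing several of the traces at once (the key is fake).
const SAMPLE = {
  html: '<script type="module" src="/@vite/client"></script>\n<title>Vite + React</title>\n' +
        "<main>I've created a modern, responsive landing page for you...</main>",
  bundleJs: 'const c=new OpenAI({apiKey:"sk-CONSTRUCTED00000000000000"});',
  headers: { 'Content-Type': 'text/html', 'Set-Cookie': ['session=abc123; Path=/'] },
};
console.table(auditSite(SAMPLE));
```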
Check your own site in ~10 seconds
We got tired of checking all of this manually, so we built a free scanner that runs 55+ of these checks at once: Vibe Check — no signup, no data stored, results stream live. It covers everything above plus SEO, accessibility and performance basics.
Vibe coding isn't going away, and honestly, that's fine. The tools are great. But somebody — or something — still has to review what ships. What patterns have you found in AI-generated code? I'd love to add more checks.