Source: dev.to · topic: ai-tools

The 8 most common traces AI-generated code leaves in production (and how to find them in 10 seconds)

A Berlin-based development shop has identified eight common security and quality issues consistently found in production code generated by AI coding assistants like Claude, Cursor, and v0. The most critical traces include hardcoded API keys in minified JavaScript bundles, exposed development server endpoints on live domains, and placeholder text like "I've created a modern, responsive landing page for you" left in production HTML. The team built a free scanner called Vibe Check that runs 55+ checks for these issues, including missing security headers, exposed environment files, and improperly configured session cookies.

2 min read · published Jun 4, 2026

AI coding assistants ship working code fast. But "working" and "production-ready" are two very different things. I run a small dev shop in Berlin, and over the past year we've reviewed dozens of websites built with Claude, Cursor, v0, Lovable and bolt.new. The same issues come up again and again — so consistently that you can treat them as a signature.

Here are the 8 most common traces, roughly ordered by how often we see them (and how much they hurt).

1. Hardcoded API keys in client-side JavaScript

The classic. The AI suggests const client = new OpenAI({ apiKey: "sk-..." }) in a React component, it works in the demo, and it ships. We've found AWS, Stripe, OpenAI, Anthropic and GitHub keys in minified production bundles. Anyone who opens DevTools owns your account.

Check: search your built JS for sk-, AKIA, pk_live_, ghp_.
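An added example of the search suggested above, not code from the post or from the Vibe Check scanner: it scans a built bundle for the four prefixes the post names. The sample bundle and the key-like strings in it are constructed placeholders, and the character classes and minimum token lengths after each prefix are my assumptions, chosen so that a bare "sk-" string in the code does not trigger a report. Matches are redacted so the report itself never repeats the whole secret.

```python
import re

# Constructed sample of a minified bundle; the key-like values are made-up placeholders
# that only imitate the prefixes from the article, not real credentials.
SAMPLE_BUNDLE = (
    'var a=new OpenAI({apiKey:"sk-EXAMPLE000000000000000000000000"});'
    'var b={accessKeyId:"AKIAEXAMPLE000000000",region:"eu-central-1"};'
    'Stripe("pk_live_EXAMPLE0000000000000000");'
    'fetch("/api",{headers:{Authorization:"token ghp_EXAMPLE000000000000000000000000"}});'
    'var c="sk-";var d="AKIA";'  # bare prefixes, should not be reported
)

# One pattern per prefix the article lists. The character class and minimum length
# after each prefix are assumptions chosen to suppress short false positives.
SECRET_PATTERNS = {
    "sk- secret key":        re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "AWS access key id":     re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "Stripe live key":       re.compile(r"\bpk_live_[A-Za-z0-9]{16,}"),
    "GitHub personal token": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
}

def redact(token):
    """Keep the prefix and the last four characters so a report never repeats the whole secret."""
    return token[:8] + "..." + token[-4:]

def scan_bundle(text):
    """Return [(kind, redacted_token, offset)] for every match, ordered by position in the file."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((kind, redact(m.group(0)), m.start()))
    findings.sort(key=lambda f: f[2])
    return findings

def scan_file(path):
    """Scan one built asset (for example a file under dist/assets/) from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_bundle(fh.read())

if __name__ == "__main__":
    for kind, token, offset in scan_bundle(SAMPLE_BUNDLE):
        print(f"offset {offset:5d}  {kind:22s}  {token}")
```

Run it against every file in the build output, not just the entry chunk: code splitting moves the offending constant into whichever chunk imports the SDK. Note that Stripe's pk_live_ prefix is its publishable key, which is designed to be shipped to the browser, so a hit there is lower severity than the other three and mainly worth confirming that the matching sk_live_ secret is not nearby.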

2. Dev-server artifacts on a live domain

Vite and Next.js dev servers are not web servers. They expose HMR endpoints, source maps and sometimes your whole file tree. We regularly find @vite/client references and webpack HMR handshakes on live domains — meaning someone ran npm run dev behind a reverse proxy and called it deployed.

Check: view source, look for /@vite/client or webpack-hmr.

3. AI chat text pasted into the HTML

My personal favorite. Text like "I've created a modern, responsive landing page for you…" sitting in a production <main> tag, or markdown code fences rendered as literal text. The AI's answer was pasted, not reviewed.

4. Placeholder content left in place

Lorem ipsum, test@example.com, "John Doe", +1 (555) 123-4567 — or default titles like "Vite + React" and "Get started by editing app/page.tsx". Small thing, but it tells visitors (and clients) exactly how much review happened.

5. Missing security headers

No CSP, no HSTS, no X-Frame-Options, no Referrer-Policy. AI assistants almost never add security headers unless explicitly asked, because they're configured at the server/edge level the AI never sees.

Check: curl -I yourdomain.com and count what's missing.

6. Exposed files and diagnostic endpoints

.env reachable over HTTP, .git/config browsable, phpinfo() pages, Spring /actuator, Prometheus /metrics open to the world. The AI scaffolds the app; nobody hardens the server.

7. Unprotected session cookies

Session cookies without Secure, HttpOnly or SameSite. Works fine in testing, invisible in the UI, and a real problem the day you get XSS'd.
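An added example, not the post's or Vibe Check's code, that covers both the curl -I check for the four headers and the cookie flags: it parses response headers in the shape curl -I prints, reports which of CSP, HSTS, X-Frame-Options and Referrer-Policy are absent, and flags every Set-Cookie that lacks Secure, HttpOnly or SameSite. Both header sets are constructed; the weak one sits beside a corrected one so the report for each can be compared.

```python
# Two constructed header sets in the shape `curl -I` prints; neither comes from a real host.
WEAK_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
x-powered-by: Next.js
set-cookie: session=abc123; Path=/
set-cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

HARDENED_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
set-cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

REQUIRED_HEADERS = [
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "referrer-policy",
]
REQUIRED_COOKIE_FLAGS = ["Secure", "HttpOnly", "SameSite"]

def parse_headers(raw):
    """Turn curl -I output into [(lowercase name, value)], keeping repeated headers such as Set-Cookie."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def missing_security_headers(headers):
    """Names from REQUIRED_HEADERS that never appear in the response."""
    present = {name for name, _ in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def cookie_problems(headers):
    """{cookie name: [missing flags]} for every Set-Cookie that lacks Secure, HttpOnly or SameSite."""
    problems = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}  # attribute names, case-insensitive
        missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attrs]
        if missing:
            problems[cookie_name] = missing
    return problems

def audit(raw):
    """Full report for one curl -I capture."""
    headers = parse_headers(raw)
    return {
        "missing_headers": missing_security_headers(headers),
        "cookies": cookie_problems(headers),
    }

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

Passing the captured output of curl -I for your own domain to audit() gives the same report for a real deployment. Two caveats when reading it: HSTS only does anything on an HTTPS response, so capture over https://, and a header present on the root page can still be missing on routes served by a different handler or edge rule, so check the login and API paths too.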

8. Missing legal requirements

No Impressum, no privacy policy, cookie banners without a reject button, Google Fonts loaded from Google's servers. In Germany these aren't nitpicks — they're Abmahnung material (cease-and-desist letters with real costs).

We got tired of checking all of this manually, so we built a free scanner that runs 55+ of these checks at once: Vibe Check — no signup, no data stored, results stream live. It covers everything above plus SEO, accessibility and performance basics.

Vibe coding isn't going away, and honestly, that's fine. The tools are great. But somebody — or something — still has to review what ships. What patterns have you found in AI-generated code? I'd love to add more checks.
