{"slug": "the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find", "title": "The 8 most common traces AI-generated code leaves in production (and how to find them in 10 seconds)", "summary": "A Berlin-based development shop has identified eight common security and quality issues consistently found in production code generated by AI coding assistants like Claude, Cursor, and v0. The most critical traces include hardcoded API keys in minified JavaScript bundles, exposed development server endpoints on live domains, and placeholder text like \"I've created a modern, responsive landing page for you\" left in production HTML. The team built a free scanner called Vibe Check that runs 55+ checks for these issues, including missing security headers, exposed environment files, and improperly configured session cookies.", "body_md": "AI coding assistants ship working code fast. But \"working\" and \"production-ready\" are two very different things. I run a small dev shop in Berlin, and over the past year we've reviewed dozens of websites built with Claude, Cursor, v0, Lovable and bolt.new. The same issues come up again and again — so consistently that you can treat them as a signature.\n\nHere are the 8 most common traces, roughly ordered by how often we see them (and how much they hurt).\n\nThe classic. The AI suggests `const client = new OpenAI({ apiKey: \"sk-...\" })` in a React component, it works in the demo, and it ships. We've found AWS, Stripe, OpenAI, Anthropic and GitHub keys in minified production bundles. Anyone who opens DevTools owns your account.\n\n**Check:** search your built JS for `sk-`, `AKIA`, `pk_live_`, `ghp_`.\n\nVite and Next.js dev servers are not web servers. They expose HMR endpoints, source maps and sometimes your whole file tree. We regularly find `@vite/client` references and webpack HMR handshakes on live domains — meaning someone ran `npm run dev` behind a reverse proxy and called it deployed.\n\n**Check:** view source, look for `/@vite/client` or `webpack-hmr`.\n\nMy personal favorite. Text like \"I've created a modern, responsive landing page for you…\" sitting in a production `<main>` tag, or markdown code fences rendered as literal text. The AI's answer was pasted, not reviewed.\n\nLorem ipsum, `test@example.com`, \"John Doe\", `+1 (555) 123-4567` — or default titles like \"Vite + React\" and \"Get started by editing app/page.tsx\". Small thing, but it tells visitors (and clients) exactly how much review happened.\n\nNo CSP, no HSTS, no X-Frame-Options, no Referrer-Policy. AI assistants almost never add security headers unless explicitly asked, because they're configured at the server/edge level the AI never sees.\n\n**Check:** `curl -I yourdomain.com` and count what's missing.\n\n`.env` reachable over HTTP, `.git/config` browsable, `phpinfo()` pages, Spring `/actuator`, Prometheus `/metrics` open to the world. The AI scaffolds the app; nobody hardens the server.\n\nSession cookies without `Secure`, `HttpOnly` or `SameSite`. Works fine in testing, invisible in the UI, and a real problem the day you get XSS'd.\n\nNo Impressum, no privacy policy, cookie banners without a reject button, Google Fonts loaded from Google's servers. In Germany these aren't nitpicks — they're Abmahnung material (cease-and-desist letters with real costs).\n\nWe got tired of checking all of this manually, so we built a free scanner that runs 55+ of these checks at once: [Vibe Check](https://techlogia.de/en/vibe-check) — no signup, no data stored, results stream live. It covers everything above plus SEO, accessibility and performance basics.\n\nVibe coding isn't going away, and honestly, that's fine. The tools are great. But somebody — or something — still has to review what ships. What patterns have you found in AI-generated code? I'd love to add more checks.", "url": "https://wpnews.pro/news/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find", "canonical_source": "https://dev.to/techlogia-lab/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find-them-in-10-seconds-1l80", "published_at": "2026-06-04 16:21:45+00:00", "updated_at": "2026-06-04 16:43:06.057348+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", "ai-safety", "generative-ai", "large-language-models"], "entities": ["OpenAI", "Claude", "Cursor", "v0", "Lovable", "bolt.new", "AWS", "Stripe"], "alternates": {"html": "https://wpnews.pro/news/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find", "markdown": "https://wpnews.pro/news/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find.md", "text": "https://wpnews.pro/news/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find.txt", "jsonld": "https://wpnews.pro/news/the-8-most-common-traces-ai-generated-code-leaves-in-production-and-how-to-find.jsonld"}}