The 8 most common traces AI-generated code leaves in production (and how to find them in 10 seconds)

A Berlin-based development shop has identified eight common security and quality issues consistently found in production code generated by AI coding assistants like Claude, Cursor, and v0. The most critical traces include hardcoded API keys in minified JavaScript bundles, exposed development server endpoints on live domains, and placeholder text like "I've created a modern, responsive landing page for you" left in production HTML. The team built a free scanner called Vibe Check that runs 55+ checks for these issues, including missing security headers, exposed environment files, and improperly configured session cookies.

AI coding assistants ship working code fast. But "working" and "production-ready" are two very different things. I run a small dev shop in Berlin, and over the past year we've reviewed dozens of websites built with Claude, Cursor, v0, Lovable and bolt.new. The same issues come up again and again — so consistently that you can treat them as a signature. Here are the 8 most common traces, roughly ordered by how often we see them and how much they hurt . The classic. The AI suggests const client = new OpenAI { apiKey: "sk-..." } in a React component, it works in the demo, and it ships. We've found AWS, Stripe, OpenAI, Anthropic and GitHub keys in minified production bundles. Anyone who opens DevTools owns your account. Check: search your built JS for sk- , AKIA , pk live , ghp . Vite and Next.js dev servers are not web servers. They expose HMR endpoints, source maps and sometimes your whole file tree. We regularly find @vite/client references and webpack HMR handshakes on live domains — meaning someone ran npm run dev behind a reverse proxy and called it deployed. Check: view source, look for /@vite/client or webpack-hmr . My personal favorite. Text like "I've created a modern, responsive landing page for you…" sitting in a production <main tag, or markdown code fences rendered as literal text. The AI's answer was pasted, not reviewed. Lorem ipsum, test@example.com , "John Doe", +1 555 123-4567 — or default titles like "Vite + React" and "Get started by editing app/page.tsx". Small thing, but it tells visitors and clients exactly how much review happened. No CSP, no HSTS, no X-Frame-Options, no Referrer-Policy. AI assistants almost never add security headers unless explicitly asked, because they're configured at the server/edge level the AI never sees. Check: curl -I yourdomain.com and count what's missing. .env reachable over HTTP, .git/config browsable, phpinfo pages, Spring /actuator , Prometheus /metrics open to the world. The AI scaffolds the app; nobody hardens the server. Session cookies without Secure , HttpOnly or SameSite . Works fine in testing, invisible in the UI, and a real problem the day you get XSS'd. No Impressum, no privacy policy, cookie banners without a reject button, Google Fonts loaded from Google's servers. In Germany these aren't nitpicks — they're Abmahnung material cease-and-desist letters with real costs . We got tired of checking all of this manually, so we built a free scanner that runs 55+ of these checks at once: Vibe Check https://techlogia.de/en/vibe-check — no signup, no data stored, results stream live. It covers everything above plus SEO, accessibility and performance basics. Vibe coding isn't going away, and honestly, that's fine. The tools are great. But somebody — or something — still has to review what ships. What patterns have you found in AI-generated code? I'd love to add more checks.