Quick Answer
Your AI-built app is production ready when you can answer "yes" to these 10 questions: no hardcoded secrets, all API routes authenticated, inputs validated, dependencies patched, HTTPS working, performance score above 50, error handling in place, at least one real test, monitoring set up, and a clean diagnostic scan. Most vibe-coded apps fail 4-6 of these on the first check. The good news: every failure has a fix that takes minutes, not days.
Why This Test Exists
"It works on my machine" is not the same as "it is ready for users." AI coding tools are excellent at producing functional software - apps that compile, render, and handle the happy path. But production readiness means handling everything else: bad inputs, malicious users, network failures, expired certificates, and the thousand things that happen when real people use your app in ways you did not expect.
This test takes 5 minutes. Answer each question honestly. The ones you answer "no" to are your pre-launch checklist.
The 10 Questions
1. Are there any secrets in your source code?
What to check: Search your codebase, and its git history, for API keys, database passwords, JWT secrets, and service credentials. Look for strings starting with sk-, pk_, ghp_, or AKIA (OpenAI, Stripe, GitHub, and AWS key prefixes), and for any variable named password, secret, token, or api_key assigned a string literal. git grep covers the working tree; git log -p --all covers history, where a secret deleted in a later commit is still recoverable.
Pass: All secrets are in environment variables. .env is in .gitignore. No credentials in git history.
Fail: Any secret value appears in any source file or has ever been committed to git.
Fix time: 10-30 minutes. Move secrets to environment variables, add .env to .gitignore, and rotate any credential that was ever committed. Rewriting history (for example with git filter-repo) removes the value from your repository, but not from clones, forks, or CI logs that already saw it, so rotation is the step that actually closes the exposure.
2. Do all API routes require authentication?
What to check: Review every route definition in your backend. Check that authentication middleware sits between the route path and the handler function, either per route or via app.use(auth) registered before the routes it is meant to cover (middleware registered after a route does not apply to it).
Pass: Every route that reads or writes user data has auth middleware, and the handler behind it scopes its queries to the authenticated user rather than trusting a user id from the URL or body. Only health checks, login/signup endpoints, and genuinely public content are unprotected.
Fail: Any data-access route is accessible without authentication.
Fix time: 15-60 minutes depending on how many routes need middleware added.
3. Are all user inputs validated?
What to check: Look at every endpoint that accepts data from the client (POST, PUT, PATCH requests). Check if the request body, query parameters, and URL parameters are validated before use.
Pass: Every input is validated with a schema library (Zod, Joi, Yup) or manual type checking, and fields the endpoint does not expect are rejected or stripped so a client cannot smuggle in something like isAdmin: true. Invalid input returns a 400 error, not a 500 crash.
Fail: Any endpoint uses req.body, req.query, or req.params values directly without validation.
Fix time: 20-60 minutes. Add Zod schemas to each endpoint.
4. Are your dependencies free of known vulnerabilities?
What to check: Run npm audit in your project directory. npm audit --audit-level=high exits non-zero only for high and critical findings, which makes it usable as a CI gate.
Pass: Zero critical or high vulnerabilities. Any remaining medium/low findings have no available fix.
Fail: Critical or high vulnerabilities with patches available.
Fix time: 5-15 minutes. Run npm audit fix for patches within the version ranges your package.json already allows. Do not run npm audit fix --force without reading what it will change: it installs major versions and can break the app. Manual updates for breaking changes.
5. Is HTTPS working correctly?
What to check: Visit your app's URL with https://. Check that the certificate is valid, not expired, and covers the exact hostname users type (including www if you use it). Check that HTTP redirects to HTTPS.
Pass: Valid SSL certificate, HTTP-to-HTTPS redirect works, a Strict-Transport-Security header is sent on HTTPS responses, and no mixed content warnings in the browser console.
Fail: Certificate error, expired certificate, HTTP accessible without redirect, or mixed content (HTTP resources loaded on HTTPS page).
Fix time: 5-30 minutes. Most hosting platforms (Vercel, Netlify, Railway) provide free SSL automatically. Self-hosted apps need Let's Encrypt or a similar certificate.
6. Is your performance score acceptable?
What to check: Run a Lighthouse audit on your live URL (Chrome DevTools > Lighthouse tab, or use a service like VibeDoctor that includes it automatically).
Pass: Performance score above 50. Largest Contentful Paint under 4 seconds. No render-blocking resources that are easily fixable.
Fail: Performance score below 50, or LCP above 4 seconds.
Fix time: 30 minutes to several hours depending on the issues. Common quick wins: compress images, lazy-load below-the-fold content, remove unused JavaScript.
7. Does your app handle errors gracefully?
What to check: Try actions that will fail: submit a form with invalid data, navigate to a URL that does not exist, disconnect from the internet mid-action. Does the app show a helpful error message or crash silently?
Pass: Every failure shows a clear error message to the user, while stack traces, SQL, and file paths go to your logs and never into the response. No blank screens, no infinite spinners, no unhandled promise rejections in the console.
Fail: Any action results in a blank screen, an uncaught exception, or a silent failure where the user does not know what went wrong.
Fix time: 30-90 minutes. Add try/catch to async operations, add error boundaries to React apps, add 404 and 500 error pages.
8. Do you have at least one real test?
What to check: Look for test files in your project. Open them and check if they contain actual assertions (expect(), assert()) or are just empty shells.
Pass: At least one test file with real assertions that exercises your most critical feature (auth flow, payment processing, data storage). A good first test for Question 2: a request to a protected route without a token gets a 401, and with a valid token returns only that user's data.
Fail: No test files, or test files with empty bodies and no assertions.
Fix time: 30-60 minutes for one meaningful test.
9. Do you have monitoring in place?
What to check: Is there a service that will alert you if your app goes down? Will you know if your SSL certificate expires? Can you see runtime errors from real users?
Pass: Uptime monitoring active. SSL expiry alerts configured. Error tracking (Sentry, LogRocket, or equivalent) capturing runtime errors.
Fail: No monitoring of any kind. You find out your app is down when a user tells you.
Fix time: 15-30 minutes. Free uptime monitoring tools exist. VibeDoctor includes uptime monitoring and SSL alerts on paid plans.
10. Have you run a full diagnostic scan?
What to check: Have you run a comprehensive automated scan that checks security, code quality, dependencies, performance, and AI-specific patterns in one pass?
Pass: A full scan completed with zero critical findings. High findings reviewed and either fixed or accepted with understanding of the risk.
Fail: No scan has been run, or scan results have not been reviewed.
Fix time: 5 minutes to run the scan on VibeDoctor. Fix time varies by findings - critical issues typically take 10-30 minutes each.
Scoring Your Results
| Score | Verdict | What to Do |
|---|---|---|
| 10/10 | Production ready | Ship it. Set up continuous monitoring to stay ready. |
| 7-9/10 | Almost ready | Fix the gaps before going public. Most fixes take under 30 minutes. |
| 4-6/10 | Needs work | Common for first-time vibe-coded apps. Prioritize questions 1, 2, and 5 (secrets, auth, HTTPS). Then address the rest. |
| 0-3/10 | Not ready | Do not share this with real users yet. Spend 2-3 hours addressing the critical gaps before going live. |
The Most Common Score
Based on the apps scanned on VibeDoctor, the average first-time score for a vibe-coded app is 4-5 out of 10. The three most common failures are:
- No authentication on API routes (Question 2) - almost every AI-generated backend has at least one unprotected endpoint
- No input validation (Question 3) - AI tools rarely add schema validation unless explicitly asked
- No monitoring (Question 9) - monitoring is the last thing developers think about and the first thing they need when something breaks
The good news: all three are fixable in under an hour. The bad news: if you skip them, you will eventually find out the hard way.
After You Pass
Passing this test means your app meets the minimum bar for production. It does not mean you are done.
Production readiness is not a one-time check. Your dependencies will develop new vulnerabilities. Your SSL certificate will approach expiry. Your AI coding sessions will introduce new code that needs the same scrutiny as the original build.
Set up continuous scanning. On VibeDoctor's paid plans, every push to your GitHub repository triggers an automatic scan. Issues are caught within minutes of being introduced, not weeks later when a user reports a problem.
For the free tier, build the habit of running a scan after every coding session and before every deployment. Three scans a day is enough to catch problems early.
FAQ
My app scored 4/10. Should I be worried?
Not panicked, but definitely do not go live yet. A 4/10 is typical for a first scan of an AI-generated app. The issues are real but fixable. Spend 2-3 focused hours addressing the failures in priority order (secrets first, then auth, then the rest). Most apps reach 8/10 or higher after a single remediation session.
Can I skip questions that do not apply to my app?
Partially. If your app is purely static (no backend, no API routes), questions 2, 3, and 8 may not apply. Everything else applies to every web app regardless of architecture. Be honest about whether a question truly does not apply versus whether you just do not want to deal with it.
Is this test enough, or do I need a professional security audit?
For most solo founders and small teams, this test plus a full VibeDoctor scan covers the critical risks. A professional penetration test makes sense when you are handling sensitive data (financial, health, personal information) or when enterprise customers require it. For a typical SaaS or content app, these 10 questions catch the issues that most often get exploited in practice.
How often should I re-run this test?
After any major coding session (more than a few files changed), before any launch or promotional push, and at least once a month as a maintenance check. Automated scanning with VibeDoctor handles the continuous monitoring so you only need to manually review when the score drops.