I posted recently about launching "vibe coded" apps safely, and the comments made me realise there's a bigger point here.
The scary bit isn't that people are building apps with AI.
That part is amazing.
The scary bit is that people are now able to ship production software before they've ever been exposed to the boring production lessons most developers learned the painful way.
And honestly, most of the dangerous stuff isn't advanced.
It's basic stuff like:
- API keys showing up in the browser
- no rate limiting on expensive endpoints
- admin routes left exposed
- no privacy policy
- no cookie consent
- missing security headers
- no logging
- logging too much
- returning user data the frontend doesn't need
- giant images killing load time
- inaccessible buttons and forms
- no thought given to what happens if someone actually uses the thing
The app "works" locally, so people assume it's ready.
But working locally and being ready for the internet are not the same thing.
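Two of the items on that list, exposed admin routes and over-sharing API responses, are easy to check mechanically. The script below is an added example written for this post, not code from the original or from PageLens: it audits a framework-agnostic route table (the route list, guard names such as `requireUser` and `requireRole:admin`, and the public allowlist are all constructed for the example) with a deny-by-default policy, and shows an allowlist serializer so the frontend gets the fields it renders rather than the whole database row.

```javascript
"use strict";

// Framework-agnostic route table: method, path, and the guard middleware
// attached to each route. Constructed for this example; a real app would
// derive this list from its router.
const ROUTES = [
  { method: "GET",    path: "/api/items",            guards: [] },
  { method: "POST",   path: "/api/items",            guards: ["requireUser"] },
  { method: "DELETE", path: "/api/items/:id",        guards: [] },                              // anyone can delete
  { method: "GET",    path: "/admin/users",          guards: ["requireUser"] },                 // any logged-in user
  { method: "POST",   path: "/admin/users/:id/ban",  guards: ["requireUser", "requireRole:admin"] },
  { method: "GET",    path: "/healthz",              guards: [] },
];

// Routes allowed to be reachable without a session. Anything not listed here
// and not guarded is reported, so new routes are private by default.
const PUBLIC_ALLOWLIST = new Set(["GET /healthz", "GET /api/items"]);

function auditRoutes(routes, allowlist = PUBLIC_ALLOWLIST) {
  const findings = [];
  for (const r of routes) {
    const key = `${r.method} ${r.path}`;
    const hasUser = r.guards.includes("requireUser");
    const hasAdmin = r.guards.includes("requireRole:admin");
    const mutating = ["POST", "PUT", "PATCH", "DELETE"].includes(r.method);
    if (r.path.startsWith("/admin") && !hasAdmin) {
      findings.push(`${key}: admin route without requireRole:admin`);
    } else if (mutating && !hasUser) {
      findings.push(`${key}: mutating route without authentication`);
    } else if (!hasUser && !allowlist.has(key)) {
      findings.push(`${key}: unauthenticated route not in the public allowlist`);
    }
  }
  return findings;
}

// Response shaping: the frontend gets the fields it renders, never the row.
const PUBLIC_USER_FIELDS = ["id", "displayName", "avatarUrl"];

function toPublicUser(row) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (row[field] !== undefined) out[field] = row[field];
  }
  return out;
}

// Constructed database row with the kind of columns that leak when you
// `res.json(user)` straight from the ORM.
const SAMPLE_ROW = {
  id: "u-42",
  displayName: "Alice",
  avatarUrl: "/avatars/u-42.png",
  email: "alice@example.com",
  passwordHash: "$argon2id$FAKE",
  stripeCustomerId: "cus_FAKE",
  isAdmin: false,
};

console.log(auditRoutes(ROUTES));   // two findings: the DELETE and the /admin/users GET
console.log(toPublicUser(SAMPLE_ROW)); // only id, displayName, avatarUrl
```

The useful property is the default: a route has to be named in the allowlist to be public, so a route the AI agent adds at 2am and forgets to guard shows up in the audit rather than in production.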
A few things from the comments really stood out to me.
1. Rate limiting should be near the top of the list
If your app calls OpenAI, Stripe, Google Maps, an image API, or anything that costs money per request, you need to stop people hammering it.
Otherwise one bad actor, broken bot, or exposed endpoint can turn your side project into a surprise invoice.
Prompt to try:
"Review every API route in my app and identify which endpoints need rate limiting, abuse protection, or bot protection before launch."
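As an added example (written for this post, not code from the original or from PageLens), here is a per-client token-bucket limiter with per-route costs, so a call that hits a paid model API burns more of a client's budget than a cheap database read. It assumes a single process with in-memory state, a caller-supplied client key (user id, API key id or IP), and an injectable clock; the route names and costs in `ROUTE_COST` are constructed.

```javascript
"use strict";

// Per-client token bucket. Each client gets `capacity` tokens that refill at
// `refillPerSecond`; a request is allowed only if its cost fits in the bucket.
function createRateLimiter({ capacity, refillPerSecond, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { tokens, updatedAt }

  function refill(bucket, t) {
    const elapsedSec = Math.max(0, t - bucket.updatedAt) / 1000;
    bucket.tokens = Math.min(capacity, bucket.tokens + elapsedSec * refillPerSecond);
    bucket.updatedAt = t;
  }

  // `cost` lets a paid upstream call consume more of the budget than a cheap read.
  function allow(key, cost = 1) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket) {
      bucket = { tokens: capacity, updatedAt: t };
      buckets.set(key, bucket);
    }
    refill(bucket, t);
    if (bucket.tokens >= cost) {
      bucket.tokens -= cost;
      return { allowed: true, remaining: Math.floor(bucket.tokens), retryAfterMs: 0 };
    }
    const deficit = cost - bucket.tokens;
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil((deficit / refillPerSecond) * 1000) };
  }

  return { allow };
}

// Route-level policy (constructed): which endpoints are expensive and by how much.
const ROUTE_COST = {
  "POST /api/generate": 5, // calls a paid model API
  "POST /api/geocode": 2,  // calls a maps API
  "GET /api/items": 1,     // cheap database read
};

// Framework-agnostic middleware: returns the status and headers the handler
// should send. Buckets are keyed per client and per route so one abused
// endpoint cannot starve a client's other requests.
function checkRequest(limiter, clientKey, route) {
  const cost = ROUTE_COST[route] ?? 1;
  const verdict = limiter.allow(`${clientKey}:${route}`, cost);
  if (verdict.allowed) {
    return { status: 200, headers: { "X-RateLimit-Remaining": String(verdict.remaining) } };
  }
  return { status: 429, headers: { "Retry-After": String(Math.ceil(verdict.retryAfterMs / 1000)) } };
}

// Constructed scenario: one client hammering the generate endpoint.
function demo() {
  let clock = 0;
  const limiter = createRateLimiter({ capacity: 10, refillPerSecond: 1, now: () => clock });
  const results = [];
  for (let i = 0; i < 4; i++) results.push(checkRequest(limiter, "user-42", "POST /api/generate").status);
  clock += 5000; // five seconds later: 5 tokens refilled, enough for exactly one more call
  results.push(checkRequest(limiter, "user-42", "POST /api/generate").status);
  return results; // [200, 200, 429, 429, 200]
}

console.log(demo());
```

Keying the bucket on a user id rather than only an IP matters once you have login: a single account behind a shared office or mobile-carrier address should not be able to spend the whole budget, and a logged-in abuser should not escape the limit by rotating IPs. For more than one server process, the same logic runs against a shared store such as Redis; the policy table and the 429 handling stay the same.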
2. Accessibility is not just a nice-to-have
Someone called this out and they're right.
Readable text, keyboard navigation, form labels, colour contrast, alt text, focus states — this stuff matters.
It helps real users. It helps SEO. It makes your app feel more trustworthy.
Prompt to try:
"Review my frontend for accessibility issues including keyboard navigation, screen reader support, colour contrast, missing labels, alt text, and focus states."
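To make that prompt concrete, here is an added example (written for this post, not code from the original or from PageLens) of the checks behind it: alt text, accessible names on buttons, labelled inputs, focusable links, and the WCAG 2.x contrast formula applied to body text. It runs without a browser over a tiny constructed element model (`el(tag, attrs, ...children)`), and the colour and background attributes it reads are a simplification of real CSS.

```javascript
"use strict";

// Tiny element model so the checks run without a browser or jsdom:
// { tag, attrs, children } where children are nodes or text strings.
const el = (tag, attrs = {}, ...children) => ({ tag, attrs, children });

function textOf(node) {
  if (typeof node === "string") return node.trim();
  return node.children.map(textOf).filter(Boolean).join(" ");
}

function collect(node, pred, out = []) {
  if (typeof node === "string") return out;
  if (pred(node)) out.push(node);
  for (const child of node.children) collect(child, pred, out);
  return out;
}

// WCAG 2.x relative luminance and contrast ratio for #rrggbb colours.
function relativeLuminance(hex) {
  const channel = (i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  };
  return 0.2126 * channel(1) + 0.7152 * channel(3) + 0.0722 * channel(5);
}

function contrastRatio(fg, bg) {
  const [light, dark] = [relativeLuminance(fg), relativeLuminance(bg)].sort((a, b) => b - a);
  return (light + 0.05) / (dark + 0.05);
}

// Checks: alt text, accessible names for buttons, labelled inputs, focusable
// links, and body-text contrast of at least 4.5:1 (WCAG AA).
function auditAccessibility(root) {
  const issues = [];
  const labelledIds = new Set(
    collect(root, (n) => n.tag === "label" && n.attrs.for).map((n) => n.attrs.for)
  );
  const walk = (node, insideLabel, fg, bg) => {
    if (typeof node === "string") return;
    const a = node.attrs;
    fg = a.color || fg;        // simplified inheritance of CSS colour
    bg = a.background || bg;
    if (node.tag === "img" && a.alt === undefined) issues.push(`img ${a.src}: missing alt attribute`);
    if (node.tag === "button" && !textOf(node) && !a["aria-label"]) issues.push("button: no accessible name");
    if (node.tag === "input" && a.type !== "hidden") {
      const labelled = insideLabel || a["aria-label"] || a["aria-labelledby"] || (a.id && labelledIds.has(a.id));
      if (!labelled) issues.push(`input ${a.name || a.id || "?"}: no label`);
    }
    if (node.tag === "a" && !a.href) issues.push("a: no href, so not keyboard-focusable");
    if (node.children.some((c) => typeof c === "string" && c.trim())) {
      const ratio = contrastRatio(fg, bg);
      if (ratio < 4.5) issues.push(`text "${textOf(node)}": contrast ${ratio.toFixed(2)}:1 is below 4.5:1`);
    }
    for (const child of node.children) walk(child, insideLabel || node.tag === "label", fg, bg);
  };
  walk(root, false, "#000000", "#ffffff");
  return issues;
}

// Constructed signup form with four of the problems the prompt above asks about.
const SAMPLE_PAGE = el("form", {},
  el("label", { for: "email" }, "Email"),
  el("input", { id: "email", name: "email", type: "email" }),
  el("input", { name: "promo", type: "text" }),                       // no label
  el("img", { src: "/hero.png" }),                                    // no alt
  el("button", {}, el("img", { src: "/icons/search.svg", alt: "" })), // icon-only, unnamed
  el("p", { color: "#777777" }, "Hint text in light grey"),           // 4.48:1 on white
  el("button", { type: "submit" }, "Sign up")
);

console.log(auditAccessibility(SAMPLE_PAGE));
```

The grey hint text is the one people argue about: #777777 on white comes out at 4.48:1, just under the 4.5:1 AA threshold, which is why "it looks fine to me" is not a test.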
3. Stop pasting secrets into AI chats
This one sounds obvious, but people do it.
Don't paste live API keys, database credentials, private tokens, production .env files, customer data, or anything sensitive into an AI conversation unless you fully understand where that data is going and what your company or tool policy allows.
Prompt to try:
"Review my project and tell me where secrets should be stored, which values must never be committed, and whether any sensitive values are currently exposed."
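The last part of that prompt, "whether any sensitive values are currently exposed", is something you can run as a pre-commit check rather than ask an AI about. The scanner below is an added example written for this post (not code from the original or from PageLens). It looks for well-known credential formats, for high-entropy literals assigned to secret-looking names, and for the case vibe-coded apps hit most often: a secret placed under an env-var prefix (`NEXT_PUBLIC_`, `VITE_`, `REACT_APP_`) that Next.js, Vite and Create React App inline into the browser bundle. The sample files and every value in them are constructed and fake.

```javascript
"use strict";

// Well-known credential formats (the same kind of shape patterns secret
// scanners use); shapes only, no real keys.
const KNOWN_PATTERNS = [
  { name: "stripe live secret key", re: /\bsk_live_[0-9a-zA-Z]{16,}\b/ },
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "GitHub personal access token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "private key block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Generic: an assignment to a secret-looking name with a long quoted literal.
const GENERIC_ASSIGN = /(?:secret|token|password|passwd|api_?key|private_?key)\w*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/i;

// Env-var prefixes that are inlined into the client bundle by Next.js, Vite
// and Create React App: anything under them is public by construction.
const PUBLIC_ENV_PREFIX = /^(NEXT_PUBLIC_|VITE_|REACT_APP_)/;
const SECRET_NAME = /(SECRET|PRIVATE|TOKEN|PASSWORD|API_KEY)/;

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function scanLine(path, lineNo, line) {
  const findings = [];
  for (const { name, re } of KNOWN_PATTERNS) {
    if (re.test(line)) findings.push({ path, line: lineNo, reason: name });
  }
  const m = GENERIC_ASSIGN.exec(line);
  if (m && shannonEntropy(m[1]) > 3.5) {
    findings.push({ path, line: lineNo, reason: "high-entropy value assigned to a secret-like name" });
  }
  // .env style KEY=value lines: flag secrets under a browser-exposed prefix.
  const env = /^([A-Z][A-Z0-9_]*)=(.*)$/.exec(line.trim());
  if (env && PUBLIC_ENV_PREFIX.test(env[1]) &&
      (SECRET_NAME.test(env[1]) || KNOWN_PATTERNS.some((p) => p.re.test(env[2])))) {
    findings.push({ path, line: lineNo, reason: `${env[1]} is inlined into the client bundle but looks like a secret` });
  }
  return findings;
}

// files: { [path]: contents }, the shape a pre-commit hook would feed in.
function scanForSecrets(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    contents.split("\n").forEach((line, i) => findings.push(...scanLine(path, i + 1, line)));
  }
  return findings;
}

// Constructed sample repo; every value below is fake.
const SAMPLE_FILES = {
  ".env.local": [
    "NEXT_PUBLIC_API_BASE=https://example.invalid/api",
    "NEXT_PUBLIC_OPENAI_API_KEY=sk-FAKE-constructed-value-0000",
    "DATABASE_URL=postgres://app:FAKEpass@db.internal/app",
  ].join("\n"),
  "src/billing.js": [
    "// hard-coded fallback left in by a tired developer or an eager agent",
    'const STRIPE_SECRET = "sk_live_FAKE0000000000000000000";',
  ].join("\n"),
  "src/admin.js": [
    'const ADMIN_TOKEN = "q7vDk2p9sLm4xNz8bRtW";',
  ].join("\n"),
  "server.js": [
    "// correct: the value comes from the environment at runtime",
    "const stripeKey = process.env.STRIPE_SECRET_KEY;",
  ].join("\n"),
};

const sampleFindings = scanForSecrets(SAMPLE_FILES);
for (const f of sampleFindings) console.log(`${f.path}:${f.line}: ${f.reason}`);
```

Three of the four files produce a finding; `server.js` does not, because reading `process.env` at runtime is exactly the pattern the prompt is asking you to adopt. The entropy threshold (3.5 bits per character) is a heuristic that trades some misses for fewer false alarms on ordinary strings; tune it for your codebase.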
4. Your AI coding rules are useful, but they are not magic
Cursor rules, Claude skills, project instructions, rules.md files — they're all helpful.
But don't assume they were always followed.
Context windows fill up. Agents drift. Tools make assumptions. Sometimes the AI "fixes" something by silencing the error rather than solving the problem.
So after a big change, run a separate review pass.
Prompt to try:
"Review the last set of changes as an adversary. Find three ways this could be subtly wrong, insecure, fragile, or expensive even if the app appears to work."
5. Logging is both underrated and dangerous
No logs? Good luck debugging.
Too many logs? You might be leaking emails, tokens, payment details, user data, request bodies, or internal errors.
You need useful logs, not reckless logs.
Prompt to try:
"Review my logging and error handling. Make sure I have enough logs to debug production issues, but I am not logging secrets, tokens, payment details, personal data, or sensitive request payloads."
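One way to get "useful, not reckless" is to decide the shape of the log line once and redact everything that passes through it. The code below is an added example written for this post (not code from the original or from PageLens): it drops values by sensitive key name, masks emails, bearer tokens and Luhn-valid card numbers inside free-text fields, and keeps request bodies only for failed requests. The request, header and body values are constructed.

```javascript
"use strict";

// Keys whose values are never worth logging, whatever they contain.
const SENSITIVE_KEY = /^(password|passwd|pass|secret|token|access_?token|refresh_?token|authorization|cookie|set-cookie|api_?key|card_?number|pan|cvv|cvc|ssn)$/i;

// Value-level patterns for things that hide inside free-text fields.
const BEARER = /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g;
const EMAIL = /\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b/g;
const DIGIT_RUN = /\b(?:\d[ -]?){13,19}\b/g;

// Luhn check, so a 13-digit timestamp or order id is left alone while a
// card number is masked.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

function redactString(s) {
  return s
    .replace(BEARER, "Bearer [REDACTED]")
    .replace(EMAIL, (_m, first, domain) => `${first}***@${domain}`)
    .replace(DIGIT_RUN, (run) => {
      const digits = run.replace(/[ -]/g, "");
      return luhnValid(digits) ? `[CARD ****${digits.slice(-4)}]` : run;
    });
}

// Walks nested objects and arrays; sensitive keys are dropped by name, every
// string value is scrubbed.
function redact(value, depth = 0) {
  if (depth > 20) return "[TRUNCATED]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

function pick(obj, keys) {
  const out = {};
  for (const k of keys) if (k in obj) out[k] = obj[k];
  return out;
}

// One structured line per request: enough to trace and debug, with the
// request body kept only for failures and only after redaction.
function requestLogEntry({ requestId, method, path, status, durationMs, userId, headers = {}, body }) {
  return {
    ts: new Date().toISOString(),
    level: status >= 500 ? "error" : "info",
    requestId, method, path, status, durationMs,
    userId: userId ?? null,
    headers: redact(pick(headers, ["user-agent", "content-type", "authorization"])),
    body: status >= 400 ? redact(body) : undefined,
  };
}

// Constructed failed checkout request, the kind of thing that ends up in logs verbatim.
const SAMPLE_REQUEST = {
  requestId: "req-0001",
  method: "POST",
  path: "/api/checkout",
  status: 402,
  durationMs: 120,
  userId: "u-42",
  headers: {
    "user-agent": "Mozilla/5.0",
    authorization: "Bearer eyFAKE.header.sig",
    cookie: "session=FAKESESSION",
  },
  body: {
    email: "alice@example.com",
    password: "hunter2",
    card: { number: "4242 4242 4242 4242", cvv: "123" },
    note: "receipt to alice@example.com please, order 1700000000000",
  },
};

console.log(JSON.stringify(requestLogEntry(SAMPLE_REQUEST), null, 2));
```

The key-based rule catches what you know about (`password`, `cvv`, `authorization`); the value-based rule catches what users type into fields you did not expect, like an email address and a card number in a free-text note. Both are needed, and the request id plus user id is usually all you need to follow up on a support ticket.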
6. Dependency checks are not optional
AI tools love installing packages.
Sometimes that's fine. Sometimes you end up with stale, unnecessary, vulnerable, or totally overkill dependencies.
Prompt to try:
"Audit my dependencies. Identify unused packages, risky packages, outdated versions, known vulnerabilities, and packages that could be replaced with simpler native code."
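Part of that audit is a CI gate rather than a one-off prompt. Below is an added example written for this post (not code from the original or from PageLens) with two pieces: a gate that fails the build when an audit report contains advisories at or above a chosen severity, and a simple unused-dependency check that compares `package.json` against what the source actually imports. It assumes the report follows the shape of `npm audit --json` (auditReportVersion 2, a `vulnerabilities` object keyed by package name with `name`, `severity`, `isDirect` and `fixAvailable` fields); the package names and advisories in the sample report are made up for the example.

```javascript
"use strict";

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// CI gate over an audit report. `report` is assumed to follow the shape of
// `npm audit --json` (auditReportVersion 2): a `vulnerabilities` object keyed
// by package name, each entry carrying `name`, `severity`, `isDirect` and
// `fixAvailable`. Only those four fields are read here.
function gateAudit(report, failOn = "high") {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const blocking = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { ok: blocking.length === 0, blocking };
}

// Unused-dependency heuristic: a declared dependency that no source file
// imports or requires, by package name or any subpath of it.
const IMPORT_RE = /(?:require\(\s*|from\s+|import\s+)["']([^"']+)["']/g;

function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null; // local file
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function findUnusedDependencies(pkgJson, sources) {
  const used = new Set();
  for (const contents of Object.values(sources)) {
    for (const match of contents.matchAll(IMPORT_RE)) {
      const name = packageNameOf(match[1]);
      if (name) used.add(name);
    }
  }
  return Object.keys(pkgJson.dependencies || {}).filter((dep) => !used.has(dep));
}

// Constructed inputs. The audit entries below are made up for the example and
// do not describe real advisories.
const SAMPLE_PKG = {
  dependencies: {
    express: "^4.0.0",
    lodash: "^4.0.0",
    moment: "^2.0.0",
    "@aws-sdk/client-s3": "^3.0.0",
    "left-pad": "^1.0.0",
  },
};

const SAMPLE_SOURCES = {
  "server.js": [
    'const express = require("express");',
    'const { S3Client } = require("@aws-sdk/client-s3");',
    'import pick from "lodash/pick";',
    'import "./instrument.js";',
  ].join("\n"),
};

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-template": { name: "example-template", severity: "critical", isDirect: true, fixAvailable: false },
    "example-parser": { name: "example-parser", severity: "high", isDirect: false, fixAvailable: true },
    "example-colors": { name: "example-colors", severity: "moderate", isDirect: false, fixAvailable: true },
  },
};

console.log("unused:", findUnusedDependencies(SAMPLE_PKG, SAMPLE_SOURCES)); // moment, left-pad
console.log("audit gate:", gateAudit(SAMPLE_AUDIT, "high"));                // ok: false, two blocking
```

Wire `gateAudit` to the output of your package manager's audit command in CI and the build goes red before the vulnerable version reaches production; the unused check is the part that keeps the agent's "let me just install a package for that" habit from growing the attack surface unnoticed.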
7. Performance still matters
A lot of vibe coded apps look great but quietly ship huge pages, massive images, too much JavaScript, slow database queries, and expensive third-party scripts.
The page loads fine on your machine.
That doesn't mean it loads fine on a cheap phone, weak signal, or older laptop.
Prompt to try:
"Review my app for performance issues across frontend, backend, database queries, image optimisation, JavaScript bundle size, third-party scripts, and slow API routes."
The big takeaway
Vibe coding lowers the barrier to building.
It does not remove the responsibility of shipping.
That doesn't mean everyone needs to become a senior engineer before launching an MVP. That would be ridiculous.
But before you put something live — especially if it has users, payments, login, personal data, AI credits, or database access — you need at least one proper sanity check.
Not because "real developers are better."
Not because AI coding is bad.
But because the internet is not localhost.
And once real users arrive, every shortcut becomes a potential support issue, security issue, legal issue, performance issue, or billing issue.
I'm still very bullish on vibe coding.
I just think the next stage is not "build faster."
It's "build faster without accidentally setting yourself on fire."
If you want a structured way to run that sanity check before launch, PageLens AI scans your live site across security, performance, accessibility, SEO, and UX — and gives you prioritised findings with fixes your AI agent can act on.
Run a scan before your users find the problems for you.
— Richard