Your app looks great on the surface
AI tools build what you can see. The problems are below the surface.
Free self-assessment — 15 issues to check
My Code Health Score
I evaluate every codebase across five dimensions. Most AI-built applications score well on maintainability (the code runs) but poorly on security and reliability (it runs until someone pokes it).
Security
Authentication, authorisation, secrets, input validation
Architecture
Database design, API structure, separation of concerns
Performance
Query efficiency, caching, asset optimization
Reliability
Error handling, edge cases, failure recovery
Maintainability
Code organization, naming, complexity management
The 15 most common issues
API keys in client-side code
AI tools frequently place secret keys and database credentials in client-accessible files. Anyone viewing your page source can see them.
No input validation on API endpoints
AI-generated APIs often trust all incoming data. Without validation, attackers can inject SQL, access other users' data, or crash your server.
Business logic in API route handlers
AI tools tend to put everything in one file. When your route handler does validation, database queries, email sending, and response formatting, it becomes impossible to test or reuse.
No database migrations
AI tools often modify database schemas directly. Without migrations, you can't reproduce your database state, roll back changes, or deploy reliably.
N+1 database queries
The most common performance killer in AI-generated code: loading a list of items, then making a separate query for each item's related data.
No database indexes on filtered columns
AI tools create tables but rarely add indexes. Without them, every query scans the entire table. Fine with 100 rows, unusable with 100,000.
No error boundaries or fallback UI
When an API call fails or a component throws, the entire page crashes with a white screen. AI tools rarely generate error handling.
Hardcoded configuration values
URLs, feature flags, and limits scattered as string literals throughout the code. Works in development, breaks when you deploy.
500+ line components
AI tools generate everything in one file because they optimise for single-prompt output. The result is unmaintainable monoliths.
No TypeScript or loose types everywhere
AI tools often use 'any' or skip types entirely. This means your editor can't catch bugs, and refactoring becomes guesswork.
No CORS configuration
AI tools build frontends and APIs separately but rarely configure CORS headers. The first deploy to separate domains breaks every API call.
No rate limiting on public endpoints
AI-generated APIs accept unlimited requests. One bot or angry user can run up your database costs or take down your app with a simple loop.
Auth redirect loops
AI tools often misconfigure auth middleware, creating infinite redirect loops between login and protected pages. The app appears completely broken.
No production error monitoring
Without error tracking, you only learn about production bugs when users complain — or leave. AI tools never set up monitoring because they only work in development.
No automated tests
AI tools build features but never write tests. The code works today, but you have no safety net. Change one thing, silently break three others.
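For the first issue in the list above (API keys in client-side code), here is one way to check source that ships to the browser. This is an added example, not code from the original page. The rule ids and patterns are illustrative assumptions, the `NEXT_PUBLIC_` and `VITE_` prefixes are the Next.js and Vite conventions for env vars exposed to the client (neither framework is named on the page), and the sample lines are constructed.

```javascript
// Added example: heuristic scan of browser-delivered source for exposed secrets.
// Rule ids and patterns are illustrative assumptions, not a complete ruleset.
const RULES = [
  // Database URL with inline credentials: scheme://user:password@host
  { id: "db-url-with-credentials",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/'"]+:[^\s@\/'"]+@[^\s'"]+/g },
  // Next.js (NEXT_PUBLIC_) and Vite (VITE_) inline these env vars into the
  // client bundle, so a secret-sounding name behind that prefix is exposed.
  { id: "public-env-var-named-like-secret",
    re: /\b(?:NEXT_PUBLIC|VITE)_[A-Z0-9_]*(?:SECRET|PRIVATE|PASSWORD)[A-Z0-9_]*/g },
  // Secret-sounding identifier assigned a long quoted literal.
  { id: "hardcoded-secret-literal",
    re: /\b[\w$]*(?:secret|api_?key|token|password)[\w$]*\s*[:=]\s*["'`][^"'`\s]{16,}["'`]/gi },
];

// Returns one finding per match. The preview is truncated so the report
// itself does not become another copy of the secret.
function scanClientSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({ file, line: i + 1, rule: rule.id, preview: m[0].slice(0, 12) + "..." });
      }
    }
  });
  return findings;
}

// Constructed sample standing in for client-side source (all values fake).
const SAMPLE = [
  'const db = "postgres://app_user:example-password@db.example.internal:5432/app";',
  'const pay = init(import.meta.env.VITE_PAYMENT_SECRET_KEY);',
  'const config = { apiKey: "EXAMPLE0000000000000000KEY" };',
  'const siteName = "My App"; // nothing sensitive',
  'const token = process.env.SESSION_TOKEN; // env lookup, not a literal',
].join("\n");

for (const f of scanClientSource("bundle.js", SAMPLE)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.preview}`);
}
```

A match means the value is readable by anyone who loads the page. The fix is to move it behind a server-side endpoint and rotate it, not to obscure it.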
Quick self-assessment
Check off each item that's true for your codebase. Be honest — the only person you're fooling is yourself.
Want the full picture?
This page covers the top 15 issues. A Vibe Code Audit covers everything — security, architecture, performance, and reliability — with a written report and walkthrough call.