The AI App Production Checklist: 15 Things to Fix Before You Go Live

Built an app with Cursor, Bolt, Lovable, or Claude? Before you put it in front of real users, run through this checklist. It covers security, hosting, performance, and everything else that separates a prototype from a production system.

Curated by Matt Perry, CTO

14 March 2026

Vibe coding tools like Cursor, Bolt, Lovable, and Replit have made it possible for anyone to build a working app. But "working on my machine" and "ready for paying customers" are two very different things.

This checklist covers everything you need to sort out before going live. Print it, bookmark it, share it with your developer. If you can tick off all 15, your app is ready.

Security

1. Authentication is properly implemented

AI-generated auth code often has gaps. Check that you have proper password hashing (bcrypt or argon2, not MD5 or SHA-256), session management with secure cookies, account lockout after failed attempts, and password reset flows that do not leak information about which accounts exist.

If you are using a third-party auth provider like Clerk, Auth0, or Supabase Auth, make sure you have configured it correctly. Default settings are rarely production-ready.
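The lockout and reset-flow checks from item 1, sketched as an added example (not code from any of the tools named here). `createAuth`, `findUser`, `verifyPassword`, `sendResetEmail` and `dummyHash` are hypothetical names; wire them to your own user store, bcrypt/argon2 verify function and mailer.

```javascript
// Added example. The in-memory Map is for illustration only; in production
// use a shared store with expiry so counters survive restarts and stay bounded.
const MAX_FAILURES = 5;
const LOCK_MS = 15 * 60 * 1000;
const LOGIN_FAILED = "Invalid email or password.";
const RESET_SENT = "If that address has an account, a reset link is on its way.";

function createAuth({ findUser, verifyPassword, sendResetEmail, dummyHash, now = Date.now }) {
  const attempts = new Map(); // normalised email -> { count, lockedUntil }
  const normalise = (email) => String(email).trim().toLowerCase();

  function login(email, password) {
    const key = normalise(email);
    const rec = attempts.get(key) || { count: 0, lockedUntil: 0 };
    // While locked, refuse with the same message and do not check the password.
    if (now() < rec.lockedUntil) return { ok: false, message: LOGIN_FAILED };

    const user = findUser(key);
    // Always run the hash comparison (against a dummy hash for unknown
    // accounts) so response time does not reveal whether the account exists.
    const hash = user ? user.passwordHash : dummyHash;
    const valid = verifyPassword(password, hash) && Boolean(user);
    if (valid) {
      attempts.delete(key);
      return { ok: true, userId: user.id };
    }
    // Count failures for unknown addresses too, so lockout behaves the same
    // whether or not the account exists.
    rec.count += 1;
    if (rec.count >= MAX_FAILURES) {
      rec.lockedUntil = now() + LOCK_MS;
      rec.count = 0;
    }
    attempts.set(key, rec);
    return { ok: false, message: LOGIN_FAILED };
  }

  function requestPasswordReset(email) {
    const user = findUser(normalise(email));
    if (user) sendResetEmail(user); // only real accounts receive mail
    return { ok: true, message: RESET_SENT }; // identical response either way
  }

  return { login, requestPasswordReset };
}
```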

2. API keys and secrets are not in your code

This is the most common mistake in vibe-coded apps. Search your entire codebase for any hardcoded API keys, database passwords, or secret tokens. Move them all to environment variables. Check your git history too, because if a key was ever committed, it needs to be rotated.

Use a secrets manager (AWS Secrets Manager, Azure Key Vault, or even Vercel environment variables) rather than .env files on a server.
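One way to run the codebase search from item 2, as an added example rather than code from this article. The rule set is a small illustrative sample, and the file names and values in `SAMPLE_FILES` are constructed.

```javascript
// Added example. The rules are a small illustrative set, not a complete scanner.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private-key-block", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
  // A key/secret/token/password name assigned a quoted literal of 8+ characters.
  {
    name: "hardcoded-credential",
    re: /\b\w*(?:api_?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*["'`]([^"'`\s]{8,})["'`]/i,
  },
];

// Obvious placeholders (as found in .env.example files) are not findings.
const PLACEHOLDER = /^(?:x+|changeme|your[-_].*|<.*>|\$\{.*\})$/i;

function scanText(file, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of RULES) {
      const m = re.exec(line);
      if (!m || (m[1] && PLACEHOLDER.test(m[1]))) continue;
      // Report where and which rule; never copy the secret itself into logs.
      findings.push({ file, line: i + 1, rule: name });
      break;
    }
  });
  return findings;
}

// Constructed sample input: file path -> contents. None of these values are real.
const SAMPLE_FILES = {
  "lib/db.js": 'const dbPassword = "hunter2-prod-2026";\nconst pool = connect(process.env.DATABASE_URL);',
  "lib/s3.js": 'const accessKeyId = "AKIAABCDEFGHIJKLMNOP";',
  "lib/mail.js": 'const apiKey = process.env.MAIL_API_KEY;\nconst token = "your-token-here";',
};

function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(file, text));
}

console.log(scanFiles(SAMPLE_FILES));
```

Passing the output of `git log -p` to `scanText` covers the history check as well, since a key deleted in a later commit is still readable in the earlier one.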

3. Input validation exists on the server

Client-side validation is for user experience. Server-side validation is for security. Every form field, API parameter, and URL input needs to be validated on the server. AI tools often skip this or only add client-side checks.

Pay special attention to SQL injection, cross-site scripting (XSS), and file upload vulnerabilities.
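A sketch of item 3 for a signup endpoint, added here as an example and not taken from any tool mentioned in this article. The schema, field names, table name and `handleSignup` are hypothetical; the `{ text, values }` object is the parameterised query shape accepted by node-postgres.

```javascript
// Added example: allowlist validation on the server, then a parameterised query.
const SIGNUP_SCHEMA = {
  email: (v) => typeof v === "string" && v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  displayName: (v) => typeof v === "string" && v.trim().length >= 1 && v.length <= 50,
  age: (v) => Number.isInteger(v) && v >= 13 && v <= 120,
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validate(schema, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  // Reject fields the schema does not know about (for example a client-supplied "role").
  for (const key of Object.keys(body)) {
    if (!has(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, check] of Object.entries(schema)) {
    if (!has(body, key)) errors.push(`missing field: ${key}`);
    else if (!check(body[key])) errors.push(`invalid field: ${key}`);
  }
  return { ok: errors.length === 0, errors };
}

function handleSignup(body) {
  const result = validate(SIGNUP_SCHEMA, body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  // Values travel separately from the SQL text, so input such as O'Brien is
  // stored as data and never parsed as SQL. No string concatenation.
  const query = {
    text: "INSERT INTO users (email, display_name, age) VALUES ($1, $2, $3)",
    values: [body.email, body.displayName.trim(), body.age],
  };
  return { status: 201, query };
}

// Escape on output: stored text is rendered as text, not as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
```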

4. HTTPS is enforced everywhere

Every page, every API call, every asset should be served over HTTPS. Redirect all HTTP traffic to HTTPS. Most hosting platforms handle this automatically, but verify it is actually working.

Hosting and Infrastructure

5. You have a proper hosting setup

Running your app on localhost or a free-tier hobby plan is not production hosting. You need a hosting provider that offers reliability, automatic scaling, and proper support. Vercel, Railway, Render, AWS, or Azure are all solid options depending on your stack.

Make sure you understand the costs. A surprise bill from an auto-scaling cloud provider can be painful.

6. Your database is production-grade

SQLite is fine for prototyping. For production, you need PostgreSQL, MySQL, or a managed database service. Check that you have automated backups running daily, point-in-time recovery enabled, connection pooling configured, and that your database is not publicly accessible.

7. You have a deployment pipeline

Deploying by copying files or running git push to main is not a pipeline. Set up proper CI/CD with automated tests that run before deployment, a staging environment for testing, rollback capability if something breaks, and zero-downtime deployments.

GitHub Actions, Vercel, or Railway make this straightforward.

Performance and Reliability

8. Error handling actually works

AI-generated code loves the happy path. What happens when the database is down? When an API times out? When a user submits unexpected data? Add try-catch blocks around external calls, return meaningful error messages (not stack traces) to users, and set up error tracking with a tool like Sentry or LogRocket.

9. You have monitoring and alerting

You need to know when your app breaks before your users tell you. Set up uptime monitoring (UptimeRobot is free), error rate tracking, response time monitoring, and alerts that go to your phone, not just email.

10. Page load times are acceptable

Run your app through Google Lighthouse. Aim for a performance score above 80. Common issues in vibe-coded apps include unoptimised images, missing lazy loading, excessive JavaScript bundles, and no caching headers. Fix the biggest issues first. A slow app loses users fast.

Data and Privacy

11. You comply with UK GDPR

If your app collects any personal data from UK users, you need a privacy policy that explains what you collect and why, cookie consent if you use analytics or tracking, a way for users to request their data or ask for deletion, and a record of what data you store and where.

This is not optional. The ICO can fine you up to 17.5 million pounds or 4% of annual turnover.

12. You have proper data backups

Backups are not backups until you have tested restoring from them. Set up automated daily backups, store them in a different location to your app, test a restore at least once, and document the recovery process.

User Experience

13. It works on mobile

Test your app on actual phones, not just browser dev tools. Check that touch targets are large enough, forms are usable on small screens, text is readable without zooming, and nothing is cut off or overlapping. Over 60% of web traffic is mobile. If your app does not work on phones, most people will never use it.

14. Error states and empty states are handled

What does your app show when there is no data yet? When a search returns nothing? When a network request fails? These states are invisible during development because you always have test data loaded. Go through every screen and check what happens when it is empty or broken.

15. You have a custom domain and proper branding

Your app should not live on a .vercel.app or .netlify.app subdomain. Buy a proper domain, set up DNS, and make sure your app has a favicon, proper page titles, and Open Graph meta tags for social sharing.

What to do next

If you have ticked off everything on this list, your app is in good shape to go live. If you have gaps, start with security (items 1 to 4), then hosting (5 to 7), then work through the rest.

Do not try to fix everything at once. Pick the three most critical items and sort those first. A secure, well-hosted app with a few rough edges is better than a polished app with security holes.

If you want help getting your vibe-coded app production-ready, we offer a full production readiness service that covers all 15 items on this checklist. We take what you have built and make it safe, stable, and ready for real users.
