Before You Ship: 7 Things That Could Ruin Your Launch
ChatGPT built your app, but did it remember security? Check these before going live—or risk data breaches, crashes, and angry users.
You're about to launch. The app works. Features are done. Design looks great. You're ready to tweet about it and get users.
But wait.
Did ChatGPT or Claude remember to add HTTPS? Protect against cross-site attacks? Set up error tracking?
Probably not. And if you launch without checking, you're gambling with your users' data and your app's reputation.
Here are the 7 most common security issues in AI-generated apps—and how to fix them before launch day.
1 You're Using HTTP Instead of HTTPS
What this means: Every byte of data between your users and your server travels in plain text. Passwords, emails, credit cards: anyone between the user and your server (the coffee-shop WiFi, the ISP, a compromised router) can read it all.
Why it's bad: A hacker at Starbucks can steal login credentials in seconds. Browsers show a "Not Secure" warning that scares users away. Google ranks you lower in search.
How to fix it:
- Get a free TLS certificate from Let's Encrypt (takes about 5 minutes; "SSL certificate" is the older name for the same thing)
- If you're on Vercel, Netlify, or Railway, HTTPS is automatic
- Redirect all HTTP traffic to HTTPS, then send a Strict-Transport-Security header so browsers stop trying http:// at all
Test it: Open your site with http:// typed in front. Does it redirect, and does the final URL start with https://? If not, fix it now.
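The redirect step is the one that usually goes wrong on hosted platforms: behind a load balancer the app's own socket is plain HTTP even for HTTPS requests, so checking the socket alone redirects forever. The following is an added example, not code from the original post; it assumes an Express-style handler behind a proxy that sets X-Forwarded-Proto (Vercel, Railway, Heroku and a standard nginx config do), and TRUST_PROXY and ALLOWED_HOSTS are assumed settings for the example.

```javascript
// Added example, not code from the original post. Assumes your app runs
// behind a platform load balancer or reverse proxy that sets
// X-Forwarded-Proto. TRUST_PROXY and ALLOWED_HOSTS are assumed settings.
const TRUST_PROXY = true;
const ALLOWED_HOSTS = new Set(['app.example', 'www.app.example']);

// Returns the https:// URL to redirect to, or null if no redirect is needed.
function httpsRedirectTarget(req) {
  // Behind a proxy the socket is plain HTTP even for HTTPS requests, so
  // req.socket.encrypted alone would loop forever; use the forwarded header.
  const forwarded = TRUST_PROXY
    ? String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim()
    : '';
  const proto = forwarded || (req.socket && req.socket.encrypted ? 'https' : 'http');
  if (proto === 'https') return null;
  const host = req.headers.host;
  // Only redirect to hosts we own: the Host header is attacker-controlled,
  // and redirecting to it blindly turns the app into an open redirect.
  if (!host || !ALLOWED_HOSTS.has(host.toLowerCase())) return null;
  return `https://${host}${req.url}`;
}

// Express-style middleware: 301 to the https:// version. Pair it with a
// Strict-Transport-Security header so browsers stop using http:// at all.
function forceHttps(req, res, next) {
  const target = httpsRedirectTarget(req);
  if (target === null) return next();
  res.statusCode = 301;
  res.setHeader('Location', target);
  res.end();
}
```

Mount it before every other route (`app.use(forceHttps)`). If you serve on a non-standard port in development, add `host:port` entries to the allowlist or skip the middleware outside production.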
2 Passwords Are Stored in Plain Text
What this means: If someone gets into your database (and attackers do, all the time), they can read every user's password. Not hashed. Just sitting there, ready to be tried on every other site where those users reused the same password.
Why it's bad: When users find out, they'll never trust you again. It's also a legal problem in many places: GDPR requires appropriate security measures for personal data, and CCPA lets breach victims sue when reasonable security was missing, so fines and lawsuits can follow.
How to fix it:
- Use bcrypt, argon2, or scrypt to hash passwords before storing them; these are deliberately slow and add a random salt per password
- Never store passwords in plain text, and don't "encrypt" them either: an encryption key on the same server decrypts all of them at once
- If you're using Firebase Auth or Auth0, this is handled for you
3 No CSRF Protection on Forms
What this means: CSRF (Cross-Site Request Forgery) lets an attacker make a logged-in user's browser send requests to your site without the user's knowledge, riding on the session cookie the browser attaches automatically. Like changing their email, deleting their account, or sending money.
Why it's bad: An attacker gets your user to open a page they control while the user is logged in to your site. A hidden form on that page submits with the user's cookies, the account changes, and the user blames you.
How to fix it:
- Add CSRF tokens to every state-changing form (most frameworks have built-in support)
- For APIs, authenticate with an Authorization header (a bearer token) instead of cookies; browsers don't attach that header on their own
- Set SameSite=Lax or SameSite=Strict on your session cookie, and check the Origin header on POST requests
Easy check: If you're using Express, note that the old csurf middleware is deprecated, so pick a maintained replacement (csrf-csrf is one). For Django, CSRF protection is built in. For Next.js, use next-csrf.
4 API Keys in Your Frontend Code
What this means: Your secret API keys (Stripe, OpenAI, Firebase admin) are sitting in your JavaScript code where anyone can see them.
Why it's bad: Someone opens their browser's dev tools, finds your keys, and racks up a $10,000 bill on your OpenAI account. Or steals user data. Or shuts down your entire app.
How to fix it:
- Move every call that needs a secret key to your backend or serverless functions; the browser only ever talks to your own endpoint
- Never put secret keys in frontend code. Anything your bundler is told to expose (NEXT_PUBLIC_*, VITE_*, REACT_APP_* variables) ends up in the shipped JavaScript, .env file or not
- Keep secrets in environment variables on the server only
- Rotate any key that was ever exposed (treat it as already compromised)
🚨 Check GitHub Now
Did you commit your .env file? Bots scan GitHub 24/7 for exposed keys. If you accidentally pushed secrets, assume they're already stolen. Rotate them immediately.
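A quick way to do this check yourself, as an added example that is not code from the original post: scan your built bundle (or the files you are about to commit) for strings shaped like well-known secrets. The patterns below follow the public prefix formats of each provider (Stripe `sk_live_`/`sk_test_`, OpenAI `sk-`, AWS `AKIA`, GitHub `ghp_` and friends, PEM private keys); the sample bundle is constructed for the example and contains no real keys.

```javascript
// Added example, not code from the original post: a small secret scanner
// for build output. The patterns are the providers' public key prefixes;
// SAMPLE_BUNDLE is constructed for the example.
const SECRET_PATTERNS = [
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { name: 'OpenAI API key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // Catch-all for long opaque values assigned to suspicious names.
  { name: 'Long value assigned to a secret-looking name', re: /(?:api[_-]?key|secret|token)\s*[:=]\s*["']([A-Za-z0-9_\-]{40,})["']/gi },
];

// Scan text line by line; report type and line, never the full value.
function findLikelySecrets(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[1] || m[0];
        hits.push({
          line: i + 1,
          type: name,
          // Redact the middle so the report itself can't leak the key.
          preview: value.slice(0, 6) + '…' + value.slice(-4),
        });
      }
    }
  });
  return hits;
}

// Constructed sample of a leaked frontend bundle plus a committed .env line.
// Note the publishable key on the first line is fine in the browser and is
// not flagged; only secret-key shapes are.
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_live_ABCDEFGHIJKLMNOPQRSTUVWX");',
  'const STRIPE_SECRET = "sk_live_ABCDEFGHIJKLMNOPQRSTUVWX";',
  'headers: { Authorization: "Bearer sk-abcdefghijklmnopqrstuvwxyz123456" },',
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
].join('\n');
```

Run it over the output of your production build (for example every file under `.next/static` or `dist/`) and over `git diff --cached` before you push. A clean scan is not proof of safety, since a key built from concatenated fragments slips past pattern matching, but any hit is a key to rotate now.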
5 No Rate Limiting on Login/Signup
What this means: Someone can try to log in 10,000 times per second to guess passwords. Or spam your signup form with bots.
Why it's bad: Hackers will brute-force user accounts. Your server crashes from spam. Your hosting bill explodes. Real users can't sign up.
How to fix it:
- Limit login attempts per IP address (5 per minute is a reasonable start), and also per account, since attackers spread guesses across many IPs
- Add a CAPTCHA on signup forms (Google reCAPTCHA is free)
- Temporarily lock an account after 5 failed logins, with a lockout that grows on repeats; a permanent lock lets an attacker lock real users out on purpose
- Use services like Cloudflare or Vercel's rate limiting if you'd rather not run this yourself
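The per-IP and per-account limits above, as an added example that is not code from the original post. It is an in-memory throttle for a single process (for several servers, keep the counters in Redis or use your platform's rate limiting); the clock is injected so the behaviour can be tested without waiting a minute. The window, limit and lockout constants are assumed starting values.

```javascript
// Added example, not code from the original post. Single-process, in-memory;
// constants are assumed starting values to tune for your app.
const WINDOW_MS = 60_000;     // per-IP window
const MAX_PER_WINDOW = 5;     // attempts per IP per window
const LOCK_AFTER = 5;         // consecutive failures per account
const BASE_LOCK_MS = 60_000;  // first lockout; doubles each time, capped at an hour
const MAX_LOCK_MS = 60 * 60_000;

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.byIp = new Map();      // ip -> timestamps of attempts in the window
    this.byAccount = new Map(); // account -> { failures, lockedUntil, lockCount }
  }

  // Call BEFORE checking the password. Returns { allowed, reason, retryAfterMs }.
  check(ip, account) {
    const t = this.now();
    const recent = (this.byIp.get(ip) || []).filter(ts => t - ts < WINDOW_MS);
    this.byIp.set(ip, recent);
    if (recent.length >= MAX_PER_WINDOW) {
      return { allowed: false, reason: 'ip rate limit', retryAfterMs: WINDOW_MS - (t - recent[0]) };
    }
    const acct = this.byAccount.get(account);
    if (acct && acct.lockedUntil > t) {
      return { allowed: false, reason: 'account locked', retryAfterMs: acct.lockedUntil - t };
    }
    recent.push(t);
    return { allowed: true };
  }

  // Call AFTER the password check with the outcome.
  record(account, success) {
    if (success) {
      this.byAccount.delete(account);
      return;
    }
    const acct = this.byAccount.get(account) || { failures: 0, lockedUntil: 0, lockCount: 0 };
    acct.failures += 1;
    if (acct.failures >= LOCK_AFTER) {
      // Temporary, growing lockout: slows brute force without letting an
      // attacker permanently lock a real user out by failing on purpose.
      const lockMs = Math.min(BASE_LOCK_MS * 2 ** acct.lockCount, MAX_LOCK_MS);
      acct.lockedUntil = this.now() + lockMs;
      acct.lockCount += 1;
      acct.failures = 0;
    }
    this.byAccount.set(account, acct);
  }
}
```

Whatever `check` returns, send the client the same generic "invalid credentials" message with a 429 or 403; a distinct "account locked" response tells an attacker which usernames exist.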
6 User Input Isn't Sanitized
What this means: When users type into forms, their input goes straight into your database or gets displayed on your site—without checking if it contains malicious code.
Why it's bad: XSS (Cross-Site Scripting) attacks. An attacker types <script>stealPasswords()</script> into a comment form, and now that script runs in the browser of everyone who views the page, with their session.
How to fix it:
- Escape user input at the point you display it. React's JSX does this for text, but not for dangerouslySetInnerHTML or for user-supplied URLs in href
- Validate input on the backend: email format, max length, allowed characters (frontend validation is easily bypassed)
- Never use dangerouslySetInnerHTML with user content
- If you must allow some HTML, sanitize it with a library like DOMPurify, and do it on the server, not only in the browser
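Validation and escaping are two separate steps, and the example below (added here, not code from the original post) shows both for a comment form: a backend validator that rejects junk at the door, and an HTML escaper applied at render time in both text and attribute contexts. The inputs in the test are constructed; the limits are assumed values.

```javascript
// Added example, not code from the original post. Limits are assumed values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text nodes and quoted attribute values. Not sufficient for
// JavaScript strings, URLs or CSS; those need their own context-specific encoder.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Server-side validation: returns { ok: true, value } or { ok: false, error }.
// It does NOT strip "dangerous" characters; angle brackets are legal in a
// comment, and the escaping below makes them harmless at render time.
function validateComment(input) {
  if (typeof input !== 'object' || input === null) return { ok: false, error: 'invalid body' };
  const email = typeof input.email === 'string' ? input.email.trim() : '';
  const text = typeof input.text === 'string' ? input.text.trim() : '';
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: 'invalid email' };
  }
  if (text.length === 0 || text.length > 2000) {
    return { ok: false, error: 'comment must be 1-2000 characters' };
  }
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(text)) {
    return { ok: false, error: 'control characters not allowed' };
  }
  return { ok: true, value: { email, text } };
}

// Render without ever handing raw input to innerHTML / dangerouslySetInnerHTML.
function renderComment({ email, text }) {
  return `<li data-author="${escapeHtml(email)}">${escapeHtml(text)}</li>`;
}
```

`validateComment` accepts the `<script>` payload from the paragraph above on purpose, and `renderComment` is what makes it harmless; a rejected-characters list would block legitimate comments about HTML while still missing payloads that use no angle brackets at all (for example attribute-breaking quotes).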
7 No Security Headers
What this means: Your server isn't telling browsers how to protect your users. Things like "don't allow this site to be embedded in iframes" or "block mixed HTTP/HTTPS content."
Why it's bad: Your site is more vulnerable to clickjacking, XSS, and other attacks. You're missing easy protection that takes 2 minutes to add.
How to fix it: Add the standard security headers to your server config: Strict-Transport-Security (HTTPS only), X-Frame-Options or a Content-Security-Policy with frame-ancestors, X-Content-Type-Options: nosniff, a Content-Security-Policy, and Referrer-Policy.
Or use a library that sets them for you: helmet for Express adds a sensible default set, and Django ships SecurityMiddleware for most of them plus django-csp for Content-Security-Policy.
Want All 7 Checked Automatically?
VibeCheck scans your app for these issues and 20+ more in under 60 seconds. Know exactly what to fix before launch.
One More Thing: Test Before Launch
Even if you fix all 7 issues, things can break. Here's a quick pre-launch test:
- Try to break your own app: Type weird characters into forms (a single quote, angle brackets, a 10,000-character string). Try SQL injection. Spam the signup button.
- Check browser console: No errors? Good. Seeing warnings about mixed content or insecure cookies? Fix them.
- Test on mobile: Does HTTPS work? Can users log in? Forms submit correctly?
- Run a security scan: Use VibeCheck or another scanner to catch what you missed.
The Bottom Line
AI code assistants are incredible, but they skip the boring security stuff. That's fine—as long as you catch it before launch.
Check these 7 things now:
- HTTPS everywhere
- Hashed passwords (never plain text)
- CSRF protection on forms
- No API keys in frontend code
- Rate limiting on auth endpoints
- Sanitized user input
- Security headers enabled
Fix these, and you'll avoid the most common security disasters that kill new apps.
Ship with confidence.