You built something with Lovable, Bolt, Cursor, or another AI coding tool. It works, it looks good, and now you want to put it in front of real users. Before you do, run through these 12 checks covering authentication, secrets, data handling, and production readiness. Each one takes minutes to verify and could save you from a very bad day.
Go through each item. If you can confidently answer "yes, that's handled," move on. If you're not sure, that's a flag worth investigating before launch.
Authentication and Access
Who can get into your app, and what can they see once they're in? These are the most common gaps in AI-built apps.
Can someone access your app without logging in? Check if there are pages or API endpoints that work without authentication. Try opening your app's URLs in a private browser window where you're not logged in. If you can see content that should be private, anyone can.
Can users see each other's data? Try changing user IDs in URLs or API calls. If user A can see user B's information just by guessing a number in the address bar, you have a data leak that could expose every user's private information.
Is there a way to recover a lost password? Surprisingly often missing in AI-built apps. If someone forgets their password and there's no reset flow, they're locked out forever. That means lost users and support headaches from day one.
Secrets and Keys
API keys and passwords are how your app talks to other services. If they leak, someone else can run up your bill or access your data.
Are there API keys or passwords visible in your code? Check your repo for hardcoded strings that look like keys or passwords. AI tools sometimes paste credentials directly into source files instead of using environment variables. If your code is public, those keys are already compromised.
Are your API keys more powerful than they need to be? Admin keys where read-only would work. If a key only needs to read data, it shouldn't have permission to delete data. An overpowered key turns a small vulnerability into a catastrophic one.
Is your git history clean? Deleted secrets are still in old commits. Even if you removed a key from your code last week, it's still sitting in your git history where anyone with repo access can find it.
Data and Input
Your app accepts information from users. If it doesn't check what it receives, people can send it things it wasn't designed to handle.
Does your app check what users submit? Forms, file uploads, API requests, all of it. Without validation, someone can submit unexpected data that breaks your app, corrupts your database, or worse. AI tools often skip input checks entirely.
Are security decisions made on the server, not in the browser? Browser-side checks can be bypassed by anyone with basic developer tools. If your app hides an "admin" button with JavaScript but the server still accepts admin requests from anyone, the protection is an illusion.
Is sensitive data encrypted when stored? Passwords, tokens, personal information: these need to be encrypted or hashed, not stored as plain text. If your database is ever exposed, plain-text passwords mean every user account is immediately compromised.
Production Readiness
These are the finishing touches that separate a working prototype from an app that's actually safe for real users.
Are error messages safe for users to see? No stack traces, no internal paths. Detailed error messages help developers debug, but they also tell attackers exactly how your app is built and where to look for weaknesses.
Is there rate limiting on login and signup? Without it, someone can try thousands of passwords per minute. Rate limiting slows down automated attacks. Most AI tools don't add this by default, so your login page is wide open to brute-force guessing.
Are debug tools and test pages removed? Console logs, test routes, dev-only features: these are common leftovers in AI-generated code. A test route that bypasses authentication or a console log that prints user tokens can be found and exploited by anyone who opens browser developer tools.