
The vibe-coder’s pre-launch checklist (Lovable, Bolt, Replit, v0)

A short, practical checklist before you put your AI-built app in front of real users: secrets, database rules, source exposure, headers, and payments.

You built something real with AI. Before you post it on Product Hunt, Reddit, or send it to a client, run through this:

1. No secret keys in the browser

Only public keys belong in frontend code: Supabase anon, Firebase apiKey, Stripe pk_. Anything secret — Supabase service_role, Stripe sk_live_, OpenAI/Anthropic keys, AWS keys — must be server-side only.

2. Your database has rules turned on

Supabase: enable Row Level Security on every table. Firebase: lock your Security Rules (don’t leave "test mode"). The public key is fine; open rules are not.

3. Your source isn’t downloadable

Turn off production source maps, and make sure /.env and /.git aren’t served publicly.

4. Basic security headers

Add Content-Security-Policy, HSTS, X-Frame-Options, and X-Content-Type-Options at your host/CDN.

5. Payments aren’t in test mode

If you added Stripe, confirm you’re using live keys in production and test keys in dev — not mixed up.

Items 1, 3, and 4 are checkable right now, for free, from your public URL.
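As an added example (not part of the original checklist, and not the scan the page offers), here is a pre-deploy check that covers items 1, 3 and 5 offline against your build output: it flags secret-key shapes in the bundle, decodes any JWT-shaped Supabase key to tell the allowed anon role from service_role, catches a Stripe pk_test_ key in a production build, and lists shipped source maps. The key-format regexes and the dist/ layout are assumptions; extend them for the providers you actually use.

```python
import base64
import json
import re
from pathlib import Path

# Credential shapes that must never ship in a browser bundle (item 1). The JWT
# pattern only finds candidates: Supabase anon and service_role keys look the
# same until the payload's "role" claim is decoded (the anon role is allowed).
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_or_anthropic_key": re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}"),
}
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
STRIPE_TEST_PK_RE = re.compile(r"\bpk_test_[A-Za-z0-9]{16,}")

def jwt_role(token):
    """Return the 'role' claim of a JWT without verifying it (None if not a JWT)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None

def scan_text(text, name):
    """Return (finding, location) pairs for the contents of one built file."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):  # report a prefix only, never the whole key
            findings.append((kind, f"{name}: {m.group()[:10]}..."))
    for m in JWT_RE.finditer(text):
        if jwt_role(m.group()) == "service_role":
            findings.append(("supabase_service_role_key", name))
    if STRIPE_TEST_PK_RE.search(text):  # item 5: test publishable key in a prod build
        findings.append(("stripe_test_mode_key", name))
    return findings

def scan_build_dir(dist):
    """Walk a production build directory (assumed dist/, build/ or .next/) before deploying."""
    findings = []
    for path in sorted(Path(dist).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(dist))
        if path.suffix == ".map":  # item 3: source maps must not ship to production
            findings.append(("source_map_shipped", rel))
        else:
            findings.extend(scan_text(path.read_text(errors="ignore"), rel))
    return findings
```

Run `scan_build_dir("dist")` as the last step of your build and fail the deploy if it returns anything; the Supabase anon key and Stripe pk_live_ key pass, which is the point of item 1.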

FAQ

What should I check before launching an AI-built app?
No secret keys in the browser, database rules (RLS / Firebase rules) enabled, source maps and /.env and /.git not exposed, basic security headers set, and Stripe not left in test mode.

Which Stripe key is safe in the frontend?
Only the publishable key (pk_). The secret key (sk_live_) must stay server-side.
