168 checks across 16 categories

The pre-launch checklist your AI assistant won't write

Auth guards, security headers, AI key exposure, payment webhooks, mobile viewports — 168 things to verify before your app goes live. All automated. Takes 3 minutes.

No account required. Paste your URL and go.

Why manual checklists fail

Manual checklists get skipped under launch pressure. You copy one from a Twitter thread, it covers 20% of what you actually need, and the night before launch you are staring at a deploy button with seventeen items unchecked.

They go stale fast. A checklist from 2022 does not know about Supabase RLS defaults, NEXT_PUBLIC_ variable exposure, or AI endpoint rate limiting. The failure modes from AI-assisted development did not exist two years ago.

They require expertise to execute. "Check your CSP headers" is not actionable if you do not know what a CSP header is, what a secure policy looks like, or how to test it. A good checklist tells you not just what to check but whether you pass or fail.

VibeCheck automates the entire list. Paste your staging URL. Get a pass/fail on 168 checks in 3 minutes. Every failure includes a specific fix prompt you can paste into your AI assistant to resolve it.

What to check before launch

16 categories. Every check runs automatically — no manual effort required.

🔐 Authentication

  • Login redirect loop after OAuth — users stuck, never reach the app
  • Expired JWT shows blank screen instead of redirect to login
  • Admin route accessible without server-side auth check

💳 Payments

  • Stripe webhook has no signature verification — replay attacks possible
  • Payment success fires without server confirmation
  • Subscription cancellation still allows access to paid features

🗄️ Database

  • Supabase RLS disabled — all rows readable by any authenticated user
  • List endpoints return unbounded results — no pagination
  • User-supplied input passed to queries without validation

API

  • No rate limiting on public API endpoints
  • CORS wildcard (*) allows any origin to read your API
  • API errors leak stack traces and internal details to clients

🖥️ Frontend

  • Form submits without visible loading state — users click twice
  • No error boundary — one unhandled error crashes the whole page
  • Input fields missing accessible labels

📱 Mobile

  • Viewport meta tag missing — page renders at desktop width on phones
  • Touch targets smaller than 44×44px — hard to tap on mobile
  • Horizontal scroll on small screens breaks layout

🚀 Performance

  • Uncompressed images over 500KB slowing LCP
  • No caching headers on static assets
  • JavaScript bundle over 1MB — slow first load on mobile networks

🛡️ Security

  • Content-Security-Policy header missing — XSS attacks possible
  • HTTP version of the site does not redirect to HTTPS
  • X-Frame-Options missing — site embeddable in iframes for clickjacking

📧 Email

  • SPF and DKIM records not configured — emails land in spam
  • Transactional emails have no unsubscribe link
  • Email confirmation flow broken — new users never verified

🤖 AI Safety

  • OpenAI or Anthropic API key found in client-side JavaScript bundle
  • AI endpoint has no rate limiting — single user can drain monthly budget
  • Direct calls to AI provider from the browser instead of a proxy

🔍 SEO Basics

  • Page title missing or generic ("Untitled" or "My App")
  • Meta description absent — search results show random page text
  • OG image missing — links shared on Slack or Twitter show no preview

⚖️ Legal

  • No privacy policy — required in most jurisdictions
  • Cookie consent banner absent for apps using analytics or tracking
  • No terms of service linked from sign-up flow

📝 Content

  • Placeholder text like "Lorem ipsum" still present on pages
  • Favicon is the default browser icon — looks unfinished in tabs
  • Custom 404 page missing — Next.js default error page shows instead

🏭 Production Readiness

  • App running in development mode (Next.js dev server) in production
  • Source maps exposed publicly — full source code readable by anyone
  • Debug routes like /api/debug or /admin/test accessible

📊 Observability

  • No error monitoring (Sentry, Datadog) — you learn about crashes from users
  • No analytics — you have no idea if anyone is visiting or converting
  • No /health endpoint for uptime monitoring

🚀 Launch Readiness

  • No primary CTA visible above the fold without scrolling
  • Hero section uses filler copy that does not explain what the product does
  • No social proof (testimonials, user count, launch badge) on homepage

How VibeCheck automates this

01. Paste your URL

Enter your staging or preview deployment URL. No account required, no setup, no configuration. Works with any publicly accessible URL.

02. Run 168 checks

VibeCheck visits your URL with a headless browser and runs all 168 checks automatically — auth, security, performance, mobile, SEO, legal, and more.

03. Get a prioritized list

Every result is sorted by severity. CRITICAL issues are shown first. Each failure includes a specific fix prompt to paste into your AI assistant.

FAQ

How long does it take to run all 168 checks?

About 3–5 minutes. VibeCheck runs checks in parallel using a headless browser — full page loads, mobile viewport simulations, performance measurements, and security header scans all happen in a single automated pass.

Is VibeCheck free?

Yes. The web app allows up to 10 free audits per day with no account required. The GitHub Action is also free to use in your CI pipeline.

Does it work for Next.js and Vercel apps?

Yes — VibeCheck detects your stack and runs stack-specific checks. It catches Next.js-specific issues like NEXT_PUBLIC_ variable exposure, missing noindex on preview deployments, and output: export misconfigurations.

What if my app is behind a login?

You can provide test credentials to run a second authenticated pass. VibeCheck logs in with a headless browser and audits the authenticated experience — checking protected routes, dashboard layouts, and gated flows. Credentials are used once per run and never stored.

How is this different from running Lighthouse?

Lighthouse measures performance — LCP, CLS, bundle size. VibeCheck audits launch readiness — auth security, AI key exposure, Stripe webhook verification, Supabase RLS policies, legal compliance, and 150+ other checks Lighthouse doesn't touch.

Stop copying checklists from Twitter threads.

Run 168 automated checks on your app in 3 minutes. Free, no account required.