April 22, 2026

How to make vibe-coded apps reliable

A guide on how to make vibe-coded apps reliable, and how to prevent and correct the AI mistakes that could leave your software as nothing more than a toy.

Overview

Since late 2022, when ChatGPT first came out, I’ve always been against relying on these tools. Back then, they made many mistakes and poor decisions. Don’t get me wrong though, it felt really good to see them write code and save us hours of either slamming the keyboard or zoning out while looking at code. However, after extensive use, you start to spend more hours debugging code than actually writing it. And if you’ve spent enough time writing code, you’ll understand that debugging is one of the most painful activities for a developer.

Today, in 2026, we have what’s called vibe-coding, which is, in my opinion, both one of the best and worst things to ever happen. It gives everyone access to coding and the ability to make their dream apps come true, but that also means we’ll have a lot of low-quality code and security nightmares across the internet.

The problems with vibe-coding

Vibe-coding is cool, or at least it looks cool. It has sped up everything, but it has also made everything more fragile. One of the biggest downsides of vibe-coding is that it makes developers lazy. It’s not that they were never lazy before; I’m talking about the bad kind of lazy, where they don’t really check what the AI wrote before deciding whether to adopt it. They just click a sequence of “accept” buttons and keep going. That is actually addictive: vibe-coding can become an addiction because the amount of work you get done in a short period makes you feel invincible (I’m exaggerating a bit).

But this is too good to be true. With vibe-coding, you might finish a month’s work in a day, but you also sacrifice control, clean code, maintainability, security, and even your own understanding. You’ll most likely rely on AI for any future modifications to that code. So we can agree that dependence on these tools is not a good thing. Vibes are not real engineering, and these tools are not exactly cheap either.

How do we make vibe-coding more reliable?

At Mijane Technologies, we adopt various methodologies to ensure we produce high-quality software in short periods while keeping it maintainable and secure. In the rest of this post, I’ll share some of those methods so you can make your vibe-coded apps more reliable.

1. The setup

This one is pretty simple. At MT, we use Claude Code as our main coding tool, considering its popularity and ease of use. Pair it with CLAUDE.md, CONTEXT.md, and REFERENCES.md (special markdown files used to guide Claude Code’s behavior; we’ll cover them in a different post), and it becomes very powerful.

You spin up a Claude Code instance in the left-hand terminal and another empty terminal on the right side, then you’re ready for the next step.

2. Prompting

For the sake of simplicity, I’ll assume that you (the reader) have some technical background and will understand what I’m about to say.

I’m not going to give you prompt templates that you can copy and paste to make everything magically work; it doesn’t work like that. But there are a couple of points you MUST address in your prompt:

  1. Input validation against XSS and injections

     Always tell your AI tool to validate input coming from the frontend, both on the client and server side, to prevent malicious payloads from entering your database or interfering with your code.

  2. Information leakage

     This is something I notice a lot: your API returns data that is not needed on the frontend, which can expose sensitive information.

     To illustrate, here is a quick example where the API endpoint returns data it was not supposed to return:

     [screenshot: API endpoint response]

     What the AI did here is a classic beginner mistake: taking data directly from the database query, returning it to the end user, and then filtering what to display using JavaScript. That is a very bad practice and one of the most common vulnerabilities in AI-generated code.

     Always make sure to tell your AI to never send raw data from the database and to only select the columns needed for the frontend.

  3. Environment variables

     This one is important. AI often assumes your code isn’t doing anything serious unless you tell it otherwise, so it may hardcode secrets (API keys, encryption keys, passwords) directly into the code. This is a terrible practice. Always tell your AI to create a .env.example file for you to store your application’s secrets properly.

  4. Documentation

     This is also a crucial step. Always tell your AI model to document what it does in markdown files. This is especially important when switching tools or if your session loses context. You should always have something like a docs/ directory with markdown files explaining the entire app.

  5. Unit tests

     Unit tests are nothing new, and they are still as important as ever. However, if you just tell your AI to “write tests for the app,” you probably won’t get anything useful.

     Always specify what tests to write and which cases to cover. It may take more time, but it helps you stay engaged and think critically. If you don’t, the AI will likely generate tests that always pass, which is a common pattern with these tools.
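As an added example (not code from this post or from Mijane Technologies), here is the information-leakage pattern from point 2 beside a hardened version that also applies point 1 (server-side validation of the id and a parameterized query with named columns) and gives point 5 a concrete, targeted check instead of a test that always passes. The `users` table, its column names and the sample row are constructed for illustration.

```javascript
// Added example, not the post's code. Table, columns and the sample row are constructed.
// Shows the raw-row leak beside a handler that validates, selects named columns, allowlists.
// Constructed stand-in for what `SELECT * FROM users WHERE id = $1` hands back.
const RAW_USER_ROW = {
  id: 42,
  display_name: "oussama",
  avatar_url: "https://example.invalid/avatar.png",
  email: "oussama@example.invalid",
  password_hash: "$2b$12$constructed-hash-value",
  password_reset_token: "constructed-reset-token",
  is_admin: false,
};

// Fields the profile page actually renders. Nothing else should leave the server.
const PUBLIC_USER_COLUMNS = ["id", "display_name", "avatar_url"];

// Vibe-coded pattern: send the whole row and let frontend JS hide the rest.
function leakyProfileResponse(row) {
  return row; // hash, reset token and role all travel to the client
}

// Server-side validation of the id from the URL: a canonical positive integer, nothing else.
function parseUserId(raw) {
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,17}$/.test(raw)) {
    throw new RangeError("invalid user id");
  }
  return Number(raw);
}

// Name the columns instead of SELECT *, and bind the id as $1 rather than
// concatenating it. Column names come from the fixed allowlist, never the request.
function buildProfileQuery(userId) {
  const columns = PUBLIC_USER_COLUMNS.map((c) => `"${c}"`).join(", ");
  return { text: `SELECT ${columns} FROM users WHERE id = $1`, values: [userId] };
}

// Serialize only allowlisted fields, even if a wider row was fetched upstream.
function safeProfileResponse(row) {
  return Object.fromEntries(PUBLIC_USER_COLUMNS.map((c) => [c, row[c]]));
}

// Targeted unit-test helper: which response fields are off the allowlist?
function leakedFields(response, allowlist = PUBLIC_USER_COLUMNS) {
  return Object.keys(response).filter((k) => !allowlist.includes(k));
}

console.log(leakedFields(leakyProfileResponse(RAW_USER_ROW))); // → ["email","password_hash","password_reset_token","is_admin"]
console.log(leakedFields(safeProfileResponse(RAW_USER_ROW))); // → []
```

A unit test that asserts `leakedFields(...)` is empty for every endpoint response is the kind of specific test point 5 asks for: it fails the moment a later "accept" widens the serializer again.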

Of course, I can’t cover everything, but these five points alone should take you a long way.

3. Testing the product

After you’re done coding and feeling productive, it’s time to see whether the app actually works or if you just wasted your time (and resources).

One of my favorite testing habits is using Chrome DevTools. I try to be as chaotic as possible and observe what happens. This is how I find most critical vulnerabilities, instead of reading code line by line trying to guess where bugs might be.

The goal is to be as chaotic as possible when testing your app. Imagine the app was built by someone you don’t trust; you’d try to break it in every way possible. That mindset works in your favor. Here are some things I personally try:

  • Spamming buttons: To test whether rate limiting works properly.
  • Injecting malicious payloads: Try anything that comes to mind in inputs (SQL injection, XSS payloads, profanity, etc.).
  • Inspecting network traffic in DevTools: Check every request made to your server and verify that authentication and authorization are working properly.
  • Using security tools: ZAP is a good starting point to assess your app’s security. You can also use Security Headers to check your headers.

Wrap up

In conclusion, vibe-coding is not perfect. However, our practices as developers and engineers can maximize the benefits of these tools and help us use them effectively without sacrificing our app’s security or our own understanding.


Written by Oussama Bouzalim

Software Engineer at Mijane Technologies
