Hard Rules + Pitfalls
The Non-Negotiables
These are the rules that do not bend. Every vibe-coded product should follow these without exception.
1. Never Overwrite Sacred Data
Subscriber lists, analytics events, user-generated content. These are sacred. Use append-only operations. Back up before any migration. Mark sacred keys in your spec.
2. All External Links: rel="noopener" target="_blank"
Every link that leaves your domain. No exceptions. Security and UX in two attributes.
3. Server-Side Validation on Every Form
Client-side validation is a UX feature. Server-side validation is a security feature. You need both. Never trust client input.
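As an added example that is not part of the course page, here is what "never trust client input" looks like for a newsletter signup form: the request body is treated as untrusted JSON, every field is type-checked and length-bounded before use, and the handler only appends to the subscriber list. The names (`validateSubscribe`, `handleSubscribe`, the limits) are illustrative, and the Express wiring is shown only in a comment so the block runs without the package.

```javascript
// Added example (not from the course page): server-side validation for a
// newsletter signup form. The body is untrusted JSON; nothing in it is
// used until its type and length have been checked.
// `validateSubscribe` and `handleSubscribe` are hypothetical names.

const MAX_NAME = 80;
const MAX_EMAIL = 254;
// Deliberately simple: one "@", no whitespace, something on both sides.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns { ok: true, value } or { ok: false, errors }.
function validateSubscribe(body) {
  const errors = [];
  // Reject anything that is not a plain object (null, arrays, strings).
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const { email, name } = body;
  if (typeof email !== 'string') {
    errors.push('email is required');
  } else {
    const trimmed = email.trim().toLowerCase();
    if (trimmed.length > MAX_EMAIL) errors.push('email too long');
    else if (!EMAIL_RE.test(trimmed)) errors.push('email is invalid');
  }
  if (name !== undefined) {
    // A client can send an object here instead of a string; refuse it.
    if (typeof name !== 'string') errors.push('name must be a string');
    else if (name.trim().length > MAX_NAME) errors.push('name too long');
  }
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    value: { email: email.trim().toLowerCase(), name: name ? name.trim() : '' },
  };
}

// Shape of an Express handler without requiring express: returns the
// status and JSON body the route would send. `store` is the subscriber list.
function handleSubscribe(body, store) {
  const result = validateSubscribe(body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  store.push(result.value); // append-only: sacred data is never overwritten
  return { status: 201, body: { subscribed: result.value.email } };
}

// In Express this would be mounted as:
// app.post('/subscribe', express.json({ limit: '10kb' }), (req, res) => {
//   const { status, body } = handleSubscribe(req.body, subscribers);
//   res.status(status).json(body);
// });
```

The body-size limit on `express.json` is part of the same rule: a validator that only runs after a 50 MB payload has been parsed is already too late.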
4. Compression Middleware on Every Response
Use compression() in Express. Gzip every HTML, CSS, and JS response. Free performance.
5. Affiliate Links Through Tracking Endpoints
Never link directly to affiliate URLs. Route them through /go/replit or similar. Track clicks. Maintain clean analytics.
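The two link rules above (rel="noopener" target="_blank" on every external link, and affiliate URLs routed through a /go/ endpoint) can be enforced in one pass over rendered HTML rather than left to memory in every template. The following is an added example, not code from the course: `rewriteOutboundLinks` marks links that leave the site and swaps known affiliate destinations for `/go/<slug>`, and `resolveGo` is the server side of that endpoint, counting the click before redirecting. The affiliate table, the sample HTML and the function names are all constructed for the example.

```javascript
// Added example (not from the course page). Rewrites anchors in rendered HTML:
// external links get rel="noopener" target="_blank"; known affiliate URLs are
// replaced by a local /go/<slug> redirect so clicks are counted server-side.
// AFFILIATES, SAMPLE_HTML and the function names are illustrative.

// slug -> destination. Keep this table in one place (the spec or a config
// file), never scattered through templates. The destination is a placeholder.
const AFFILIATES = {
  replit: 'https://replit.com/refer/EXAMPLE-CODE',
};

// Constructed page fragment with an internal, an external and an affiliate link.
const SAMPLE_HTML =
  '<a href="/about">About</a> ' +
  '<a href="https://github.com/example/repo" target="_blank">GitHub</a> ' +
  '<a class="btn" href="https://replit.com/refer/EXAMPLE-CODE">Replit</a>';

const ANCHOR_RE = /<a\b([^>]*?)href="([^"]*)"([^>]*)>/gi;

// True only for http(s) URLs whose host differs from the site's own host.
// Relative paths, mailto:, tel: and unparseable hrefs are left untouched.
function isExternal(href, siteHost) {
  try {
    const u = new URL(href, `https://${siteHost}`);
    return (u.protocol === 'http:' || u.protocol === 'https:') && u.host !== siteHost;
  } catch {
    return false;
  }
}

function affiliateSlugFor(href) {
  for (const [slug, dest] of Object.entries(AFFILIATES)) {
    if (href.startsWith(dest)) return slug;
  }
  return null;
}

function rewriteOutboundLinks(html, siteHost) {
  return html.replace(ANCHOR_RE, (match, before, href, after) => {
    const slug = affiliateSlugFor(href);
    if (!slug && !isExternal(href, siteHost)) return match;
    const target = slug ? `/go/${slug}` : href;
    // Drop any existing rel/target so the final values are the ones we set.
    const attrs = `${before} ${after}`.replace(/\s*(rel|target)="[^"]*"/gi, '').trim();
    return `<a ${attrs ? attrs + ' ' : ''}href="${target}" rel="noopener" target="_blank">`;
  });
}

// Server side of GET /go/:slug: count the click, then redirect. In a real app
// the counter is an append-only analytics event, not an in-memory Map.
const clicks = new Map();
function resolveGo(slug) {
  const dest = AFFILIATES[slug];
  if (!dest) return { status: 404 };
  clicks.set(slug, (clicks.get(slug) || 0) + 1);
  return { status: 302, location: dest, clicks: clicks.get(slug) };
}
```

Because `/go/:slug` only redirects to entries in the table, it cannot be turned into an open redirect by a crafted slug; keep it that way rather than accepting a full URL as a query parameter.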
The Ten Pitfalls
These are the traps that quietly kill vibe-coding projects. They are not bugs. They are structural failures that compound over time.
Spec-less Building
Starting without a spec and "seeing where the AI takes it." This produces incoherent products with no structure, no consistency, and no path to completion.
Design Afterthought
Building all the features first and "making it pretty later." By then, you have 47 different font sizes, inconsistent spacing, and no visual coherence. Define the design system first.
Dependency Bloat
Adding npm packages for things you could write in 20 lines. Every dependency is a risk: it may go unmaintained, carry security vulnerabilities, ship breaking changes, and add to your bundle size.
Ignoring SEO Entirely
Building a beautiful site that Google cannot find because it is client-rendered with no meta tags, no structured data, and no sitemap. Module 4 fixes this.
No Error States
Happy path only. No loading states, no empty states, no error messages. The product works perfectly in demos and breaks everywhere else.
Filesystem Writes on Cloud
Writing to the local filesystem on Replit, Vercel, or any cloud platform. It works in dev. It disappears on deploy. Use Object Storage or a database.
No Rate Limiting
Exposing AI-powered endpoints without rate limiting. One bad actor can run up your API bill in minutes. Use express-rate-limit on every endpoint that costs money.
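To make the cost of the rule concrete, here is an added example (not from the course, and not the express-rate-limit package itself) of a sliding-window limiter with the same two knobs that library exposes, `windowMs` and `max`. The logic is written out so you can see what "20 requests per minute per client" actually does; in a real project you would install the library and mount it as the comment shows. `createRateLimiter`, `check` and the explicit clock argument are illustrative names.

```javascript
// Added example (not from the course page). In-memory sliding-window limiter
// exposing the same knobs as express-rate-limit (windowMs, max). Written out
// for illustration; in production mount the library itself, e.g.
//   app.use('/api/generate', rateLimit({ windowMs: 60_000, max: 20 }));
// `createRateLimiter`, `check` and the `now` parameter are hypothetical names.

function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // key -> timestamps of requests inside the window

  // Decide whether the request identified by `key` (typically the client IP)
  // is allowed at time `now`. Returns metadata for the response headers.
  function check(key, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= max) {
      hits.set(key, recent);
      // Oldest request in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  }

  // Express-style middleware built on check(); 429 is the status the
  // library sends as well. Only mount it on endpoints that cost money.
  function middleware(req, res, next) {
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    next();
  }

  return { check, middleware };
}
```

Two things the toy version shares with the real one: the map grows with every distinct client, so a multi-instance deployment needs a shared store, and keying on `req.ip` behind a proxy requires Express's `trust proxy` setting, otherwise every client looks like the proxy and shares one bucket.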
Hardcoded Secrets
Putting API keys in source code instead of environment variables. One public repo push and your keys are compromised.
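The fix is two habits: read every secret from the environment, and fail at startup rather than at the first request when one is missing. As an added example (not from the course), `loadConfig` below does both and `redact` shows how a key can appear in a log line without leaking it. The variable names `AI_API_KEY` and `DATABASE_URL` are assumed for the example.

```javascript
// Added example (not from the course page). Secrets come from the environment,
// startup fails fast if any are missing, and logs never see a full key.
// `REQUIRED`, `loadConfig` and `redact` are illustrative names.

// Bad (what the pitfall describes): a key baked into a file that gets pushed.
// const API_KEY = 'hardcoded-key-here';

// Good: declare what the app needs; add .env to .gitignore and set the real
// values in the platform's secrets panel or environment.
const REQUIRED = ['AI_API_KEY', 'DATABASE_URL']; // names assumed for the example

// Show just enough of a secret to tell keys apart in a log, never the whole thing.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length < 8) return '***';
  return `${secret.slice(0, 3)}...${secret.slice(-2)}`;
}

// `env` defaults to process.env; passing an object makes the loader testable
// without touching the real environment.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || !env[name].trim());
  if (missing.length) {
    // One error listing everything that is missing beats a crash per variable.
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return Object.fromEntries(REQUIRED.map((name) => [name, env[name].trim()]));
}
```

Call `loadConfig()` once at the top of the server entry point, before any route is registered, so a missing key stops the deploy instead of surfacing as a 500 later.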
No Mobile Testing
Building on a desktop and never checking mobile. More than half your traffic is mobile. Test it.
Shipping Without a Checklist
Deploying without checking meta tags, OG images, broken links, mobile layout, or accessibility. Use the Launch Checklist tool every time.