Anonymized · built from real scans

The state of vibe-coding.

We scan a fresh batch of public apps every day and record what we find. This is the aggregate — how many apps an AI engine can't read, how many skip basic security hygiene, how many never make their value prop clear. Anonymized, no app named, observed measurements only.

18 public apps measured
50% have no JSON-LD for AI to read
50% publish no /llms.txt
56% miss core security headers

Get Found

18 apps · median 68/100
72% have thin server-rendered text
50% have no /llms.txt
50% have no JSON-LD structured data
17% have weak heading structure
11% have AI crawlers blocked in robots.txt
6% have no Open Graph tags
0% have no clear <title>
0% have no canonical URL

Convert

17 apps · median 89/100
35% have no clear primary CTA
24% have a heavy initial page
24% have no social proof
6% have no clear above-the-fold value prop
0% have no mobile viewport
0% have heavy signup friction
0% have an unclear headline

Ship Verified

18 apps · median 86/100
56% have missing security headers
0% have an over-broad CORS policy
0% have a server secret in the client bundle
0% have no HTTPS/HSTS
0% have public source maps
0% have a public .env / .git
0% have exposed backend config

What they're built with

Detected build stack across the apps we measured — fingerprinted from real evidence (hosting, meta generators, builder scripts), never guessed.

7 Next.js
2 Framer
2 Vite
1 Lovable

of 18 measured apps · only fingerprinted stacks shown

Generated 2026-06-12 from 18 measured apps. Each percentage is the share of apps where we observed that specific issue at scan time — a measurement, not a verdict or a guarantee. Apps are discovered from public certificate-transparency logs and a curated public list; nothing here identifies an individual app.
