You described what you wanted, an AI wrote the code, and now there’s an app that does the thing. Dashboards, an internal tool, a small product. It runs. The question that brought you here is the next one: how do you put it online without it becoming a problem.
That’s a fair question to be stuck on, because it’s a different skill from the one that built the app. Tools like Lovable, Bolt, Replit, Cursor and v0 are built to get you to “it works on my screen” fast. They are not built to tell you the database is readable by anyone who asks, or that your API key is sitting in the page source for the world to copy. Those are the parts that decide whether going live is safe, and they’re exactly the parts these tools quietly skip.
What changes the moment it’s online
On your laptop, an app has an audience of one. The moment it has a public address, it has an audience of everyone, including the automated scanners that find new sites within minutes and test them for the usual mistakes. AI-built apps tend to make the same handful:
- Secrets in the open. API keys, database passwords and tokens committed straight into the code or shipped to the browser, where anyone can read them and run up your bill or reach your data.
- An open database. Permissions left at the default, so the security rules that are meant to stop one user reading another user’s records were never actually written. This is the single most common way vibe-coded apps leak.
- No real login. Admin pages and data-changing actions reachable by anyone who knows the address, because the AI built the screen and assumed someone else would add the lock.
- Old, holey packages. Dependencies pulled in at build time and never updated, carrying known vulnerabilities that are trivial to exploit.
- Costs with no ceiling. An endpoint anyone can call as often as they like, turning a usage-based bill into a nasty surprise.
None of this shows up in a demo. All of it shows up in production. The research on why AI-assisted code ships these gaps so reliably is worth reading, and we set it out with the receipts on our code cleanup page.
Tier one: review and secure deploy
The entry point is a one-off job that gets the app from “running locally” to “live and safe to leave running”.
- Review. We read the actual code and configuration and produce a written, plain-language picture of the risks: what’s exposed, what’s open, what’s urgent and what’s genuinely fine. No jargon, no scaremongering.
- Secure. We close the holes that matter. Secrets moved out of the code and into proper secret storage, database permissions tightened, logins put where they belong, dependencies brought up to date.
- Deploy. We stand it up on hosting sized to what the app does, rather than whatever the build tool defaulted to, and set up the deploy so future updates are one safe, repeatable step instead of a risky copy-paste.
You finish with an app that’s online, locked down, and yours to run, plus a short note on anything you should keep an eye on.
Tier two: we host and run it
If you’d rather not be the person responsible for keeping it up, the ongoing option folds the review and deploy into managed hosting. We host it on infrastructure we look after, apply security patches as they land, take backups, and watch it so a problem reaches us before it reaches your users. You keep ownership of the app and the accounts; we keep it healthy. Most people who go this way start with the one-off review and move across once the app is carrying real work and an outage would actually hurt.
When the review turns up something bigger
Sometimes the honest finding is that the app needs more than a tidy-up before it’s safe to launch, that the foundations won’t take real users without rework. We’ll say so plainly and show why, rather than deploy something we know will buckle. That heavier work is our code cleanup and project rescue service, and when it comes up we’ll cost the rescue against a targeted rebuild so the choice is yours, the same way we help clients weigh buy, build or integrate.
Either way, the first thing you get is a straight answer about what stands between your app and a safe launch. If you built something with AI and you’re not sure it’s ready for the open internet, get in touch and tell us what it does and where it lives now.