Vibecoding Master Quiz
Ten questions spanning the whole vibecoding path — the mindset, scoping, tooling, the build loop, security, shipping, and maintenance. The security questions are the ones worth getting right before you put anything on the internet. No sign-up, instant score, and you can share how you did.
-
Q1 What is vibecoding?Why
The checking step is the method, not an optional extra. 'Never looking at the code' is the caricature — and the version that reliably produces an impressive mess.
-
Q2 What are the three moves you repeat?Why
Describe, verify, iterate — on a slice small enough to check. Describing several features at once breaks the loop, because you can't tell which part failed.
-
Q3 What should exist before your first prompt?Why
The brief is both the instruction you give the AI and the thing you measure output against. Without it the app drifts feature by feature and nothing says it's off course.
-
Q4 Why pick a 'boring', popular stack?Why
Popularity in the training data is the point. Chase the newest framework and you hit confident, invented APIs you then have to debug yourself.
-
Q5 What's the minimum setup that makes vibecoding safe rather than risky?Why
Git makes every step a checkpoint, the preview shows you what was built, tests catch breakage. Skipping version control until 'later' is how a bad generation becomes unrecoverable.
-
Q6 What's the core build rhythm?Why
A slice you can't review is a slice you'll accept on faith. Committing between them means a later failure doesn't force you to untangle several changes at once.
-
Q7 What's the single most common security mistake in AI-built apps?Why
The AI 'just makes it work' by calling the paid API from the browser with the key inline. Anyone can read it — and a variable name or minification hides nothing.
-
Q8 You've added a login screen. Is the app secure?Why
AI-built apps routinely get the login right and the permission checks wrong, so any logged-in user can read anyone's records. Auth and authz are different problems.
-
Q9 Your app validates input in the browser. What's missing?Why
Client-side validation is a UX nicety, not a defence. Never trust what comes from the browser — and use parameterised queries, not user input pasted into strings.
-
Q10 'It works when I use it.' What does that prove about security?Why
You use the app as intended; an attacker doesn't. AI reliably produces code that works in a demo and is wide open in production — and the gaps come in clusters.