Launch Checklist for AI Startups
Built with Cursor, Lovable, Bolt, or Replit? This checklist covers the security and AI visibility items that fast-shipped apps most commonly miss — and that are most damaging to skip.
Fastest way to use this checklist
Run the free scan at aiexposuretool.com/security — it covers all Critical and High security items automatically, then run the AI Exposure Score audit at aiexposuretool.com for the AI visibility items. Both scans are free and take under 30 seconds each.
Security — Critical
Check your bundled JS for sk_live_ keys, service_role keys, and anything stored under a NEXT_PUBLIC_-prefixed variable (Next.js inlines those values into the client bundle). Any secret visible in devtools is publicly leaked.
How: Run a free security scan to detect 17 secret patterns across your JS bundles
Visit yoursite.com/.env directly. If it returns any content, your entire secrets file is public.
How: Verify manually in browser or via security scan
Supabase service_role keys bypass row-level security. Any public exposure means full database access for anyone.
How: Grep your codebase and JS bundle for 'service_role'
Stripe live secret keys (sk_live_*) must never appear in frontend code. Publishable keys (pk_live_*) are fine to expose.
How: Check bundle for sk_live_ prefix; move to server-side API route if found
Security — High
Without a CSP header, XSS attacks can inject arbitrary scripts on your pages. Missing on 78% of AI-built apps.
How: Add a Content-Security-Policy header in the headers() function of next.config.js; takes 15 minutes with a fix prompt
Without HSTS, repeat visitors can be downgraded to HTTP via SSL stripping attacks.
How: Add Strict-Transport-Security: max-age=31536000; includeSubDomains
Source maps (.js.map files) expose your original pre-minified code including comments and inline secrets.
How: Set productionBrowserSourceMaps: false in next.config.js (this is the Next.js default; confirm nothing in your config or build pipeline has turned it on)
Open AI-powered API routes can be spammed to exhaust your OpenAI/Anthropic quota. Add basic rate limiting before launch.
How: Use @upstash/ratelimit or a simple in-memory rate limiter on /api/* routes
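An added example (not code from the checklist's tool or from @upstash/ratelimit) of the "simple in-memory rate limiter" option for an AI-backed API route: a fixed-window counter per client IP, a wrapper for a Next.js pages-style API handler, and an injectable clock so the window logic can be exercised in a test. The limit, window and header names are assumptions chosen for the demo.

```javascript
// rate-limit.js -- added example; not the tool's code.
// Fixed-window counter keyed by client IP. Enough to stop a casual loop that
// would drain an OpenAI/Anthropic quota, for a single long-running process.

function createRateLimiter({ limit = 20, windowMs = 60_000, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { count, windowStart }

  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t }; // start a fresh window for this key
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - b.count),
      retryAfterSec: allowed ? 0 : Math.ceil((b.windowStart + windowMs - t) / 1000),
    };
  }

  // Drop expired buckets so the map does not grow without bound.
  function prune() {
    const t = now();
    for (const [k, b] of buckets) if (t - b.windowStart >= windowMs) buckets.delete(k);
    return buckets.size;
  }

  return { check, prune, size: () => buckets.size };
}

// Assumption: the app runs behind a proxy that sets X-Forwarded-For (Vercel does).
// The first address is the client; later ones are proxies. If no trusted proxy
// sets this header, fall back to the socket address, since the header is spoofable.
function clientKey(req) {
  const fwd = req.headers['x-forwarded-for'];
  const ip = typeof fwd === 'string' ? fwd.split(',')[0].trim() : req.socket && req.socket.remoteAddress;
  return ip || 'unknown';
}

// Wraps a pages/api handler: (req, res) => ...; returns 429 with Retry-After when over the limit.
function withRateLimit(limiter, handler) {
  return function rateLimited(req, res) {
    const r = limiter.check(clientKey(req));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return handler(req, res);
  };
}

// Example route: 10 model calls per minute per IP (assumed numbers).
const completionsLimiter = createRateLimiter({ limit: 10, windowMs: 60_000 });

const completionsHandler = withRateLimit(completionsLimiter, (req, res) => {
  // ... call the model provider here; the quota is now bounded per client ...
  return res.status(200).json({ ok: true });
});

module.exports = { createRateLimiter, clientKey, withRateLimit, completionsHandler };
```

The in-memory map lives inside one process, so on serverless platforms every cold-started instance keeps its own counters and the effective limit is higher than configured; that is the case for a shared store such as @upstash/ratelimit. The limiter also only bounds requests per client, so a cost cap at the provider remains the backstop against quota exhaustion.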
Security — Medium
Access-Control-Allow-Origin: * on routes that handle user data allows any site to make cross-origin requests with a user's cookies.
How: Set CORS to specific allowed origins for any route that processes user sessions
Check /admin, /wp-admin, /dashboard (if public), /phpmyadmin — none should return 200 without auth.
How: Verify each common admin path returns 401/403 or 404
Without frame protection, your app can be embedded in iframes for clickjacking attacks.
How: Add X-Frame-Options: SAMEORIGIN or CSP frame-ancestors 'self'
An exposed .git directory at the webroot can leak your entire commit history and all secrets ever committed.
How: Check yoursite.com/.git/HEAD — should not return 200
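The header items above (CSP and HSTS from the High section, frame protection and the CORS allow-list from this section) and the source-map setting all land in the same two places in a Next.js app, so here is one added example of a next.config.js that sets them, plus a small helper for per-origin CORS on API routes. This is example code, not the tool's fix prompt output; the CSP directives and the allowed-origin list are assumptions for the demo and must be adjusted to the hosts your app actually loads from.

```javascript
// next.config.js -- added example; not the checklist tool's code.

// Assumed starting CSP: own-origin scripts, inline styles (Next injects some),
// images from anywhere over https, API calls to own origin plus a placeholder host.
// Next.js also injects inline <script> tags; with script-src 'self' those need a
// per-request nonce (set in middleware) or the policy will block hydration, so
// ship the policy as Report-Only first and watch the console before enforcing.
const CSP_DIRECTIVES = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data: https:",
  "connect-src 'self' https://api.example.com", // placeholder: your own API hosts
  "frame-ancestors 'self'", // modern equivalent of X-Frame-Options: SAMEORIGIN
  "object-src 'none'",
  "base-uri 'self'",
];

function buildSecurityHeaders({ reportOnly = false } = {}) {
  return [
    { key: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
      value: CSP_DIRECTIVES.join('; ') },
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    { key: 'X-Frame-Options', value: 'SAMEORIGIN' }, // kept for older browsers
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
}

// Assumed allow-list for routes that handle user sessions. Browsers refuse to send
// credentials when Access-Control-Allow-Origin is "*", so a credentialed cross-origin
// route needs an explicit origin echoed back, and it must come from this list, never
// from reflecting whatever Origin the request carried.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no CORS headers at all
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's answer to another
  };
}

const nextConfig = {
  // Default is already false; this makes the choice explicit so a copied config cannot flip it silently.
  productionBrowserSourceMaps: false,
  async headers() {
    return [{
      source: '/:path*', // every page and API route
      headers: buildSecurityHeaders({ reportOnly: process.env.CSP_REPORT_ONLY === '1' }),
    }];
  },
};

module.exports = nextConfig;
```

In an API route, call corsHeadersFor(req.headers.origin) and copy the result onto the response, and handle the OPTIONS preflight the same way; the static headers() list cannot vary by request origin, which is why the CORS part is a function rather than another entry in the array. NEXT_PUBLIC_ variables are inlined into the bundle regardless of these headers, so nothing here hides a secret that was built into the client.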
AI Visibility
Ensure GPTBot, Claude-Web, PerplexityBot, OAI-SearchBot, and anthropic-ai are not disallowed. Many default templates block all bots.
How: Check /robots.txt and remove disallow rules for known AI crawler agents
llms.txt: a structured product brief for AI assistants. The highest-ROI AI visibility action you can take in under an hour.
How: Generate using AIExposureTool's free llms.txt generator or write manually following llmstxt.org spec
JSON-LD structured data gives AI assistants a machine-readable product description: name, what it does, pricing, category.
How: Add a <script type='application/ld+json'> block with SoftwareApplication schema to your root layout
Open Graph images appear when your product is shared in Slack, Discord, X, and AI interfaces. A missing or broken OG image looks unprofessional.
How: Check /api/og returns a valid 1200×630 image; verify with opengraph.xyz or similar
AI assistants parse homepage text to build their understanding of your product. Vague or jargon-heavy copy leads to wrong AI descriptions.
How: Ensure first paragraph or hero section contains a clear 1-2 sentence product description
AI assistants frequently answer pricing questions. If your pricing page requires login, AI can't tell users what you cost.
How: Ensure /pricing loads without authentication and includes actual price values
Launch Hygiene
A sitemap accelerates indexing by both search engines and AI crawlers after launch.
How: Generate sitemap.xml; submit in Google Search Console; add sitemap: entry in robots.txt
404 pages must return 404 status, not 200. 'Soft 404s' confuse crawlers and can cause pages to be deindexed or ignored.
How: Test a nonexistent URL — response code should be 404, not 200
Duplicate content (with and without trailing slash, www vs non-www) confuses search and AI crawlers about which URL is authoritative.
How: Add <link rel='canonical'> or set alternates.canonical in Next.js metadata on all key pages
Missing meta titles mean AI crawlers and search engines generate their own — often incorrectly.
How: Set export const metadata with title and description in every page.tsx
What to do right now
Run both free scans — each takes under 30 seconds and automatically checks the most expensive items to miss. Every issue comes with a copy-paste fix prompt for Claude, Cursor, ChatGPT, or Gemini.