VibeCoding Experiment
Experiment: Fully Entrusting Website Development to AI
We ran an experiment to see whether an AI model could develop a website entirely on its own, from the initial idea to the finished product, with no human writing any code.
Preparation
We created a detailed technical specification that included everything we needed:
The structure and appearance of the future landing page.
Security requirements.
Primary tech stack — TypeScript.
Optimization and fast page loading.
Use of provided source code for a complex graphical background effect.
We gave the AI a short briefing for each point, described exactly what needed to be implemented, and then simply observed the process.
AI Models Used
For the experiment, we relied on two advanced AI models:
ChatGPT 5
Claude Sonnet 4
Both were tasked with handling the entire development process without any direct coding from our side.
Workflow
The AI wrote all the site’s code on its own. We only intervened during the process by making a few corrections via prompts — for example, clarifying certain points or asking to adjust specific design elements.
Once the project was completed, we moved on to the main stage — security testing.
Security Test Results
A vulnerability scanner run against the finished site reported several issues that an attacker could potentially exploit:
Unsafe Content-Security-Policy headers
The policy contained the unsafe directives 'unsafe-eval' and 'unsafe-inline', as well as an overly broad object-src. With these values the policy no longer prevents injected inline or eval'd script from running, so any injection point anywhere on the site becomes arbitrary JavaScript execution in the site's origin.
Recommendation: remove the unsafe values, allow scripts only by nonce or hash, and restrict object-src (normally to 'none').
Presence of robots.txt with potentially sensitive paths
While robots.txt is not inherently a vulnerability, it can point to private sections of a website.
Recommendation: Do not rely on it as a protection mechanism and do not list confidential areas in it; protect those areas with authentication instead.
Exposure of server software and technology information
The site revealed platform and technology details in headers and code (Vercel, Vite, Google Fonts, Lucide, etc.).
This could help an attacker craft targeted attacks against specific software versions.
Recommendation: Hide such information in production (for example, strip identifying response headers such as Server and X-Powered-By and remove build-tool comments from shipped assets).
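As an added example (not code from the experiment or from either AI model), the following TypeScript shows what a practitioner would check for the CSP and header-disclosure findings above and what a hardened policy looks like: a small CSP parser and auditor that flags 'unsafe-inline', 'unsafe-eval' and a non-'none' object-src, a check for Server and X-Powered-By response headers, and helpers that produce a per-response nonce or a sha256 hash for an inline script and assemble a hardened policy. The function names, the Google Fonts hosts in the hardened policy, and the weak sample header are assumptions for illustration; the sample is constructed and is not the site's real header.

```typescript
// Added example (not the experiment's code): audit a CSP header and
// response headers for the scanner's findings, then build a hardened CSP.
import { createHash, randomBytes } from "node:crypto";

export interface Finding {
  location: string; // directive or header name
  value: string;
  reason: string;
}

// Parse "default-src 'self'; script-src 'self' 'unsafe-inline'" into
// directive -> source list. Directive names are case-insensitive.
export function parseCsp(header: string): Map<string, string[]> {
  const policy = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives fall back to default-src when they are absent.
function effective(policy: Map<string, string[]>, directive: string): string[] | undefined {
  return policy.get(directive) ?? policy.get("default-src");
}

// Flag the CSP weaknesses the scanner reported: unsafe script keywords and
// an object-src that is anything other than 'none'.
export function auditCsp(header: string): Finding[] {
  const policy = parseCsp(header);
  const findings: Finding[] = [];

  const scripts = effective(policy, "script-src") ?? [];
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scripts.includes(bad)) {
      findings.push({
        location: "script-src",
        value: bad,
        reason: `${bad} lets injected or eval'd script run in the page origin`,
      });
    }
  }
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present in
  // script-src, but leaving it in shows the policy was never really tightened.

  // object-src governs <object>/<embed>; anything broader than 'none' is a finding.
  const objects = effective(policy, "object-src");
  if (!objects || objects.length !== 1 || objects[0] !== "'none'") {
    findings.push({
      location: "object-src",
      value: objects?.join(" ") ?? "(unset)",
      reason: "should be 'none' so plugin content cannot be loaded",
    });
  }
  return findings;
}

// Flag response headers that fingerprint the platform or framework.
export function auditDisclosureHeaders(headers: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key === "server" || key === "x-powered-by") {
      findings.push({ location: key, value, reason: "reveals server software to an attacker" });
    }
  }
  return findings;
}

// Per-response nonce: 128 bits from a CSPRNG, base64 as the CSP spec expects.
// It must be generated fresh for every response and echoed in each <script nonce="...">.
export function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Hash source for an inline <script> body, the option for static builds where a
// per-response nonce is not available. The body must match byte for byte.
export function hashSource(scriptBody: string): string {
  const digest = createHash("sha256").update(scriptBody, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Hardened policy: no unsafe keywords, plugins blocked, inline scripts allowed
// only by nonce or hash. Google Fonts hosts assumed because the site used them.
export function buildHardenedCsp(nonce: string, inlineHashes: string[] = []): string {
  const scriptSources = ["'self'", `'nonce-${nonce}'`, ...inlineHashes].join(" ");
  return [
    "default-src 'self'",
    `script-src ${scriptSources}`,
    "style-src 'self' https://fonts.googleapis.com",
    "font-src 'self' https://fonts.gstatic.com",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed sample resembling the scanner's findings (not the real header).
export const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src *";
```

Running `auditCsp(WEAK_CSP)` yields three findings (both unsafe keywords and the wildcard object-src), while the output of `buildHardenedCsp` passes clean. The caveat that matters for a Vite site on Vercel is that a nonce only works if something generates it per response and injects it into every script tag; a purely static deployment has no such step, so hashes of the exact inline script bodies are usually the practical route, and any code path that relies on eval has to be rewritten rather than allow-listed.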
Fixing Issues with AI
After receiving the report, we sent all this information back to the AI models with the task of fixing the vulnerabilities. The AI made changes:
Partially closed gaps in Content-Security-Policy.
Optimized header configuration.
Minimized the possibility of exploiting identified issues.
However, during these fixes the website's functionality occasionally broke: some scripts stopped working and certain effects displayed incorrectly. That is the expected consequence of tightening a CSP, since inline scripts and any code that relies on eval stop running until they are rewritten or allow-listed by nonce or hash. After several iterations we managed to reduce the risks significantly, but the AI still could not completely eliminate the vulnerabilities.
Conclusions
The experiment showed that AI can quickly and with minimal human intervention create a functional landing page with the required effects and structure. However, even when security requirements were formally included in the technical specification and the AI attempted to fix the reported issues, the final code still contained vulnerabilities.
AI — whether it’s ChatGPT 5 or Claude Sonnet 4 — is a powerful tool for accelerating development, but final review, error fixing, and code auditing must still be performed by a human.