Skip to content
Get Started. Free Consult
Blog / Vibe Coding / 8 July 2026
Vibe Coding

How to tell if a website is vibe coded

We built a detector that fingerprints AI-built websites. Here is the manual version, seven signs you can check in your browser in under a minute.

Josh · Founder8 July 20266 min readVibe Coding · Perth · AI
How to tell if a website is vibe coded

Most vibe coded websites tell on themselves. The badge in the corner, the domain they sit on, the scripts the builder injects into every page. We know because we built a free checker that fingerprints them, and to build it we had to work out exactly what Lovable, Bolt, v0 and Replit leave behind. This post is the manual version. Seven signs, easiest first, most of them checkable in under a minute.

Quick definition first. Vibe coding is building software by describing it to an AI and accepting what comes back. The result is real code on real hosting, which is what separates it from Wix or Squarespace. More on that difference below, because plenty of people conflate the two.

The badge in the corner

The free tiers of most AI builders stamp their work. "Edit with Lovable" floating bottom right. "Made in Bolt" pinned to a corner. "Built with v0" in the footer. If the badge is there, you are done, that is the builder naming itself.

Two things to keep in mind. Paid plans usually let owners remove the badge, so its absence proves nothing. And a badge is just page content, anyone could add one to a hand-built site as a joke. Nobody does, but it keeps a badge one rung below the technical markers on the evidence ladder.

The domain gives it away

Every builder gives new apps a subdomain on its own infrastructure. Lovable apps live on lovable.app addresses, Bolt deploys to bolt.host, Replit to replit.app or repl.co, Base44 to base44.app. A business running its actual site on one of these has shipped the preview link, which itself says something about how the project went.

Once a custom domain is connected this sign disappears. That is when you go to the page source.

Builder scripts left in the source

Right click the page, choose View Page Source, and search for the builder's plumbing. This is the strongest evidence you can get from the outside because it is injected by the platform, not typed by a person, and it survives the move to a custom domain.

The markers we match on in our own ruleset. Lovable apps load a runtime script from cdn.gpteng.co, and newer ones carry platform scripts at /__l5e/ and ~flock.js on the site's own domain. Base44 apps ship a reference to the @base44/sdk package wired to their backend. Find any of these and the builder is identified, whatever domain the site sits on.

Leftover paths and meta tags

Same view-source window, three more searches. Lovable stores every uploaded image under /lovable-uploads/, and in practice that path is the most durable of Lovable's markers, because owners strip badges and scripts but never rehost their images. Lovable also writes a meta tag named lovable-tagger into the head. And some builders fill the standard generator meta tag with their own name, which is the site politely telling you who made it.

A nearly empty page source

Hand-built business sites usually render their content on the server, so the page source is full of readable text. The default output of Bolt, Lovable and v0 is a client-rendered app, and its page source is close to empty. A single div with id="root", a script loading /assets/index-[something].js, and not much else. All the content arrives after JavaScript runs.

An empty shell plus that /assets/ bundle path is the signature of a Vite single page app, which is what these builders generate. It is not proof on its own, hand-built SPAs exist. It is the point where the next sign starts to count.

The default look

You have seen this website before. Dark background. A headline with a purple to blue gradient sliding through it. Pill-shaped buttons, rounded everything, Inter or Geist for the font, the same icon set (Lucide) on every card. AI builders lean on the same component library, shadcn/ui, and the same visual defaults, so their output converges on one look.

Be careful with this one. Half the hand-built web uses the same kit, including sites by teams who simply like shadcn. Our checker only counts aesthetic cues after the page has already shown itself to be a client-rendered shell, and even then it never names a builder from looks alone. Treat the default look as a reason to check the source, never as a verdict.

Comments the AI left behind

This one surprised us. When we tested the ruleset against a control set of hand-built sites, the cleanest separator was HTML comments. Build tooling strips comments on the way to production, so hand-built sites served zero. AI-written static pages that someone deployed by hand keep them, and they are unmistakable. Section labels like a comment reading Hero or Testimonials above each block, decorative divider comments, emoji scattered through the markup. An AI writes those for its own navigation, and a person who does not read code never knows they shipped.

What proves nothing

Two false positives worth naming, because both get thrown around as gotchas.

The tech stack. React, Vite and Supabase power an enormous amount of carefully hand-built software. A Supabase key in the page source is Tuesday, not evidence. Our checker records stack as a footnote and gives it zero weight in the verdict, and anyone who tells you "it uses React so it is vibe coded" is guessing.

Website builders. Shopify, Wix, Squarespace, Webflow and WordPress sites are built from templates in an editor. That is no-code, a different thing entirely, and it long predates AI. Calling a Squarespace site vibe coded is just wrong.

The catch

A site with none of these markers can still be AI-built. Anything made with Cursor, Claude Code or Windsurf leaves no fingerprint at all, because those tools write code into a normal repository that deploys like any hand-built project. Owners can also strip every marker above with one prompt. So the signs only run in one direction. Their presence identifies a builder, their absence tells you nothing. We wrote that rule into our checker and it applies just as hard to manual checking.

Check it in ten seconds

If you would rather not read page source, the checker does all of the above in one pass and shows its evidence, tiered from builder-owned markers down to weak aesthetic cues, so you can see why it reached its verdict rather than taking our word for it.

And if the site you are checking is your own, the interesting question is not which tool built it. It is what the tool left unsecured. Veracode's testing puts security flaws in roughly 45% of AI-generated code, and we keep finding the same three in Australian apps, exposed keys, missing rate limits, over-privileged database roles. A free security check will tell you where yours stands, and if it turns up problems, the audit is how we fix them properly.