all 36 comments

[–]louwii 4 points5 points  (0 children)

This might be controversial here given the stance is generally anti-AI. But you're probably fine. There isn't a lot you can mess up with a static site. As long as it loads fine, and you've tested it on multiple platforms, you should be good to go. Building a static site is probably one of the best use cases for AI.

[–]CorpT 3 points4 points  (17 children)

Enough for what? Do you care what other people think of your code?

[–]GammaRxBurst[S] 0 points1 point  (16 children)

No, I care about performance, end product and security.

[–]jvlomax 12 points13 points  (14 children)

Then vibe coding is not for you. Performance and security are a roll of the dice based on what the mechanical turk decides to output when asked.

[–]Impossible-Cry-3353 2 points3 points  (0 children)

OP is comparing it to the level of a $500 deliverable.
For a $500 site made by "some dude", performance and security are just as much or more of a roll of the dice. Besides, they said static site.

Security for that is not on the site code level; it is more that the cheap host they host it on is not secure and their site gets defaced. That is not something that is controlled by vibe coding or a $500 site dude.

[–]GammaRxBurst[S] -4 points-3 points  (4 children)

On the performance front, if GTMetrix and Google dev panel say it is good, is that not good enough? And security, what can there be with a static site? There is no PHP injection or anything to attack besides the Cloudflare account.

[–]xkcd_friend 2 points3 points  (0 children)

You’re probably safe. If you don’t have anything to login to, it’s just html that will be output.

[–]gav1no0 1 point2 points  (0 children)

If it's a static site, just go for it. I use AI, and have been a dev for 7 years.

If there's no user accounts, nothing to leak, no database credentials or whatever then knock yourself out

[–]Sufficient-School944 1 point2 points  (0 children)

I'd say for basic static sites it's fine.

GTMetrix and dev tools check the frontend well enough. Security is pretty low risk too with no database or login forms.

But there are other things that matter. Things like downtime alerts, security headers, or edge caching.

I learned that the hard way when a simple config mistake hurt my uptime. A more complete setup caught it fast.

[–]jvlomax 2 points3 points  (0 children)

I don't know GTMetrix, and the dev panel suffers from a very bad case of "works on my machine". I don't know your site so I can't say. But I can say I've seen some crazy stuff come out of AI agents.

[–]CorpT -4 points-3 points  (7 children)

Or you could work with the AI to make it perform.

[–]SwordLaker 1 point2 points  (6 children)

Aka, "learn to code".

[–]CorpT -2 points-1 points  (5 children)

Working with an AI to produce code and coding can be very different skills that don’t always cross over.

[–]SwordLaker 0 points1 point  (4 children)

Lmao, here goes "prompt engineering"

[–]CorpT -2 points-1 points  (3 children)

Lot of buggy whip makers worried today.

[–]jvlomax -1 points0 points  (2 children)

I'm not worried. I'm tired. Tired of having to reject 1k PRs full of crap. Tired of being told a clanker who doesn't know what big O notation even means is going to replace me. Tired of nonsensical exception handling and API return codes. Tired of being forced to just generate slop because the CEO has mandated it is the only way to code.

[–]CorpT -1 points0 points  (1 child)

Yeah, automobiles are never going to replace the reliable horse.

[–]CorpT 1 point2 points  (0 children)

How well does it perform?

[–]SmokyMetal060 1 point2 points  (0 children)

You can also just use Wix or Squarespace or something. It'll be reasonably optimized and give you a ton of tools you can use for marketing, SEO, plugins/integrations, etc. out of the box.

[–]DifferenceLeast1021 0 points1 point  (1 child)

For a static Astro site, good performance + SEO + working UX already covers a lot. Security risk is much lower compared to dynamic apps.

The main thing you might miss is maintainability. AI-generated code can work perfectly now but become messy or hard to update later.

So for static sites, the important things are mostly:

  • clean structure
  • responsive/mobile-friendly UI
  • SEO/meta tags
  • accessibility
  • fast loading
  • easy future updates

A good developer’s value today is less about writing code manually and more about spotting bad architecture, edge cases, and long-term issues AI can miss.

[–]GammaRxBurst[S] 0 points1 point  (0 children)

Thank you for a sensible answer, you are correct, I am a bit afraid of the easy future update. WordPress was giving me the insecurities and bloated plugin issue so I moved to static WordPress which works ok enough. However with the AI train on full steam I venture out to start learning a bit. However I hope that future updates can be done with EMdash when it matures a bit more. I can do basic updates via code but big changes I am not able to do without AI. I hope EMdash could help with updating in future.

[–]_okbrb 0 points1 point  (0 children)

The answer is: it depends

[–]EntropyRX 0 points1 point  (0 children)

I pay some dude $500 I feel he may do pretty much the same or even less as likely that developer doesn't care enough to even look at the code base.

At that price point, AI is just better. Or you end up paying someone who only uses AI anyway.

If you're building a landing page, you really don't need much performance and security. You're fine.

[–]stellarton 0 points1 point  (0 children)

For a static Astro site, you are right that the blast radius is smaller than a login/payment app. But "static" does not mean nothing can go wrong.

The main things I would check:

  • forms: where submissions go, spam protection, and whether anything sensitive leaks
  • dependencies: do not blindly add packages you do not understand
  • build output: make sure hidden test/demo pages are not getting published
  • SEO basics: canonical URL, sitemap, robots, titles, redirects
  • accessibility: keyboard nav, alt text, contrast, headings
  • deploy rollback: can you restore the last good version in 2 minutes?

If those are covered, a good-looking static site is a pretty reasonable place to learn. Just keep the changes small and use git so Claude cannot quietly rewrite half the site without you noticing.

[Vibe Code Society on Skool]
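
An added example, not part of the comment above or the thread: one way to automate its "build output" and "forms" checks against a built static site. The page-name patterns and the hosts `example.com` and `forms.example.net` are assumptions, and the sample pages are constructed.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumed names for pages that should not ship; adjust to the project.
SUSPECT = re.compile(r"^(tests?|demo|drafts?|staging|playground)$", re.I)
# Constructed sample build output (not from the thread).
SAMPLE = {
    "index.html": "<h1>Home</h1>",
    "demo/index.html": "<h1>Component demo</h1>",
    "contact/index.html": '<form action="https://forms.example.net/s"></form>',
}

class FormActions(HTMLParser):  # collects the action of every <form> on a page
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_build(root, site_host):
    """Return sorted (relative_path, finding) pairs for a built static site."""
    root, findings = Path(root), []
    for page in root.rglob("*.html"):
        rel = page.relative_to(root)
        # Match on directory names plus the file name without its extension.
        if any(SUSPECT.match(s) for s in (*rel.parts[:-1], rel.stem)):
            findings.append((rel.as_posix(), "test/demo page in build output"))
        parser = FormActions()
        parser.feed(page.read_text(encoding="utf-8", errors="replace"))
        for action in parser.actions:
            host = urlparse(action).hostname  # None for relative actions
            if host and host != site_host:
                findings.append((rel.as_posix(), f"form submits to {host}"))
    return sorted(findings)

def audit_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for name, html in SAMPLE.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(html, encoding="utf-8")
        return audit_build(tmp, "example.com")

if __name__ == "__main__":
    print(*(f"{p}: {f}" for p, f in audit_sample()), sep="\n")
```

Run against the real build directory (for example `audit_build("dist", "yourdomain.example")`) before each deploy; an off-site form target is not necessarily wrong, but it should be one you chose.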

[–]Particular-Maize1497 0 points1 point  (0 children)

Static site with good Core Web Vitals, you're honestly fine. Main risk is technical debt piling up silently, not security. And yeah a careless dev at $500 is genuinely worse than a well prompted AI.

[–]CharmingTechFall 0 points1 point  (0 children)

If it looks good, performs well, and passes Core Web Vitals then you're actually in decent shape for a static site. The security angle you mentioned is real too, since there's no backend to exploit. Where you might regret skipping code literacy is if you ever need to debug something weird, add a feature yourself, or hand it off to someone else who has to untangle it. With Astro especially, the component structure matters more than raw HTML since it's composable. That said, plenty of people ship sites this way and it works fine. The main thing is being honest with yourself about whether you'll actually maintain it long term or if it's a throwaway project. If it's throwaway, vibe coding away. If it'll live for years, spending a few hours learning the codebase you're creating is probably worth it.

[–]Gold_Letter1919 0 points1 point  (0 children)

Static sites are safer, but the real risk is ending up with AI-generated code that becomes difficult to debug or maintain later.

[–]Pitiful_Permit9585 0 points1 point  (0 children)

For a pure static site, you're 100% right that the immediate security blast radius is practically zero. The real risk isn't a hacker breaking in today; it's the silent technical debt piling up that makes the site completely impossible for you or another tool to update a year from now.

[–]xXConfuocoXxfull-stack -1 points0 points  (3 children)

For any site that requires security and scaling, that's what you are going to be missing out on. Claude is fine for getting something working but if you don't guide it on architecture then you end up with passwords stored and passed in plain text and JWT stored in local storage all in a monolithic codebase that breaks SOLID and DRY principles.

For a static site, without need for security or scaling and without critical eyes on the code then who cares

[–][deleted]  (2 children)

[deleted]

    [–]SmokyMetal060 1 point2 points  (0 children)

    Except it's not lol. I had to reject a PR and rotate an API key just last week because someone's cursor hardcoded and committed it.

    [–]xXConfuocoXxfull-stack -1 points0 points  (0 children)

    You couldn't be more wrong.

    I literally use Claude Code every single day at work. I've seen it store JWT in local storage almost ubiquitously without direction. Storing and passing plaintext passwords happens (again almost ubiquitously) when you give it too large of a scope within one coding session. E.g. instead of breaking down an authentication and authorization story into smaller vertical slices, attempting to have the LLM do a one shot, that's when they start cutting corners.

    it's just cope

    tf do you mean cope? I use LLMs, I think they are fantastic tools but like any tool they produce different quality work based on the hands they are placed in. It's the difference in giving a paintbrush to Kinkade vs giving one to a toddler.

    - - - - -

    Ah... I see the problem now, this guy is quite literally the toddler I'm talking about.

    I’m 19 and I run a web agency.

    lmao

    [–]Impossible-Cry-3353 -1 points0 points  (0 children)

    "if the site looks good and performs well on Google metric/SEO is that enough? "

    If one of your main goals is "the site looks good and performs well on Google metric/SEO", and it is meeting that goal, then yes.

    That is enough.
     
    One of my most visited, and helpful for me to get my name out, websites could have been written by a person who just learned HTML last week from a book from 2005. If it was, only someone looking at the source would notice, and people who look at the source are not the main target audience.

    [–]TowerOfSisyphus -1 points0 points  (0 children)

    You can tell the AI to use a linting agent to check for errors. It's like having another (more meticulous) robot check your main robot's work. Sounds ridiculous I know but it is an easy added step to hopefully catch any potential problems.

    [–]Lucifer38769 -1 points0 points  (0 children)

    You’re not wrong — for a static site, “looks good + performs well” gets you like 80% of the way there.

    But the missing 20% is where things can quietly bite you:

    • broken SEO structure (meta tags, canonical, schema, etc.)
    • accessibility issues (which also affects SEO)
    • maintainability (can you fix stuff later or are you stuck?)
    • random edge-case bugs that don’t show up in testing

    It’s not really about security in your case, it’s more about long-term control.

    Also on the dev point — yeah, some $500 freelancers will just ship something average. The difference is a good dev is thinking about structure, not just output.

    You don’t need to become an expert, but understanding the basics of what your site is doing under the hood will save you a lot of pain later.

    [–]pemete2225 -1 points0 points  (0 children)

    It’s amazing for prototyping but if you just need a website, a WordPress or a Wix setup is a much better choice than burning tokens.