SEO basics for vibe-coded apps: the 12 things to set before launch
Search engines need help understanding what your app is and who it's for. This is the 12-step setup any indie founder can run through in under 90 minutes — no SEO expertise required, no agency, no shady backlink buying.
What SEO actually is in one sentence
SEO is convincing Google that when someone types a specific phrase into the search bar, your page is the best answer to that phrase. Everything below does one of three things: (1) tell Google what your page is about, (2) make it easy for Google to find your pages, or (3) help Google trust you.
The 12 things to set
1. Per-page <title> tags · 10 min total
Every page needs its own <title> — 50–60 characters, with the primary keyword early. Generic 'Home — MyApp' titles cost you 30–50% of click-through on Google. Specific titles like 'Lovable app legal compliance scanner — Comply Code' tell users (and Google) what they'll find before they click.
[Primary keyword] — [secondary descriptor] — [brand]. Example: 'GDPR cookie consent checker — free scan for EU SaaS — Comply Code'.
2. Meta descriptions · 10 min total
140–160 characters per page. Don't repeat the title. Lead with what the user will discover, not your features. 'Find out which GDPR rules apply to your app and what to fix first' beats 'GDPR compliance scanner with 17 rule checks'. SERP click-through is what you're optimising for here, not keyword density.
3. One <h1> per page · 5 min
Each page should have exactly one <h1> element, and it should match the title intent. Don't use h1 for every section heading — use h2 / h3 / h4 for nested structure. Most vibe-coded apps ship with all-h2 headings because that's the AI's default; Google sees 'no main topic' and ranks the page lower.
4. Canonical URLs · 5 min
Each page should declare its canonical URL with <link rel='canonical' href='...'>. This prevents Google from treating yoursite.com/page, yoursite.com/page/, and yoursite.com/page?ref=twitter as three duplicate pages with split ranking signal. Next.js's Metadata API handles this automatically if you set the alternates.canonical field.
5. Open Graph + Twitter Card meta · 10 min
When someone shares your URL on Slack, Twitter / X, LinkedIn, or Discord, the preview card is generated from your Open Graph meta tags. Without them, you get a sad blank rectangle that drops click-through dramatically. Set: og:title, og:description, og:image, og:url, twitter:card, twitter:title, twitter:description.
6. robots.txt · 5 min
This file at yoursite.com/robots.txt tells crawlers what they can and can't access. At minimum: allow / to all bots, disallow /admin/, /api/, and any private routes. Don't accidentally Disallow: / (blocks everything) — this is the single most common SEO own-goal at launch, usually inherited from a staging template that never got flipped back.
7. sitemap.xml · 15 min
A sitemap lists every public URL on your site so Google can crawl them efficiently. Most frameworks (Next.js, Astro, Nuxt, SvelteKit) have built-in sitemap generators. After you deploy, submit your sitemap to Google Search Console — this is the single biggest action you can take to get indexed quickly.
8. Structured data: Organization + WebSite · 10 min
JSON-LD structured data is how you tell Google 'I'm a real business' and 'I have a search feature'. Add both schemas to your root layout. Templates are available at schema.org. This also feeds AI engines (Perplexity, ChatGPT) — see the companion article on AEO and GEO.
9. Image alt text · 10 min
Every informative image needs an alt attribute describing what's in it. Decorative images get alt="" (empty alt, not no alt). Both Google and screen readers depend on this — and missing alt text is the #3 most-cited ADA accessibility violation in 2025 demand letters. So this one item helps SEO and lawsuit-defense simultaneously.
10. Internal linking · 15 min
Link your pages to each other with descriptive anchor text. Don't write 'click here' — write 'see the Lovable compliance checklist'. Google uses anchor text to understand what the linked page is about. Aim for 3–5 internal links per page on average; that's the density Google's documentation recommends.
11. Mobile responsiveness · 5 min to verify
Open your site on your phone. Tap every CTA. Check that text is readable without zooming, forms work with the on-screen keyboard, and there's no horizontal scrolling. Google has used mobile-first indexing since 2019 — desktop-only sites get ranked lower.
12. HTTPS + custom domain · handled by your platform
Vercel, Netlify, Fly, and Cloudflare Pages all do this automatically with Let's Encrypt. Just make sure your custom domain is connected (not yourapp.vercel.app) and HTTPS is on. Google flags non-HTTPS sites as 'Not secure' in Chrome, which kills conversion immediately.
What you can ignore
There's a lot of SEO advice online. Most of it is dated or selling something. Things you don't need to worry about at launch:
- Keyword density / keyword stuffing — Google has explicitly de-weighted this since around 2013.
- Meta keywords tag — Google has ignored this since 2009.
- Submitting to 200 directories — most are dead or PageRank-farm spam.
- Buying backlinks — Google actively penalizes this, sometimes severely.
- 'Long-tail keyword' strategies — just write content that answers real questions, that's the long tail.
- WordPress-specific SEO plugins — you're not using WordPress.
- 'EEAT' as a strategy — it's a heuristic Google uses, not a knob you turn.
How to verify everything works
Three free tools to run before you tweet your launch:
- PageSpeed Insights (pagespeed.web.dev) — performance, mobile-friendliness, and basic SEO checks.
- Google Rich Results Test (search.google.com/test/rich-results) — verifies your structured data renders correctly.
- Twitter Card Validator (cards-dev.twitter.com/validator) — confirms your OG image and meta tags work on social.
What this doesn't cover
Two things you'll want next, in companion articles:
- AEO and GEO — getting cited by ChatGPT, Perplexity, and Google AI Overview. Different optimisations, growing share of search traffic.
- Compliance gates — ADA accessibility, GDPR cookie consent, AI-code IP. The legal layer underneath the SEO layer.
Common questions.
How long until Google indexes my new site?
Anywhere from 24 hours to two weeks. Submit your sitemap to Google Search Console immediately after launch to speed this up. Once Google has crawled once, it'll re-crawl every few days for active sites. New sites without inbound links can take longer — getting one link from a respected source (a Show HN post, a friend's site) cuts the wait dramatically.
Do I need to register with Google for my site to be found?
No — Google indexes everything it can crawl, registration not required. But Google Search Console (free) lets you submit your sitemap, see what's indexed, see which queries you appear for, and get notified about issues. Set it up. It's the only SEO tool that's strictly necessary.
What if I don't want my app indexed yet?
Add <meta name="robots" content="noindex"> to every page, or Disallow: / in robots.txt. Both are reversible. Don't forget to undo them when you launch publicly — accidentally leaving noindex in production is one of the most common own-goals.
Is SEO worth the effort for a tiny indie app?
Yes for content and articles. Maybe for a product page. If you're paying for ads, SEO is your eventual ad-replacement strategy — content compounds, ads don't. If you have zero content and don't plan to write any, skip SEO and focus on direct distribution (Show HN, Product Hunt, Twitter, partnerships).
How do I know if my SEO is working?
Google Search Console shows you which queries you appear for, your click-through rate, and which pages are getting impressions. Check it monthly. The leading indicator is impressions (you're appearing in results); the lagging indicator is clicks (people are choosing you). Watch impressions grow first.
Should I block AI crawlers like GPTBot to protect my content?
Depends on your business. If you sell content licenses, block them. If you sell a product and want to be discovered, allow them — being cited by ChatGPT or Perplexity drives real traffic and authority signal. We allow all AI crawlers on Comply Code's robots.txt explicitly. See the AEO and GEO article for the specific allow-list.