Free security scanner

Ship your vibe.
Know it's secure.

The free security scanner built for AI-generated apps. Get a letter grade, plain-English findings, and copy-paste fixes in minutes.

89% of AI-built apps ship with security vulnerabilities
Security Scan Result (live demo)
B+
Score: 108 / 130
0 Critical, 2 High, 3 Medium

Vibe coding is amazing.
But AI doesn't think about security.

Your AI tool got the feature working in minutes. But it probably also left the front door wide open.

🔑
Exposed API Keys
Your OpenAI key is sitting in your JavaScript bundle. Anyone who opens DevTools can copy it and run up your bill.
const apiKey = "sk-proj-a8Kx...mZ9q"
🛢
No Database Protection
Your Supabase tables are readable by anyone on the internet. No Row Level Security policies. All data is public.
GET /rest/v1/users → 200 OK ✗
🛡
Missing Security Headers
Your site has no protection against XSS, clickjacking, or content injection. Browsers need you to opt in to these defenses.
Content-Security-Policy: ✗ missing

Three steps to confidence

No account needed. No repo access. Just a URL.

1. Enter your URL
Paste the URL of your live site. We scan what's publicly visible — the same things an attacker would see.
2. We scan everything
JS bundles, HTTP headers, API endpoints, database configs, exposed paths, cookies, CORS policies, and more.
3. Get your grade + fixes
A letter grade from A+ to F, plain-English explanations, and copy-paste code to fix every issue we find.

30+ checks across 6 categories

We look at everything an attacker would — and explain what we find in words you actually understand.

🔐
Exposed Secrets
API keys, tokens, and credentials leaked in your JavaScript bundles. We detect 30+ key formats.
📋
Security Headers
HSTS, CSP, X-Frame-Options, and more. The basics that prevent XSS, clickjacking, and MIME attacks.
🌐
CORS Misconfigurations
Overly permissive cross-origin policies that let any website interact with your API.
🛢
Database Security
Supabase RLS policies, Firebase rules, open S3 buckets, and world-readable databases.
🍪
Cookie Security
Missing Secure, HttpOnly, and SameSite flags on session cookies. Prevents hijacking and CSRF.
📁
Exposed Files
.env files, .git directories, backup archives, source maps, and debug logs that should never be public.

See what you'll get

Real findings. Real fixes. No jargon.

secureyourvibe.com/report/demo-app

Security Grade: D

Base score: 100
Findings: −45 (1 critical, 1 high, 2 medium)
Bonuses: +5 (no info leakage)
Final: 60 / 130
Critical: Supabase Database Has No RLS
supabase.co/rest/v1/ → 200 with table list
What this means: Anyone can read all data in your database — user emails, passwords, private content — without logging in. Your Supabase project has no Row Level Security policies enabled.
Why it matters: An attacker can steal all your user data with a single API call using the public key already in your JavaScript.
Fix — Supabase Dashboard
-- Enable RLS on your tables:
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;
-- Add a policy so users can only read their own data:
CREATE POLICY "Users read own data" ON public.users
  FOR SELECT USING (auth.uid() = id);
-- With RLS enabled and no other policies, inserts and updates through the API
-- are denied until you add policies for them.
High: Missing Strict-Transport-Security Header
HTTP response headers
Medium: CORS Allows Any Origin
/api/users → Access-Control-Allow-Origin: *
Medium: No Content Security Policy
HTTP response headers
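The header, CORS and cookie checks from the categories list above and the demo report, written out as an added Python example rather than the scanner's own code; the sample response is constructed, and the clickjacking and cookie severities are assumed since the report only shows HSTS, CSP and CORS.

```python
# Added example (not the scanner's own code): the header, CORS and cookie
# checks from the demo report, run over a constructed HTTP response.
# HSTS, CSP and CORS severities mirror the report; the rest are assumed.

def _header(headers, name):
    """Case-insensitive lookup; header names are case-insensitive in HTTP."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _cookie_missing_flags(set_cookie):
    """Return the security attributes absent from one Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]

def check_response(headers):
    """Return (severity, title, evidence) findings for one response's headers."""
    findings = []
    if _header(headers, "Strict-Transport-Security") is None:
        findings.append(("High", "Missing Strict-Transport-Security Header", "HTTP response headers"))
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(("Medium", "No Content Security Policy", "HTTP response headers"))
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive counts.
    if _header(headers, "X-Frame-Options") is None and "frame-ancestors" not in (csp or ""):
        findings.append(("Medium", "No Clickjacking Protection", "X-Frame-Options: missing"))
    if _header(headers, "Access-Control-Allow-Origin") == "*":
        findings.append(("Medium", "CORS Allows Any Origin", "Access-Control-Allow-Origin: *"))
    for raw in _header(headers, "Set-Cookie") or []:
        missing = _cookie_missing_flags(raw)
        if missing:
            name = raw.split("=", 1)[0].strip()
            findings.append(("Medium", f"Cookie '{name}' missing {', '.join(missing)}", raw))
    return findings

# Constructed sample response for GET /api/users, as a scanner might capture it.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Set-Cookie": ["session=abc123; Path=/"],
}

if __name__ == "__main__":
    for severity, title, evidence in check_response(SAMPLE_HEADERS):
        print(f"{severity:8} {title}  [{evidence}]")
```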

Built for the tools you're already using

Cursor
Bolt.new
Lovable
v0
Replit
Vercel
Netlify
Supabase
Firebase
Next.js
Express

Free forever. Seriously.

Start with a free scan. Upgrade only if you need the full picture.

Full Report
$5 one-time
Everything we find, with the fix for each.
  • All findings, not just top 3
  • Framework-specific fix code
  • Prioritized action plan
  • PDF export
  • Rescan after you fix
Get Full Report
Monitor
$9 / month
Ongoing protection as you keep building.
  • Weekly automatic re-scans
  • Email alerts on grade changes
  • Scan history with diffs
  • Embeddable security badge
  • Priority support
Start Monitoring

This isn't hypothetical

Independent research confirms what we see in every scan.

89.5% of AI-built apps ship with exploitable vulnerabilities (Escape.tech, 2,000+ apps analyzed)
23M secrets found in public source code in 2024 (GitGuardian, State of Secrets Sprawl)
45% of AI-generated code contains security vulnerabilities (Veracode, GenAI Code Security Report)

Don't ship blind

Scan your site for free. See your grade in seconds.