Free scan · no signup to run

Your vibe-coded app shipped with the door open.

AI builders optimize for shipping, not security. Paste your URL and see the exposed secrets, missing auth and open database rules — in about 30 seconds.

Works on any deployed app — Lovable, Cursor, Bolt, v0, Replit or hand-written.

What the scan checks

Exposed secrets: API keys, tokens and committed .env values reachable from the browser or repo.
Missing authentication: Endpoints that return data without checking who is asking.
Open Supabase RLS: Tables any visitor can read or write because Row Level Security is off.
Client-side secrets: Service-role keys and admin logic shipped to the browser.
No rate limiting: Login, signup and payment routes open to brute force and abuse.
Security headers: Missing CSP, HSTS and X-Frame-Options; misconfigured CORS.
SEO & metadata: Missing titles, descriptions, robots and sitemap signals.
AI readiness (AEO): Whether AI engines can read and cite your app (llms.txt, structure).

Built for apps made with

Lovable, Cursor, Bolt, v0, Replit

Scanner FAQ

Is the scan really free? Yes — paste a URL and run the scan with no account. You only create a free account to unlock the full list of findings.
Do I need to install anything? No. The scan runs against your deployed URL from the outside, like an attacker would. Nothing to add to your code.
What does it actually check? Exposed secrets, missing authentication, open Supabase RLS, missing security headers, plus SEO and AI-readiness signals — over 100 checks.
Will it break my app? No. The scan is read-only and rate-limited. It looks at what's publicly reachable; it doesn't modify anything.

Learn more

Vibe coding security: risks & checklist
Supabase RLS: the complete guide
Is Cursor safe? Security risks

See what's exposed before someone else does.
