Security scanning for AI-generated web apps
Free vulnerability detection for vibe-coded projects. Detects exposed .env files, weak TLS ciphers, hardcoded API keys, and framework-specific misconfigurations.
No signup required. Results in ~60 seconds.
Also available
npm Supply Chain Scanner
Check your package-lock.json for compromised packages, known vulnerabilities, and malware. No signup required.
What we check
Security Headers
Analyzes CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
TLS Configuration
Certificate chain validation, TLS 1.2/1.3 protocol versions, cipher suite strength via SSL Labs API
Exposed Files
Probes for .env, .git/config, /debug, /admin, wp-config.php, and 20+ sensitive paths
JavaScript Secrets
Pattern-matches bundled JS for AWS keys, Stripe tokens, Firebase credentials, and API secrets
How it works
Start a scan
Try it instantly with our demo target, or sign up to scan your own domains. No API key needed.
Automated analysis
Four scanners run in parallel: HTTP header analysis, TLS configuration check via SSL Labs, sensitive file probing, and JavaScript static analysis.
Prioritized results
Get an A-F security grade with severity-ranked findings and copy-paste remediation steps. Paid tier adds Nuclei-powered framework-specific checks.
Scan methodology
- Security headers: Passive HTTP response header analysis (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- TLS configuration: Qualys SSL Labs API — certificate chain, protocol versions, cipher strength, known vulnerabilities
- Exposed files: Active HTTP probes for common sensitive paths (.env, .git/config, /debug, /admin, backup files)
- JavaScript secrets: Regex pattern matching on bundled JavaScript for API keys, tokens, and credentials
- Vibe-code scanning (paid): Nuclei with custom templates for Supabase RLS bypass, Firebase security rules, Next.js/React misconfigurations
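As an added illustration of the passive header analysis described in the methodology (example code written for this page, not the scanner's own implementation): a Python function that grades one captured response header set along the lines the list describes. The two header sets, the severity weights and the A-F thresholds are constructed assumptions.

```python
import re

# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Severity assigned when a header is absent (assumed weighting, not the service's).
REQUIRED = {
    "content-security-policy": "high",
    "strict-transport-security": "high",
    "x-frame-options": "medium",
    "x-content-type-options": "low",
    "referrer-policy": "low",
    "permissions-policy": "low",
}
PENALTY = {"high": 3, "medium": 2, "low": 1}

def analyze_headers(headers):
    """Passive check of one response's headers: returns (grade, findings)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy", "")
    findings = []
    for name, sev in REQUIRED.items():
        # frame-ancestors in CSP supersedes X-Frame-Options, so its absence is fine then
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        if name not in h:
            findings.append((sev, f"missing {name}"))
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("high", "CSP permits 'unsafe-inline' or 'unsafe-eval'"))
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not max_age or int(max_age.group(1)) < 31536000):
        findings.append(("medium", "HSTS max-age shorter than one year"))
    if h.get("referrer-policy", "") in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("low", "Referrer-Policy sends the full URL to cross-origin HTTPS sites"))
    score = sum(PENALTY[sev] for sev, _ in findings)
    grade = "ABCDF"[min((score + 1) // 2, 4)]  # 0 -> A, 1-2 -> B, 3-4 -> C, 5-6 -> D, 7+ -> F
    return grade, findings
```

The weak set grades F because it combines an unsafe-inline CSP, a short HSTS lifetime, a missing framing control and a leaky referrer policy; the good set grades A with no findings, even though it omits X-Frame-Options, because its CSP carries frame-ancestors.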