For vibe coders & solo builders
Paste your URL and see exposed API keys, missing headers, vulnerable libraries, and the misconfigurations most common in Supabase, Lovable, and Base44 apps - like a publicly readable database - in 15 seconds, free, no account needed. Upgrade only if you want the full-site AI agent to keep digging.
Security Score
Fair - attention needed
my-ai-app.com
just now
Supabase database publicly readable via anon key
GET /rest/v1/users?select=* -> 200, 3 rows
Stripe API key exposed in /dist/main.js
sk_live_4xK9mR...
jQuery 1.12.4 - CVE-2019-11358
Known XSS vulnerability - 3 pages affected
GTM firing 3 tags to unknown domains
cdn-analytics-2847.io · reg. 6 weeks ago
AI Summary
Critical credential exposure detected in production JS bundle. A recently-registered domain is loading third-party scripts that may have been compromised...
Features for vibe coders
Scanning
Paste any URL and get a complete security snapshot across all 8 layers in under 15 seconds. No account, no setup.
Scanning
HTTP/TLS, HTML, network traffic, JavaScript CVEs, tag managers, third-party supply chain, platform misconfigurations, server/CMS software CVE checks, and AI synthesis all run on every scan.
Platform Security
Detects the most common security failures in apps built with Lovable, Supabase, Base44, Bubble, and similar AI app builders - publicly readable databases, exposed service_role keys, and known platform CVEs.
Scanning
Retire.js + OSV database checks against every JS library identified on the page. Pinpoints the exact file and version with the CVE ID linked.
Scanning
Full checklist of CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, cookie flags, CORS, and server version disclosure.
Scanning
Every scan produces a weighted 0-100 score and A-F grade calculated from finding severity across all 8 layers. Comparable across scans over time.
Scanning
Scan a bare domain or IP directly - no scheme required. Automatically tries HTTPS, HTTP, and common alternate ports, and always reports what it found.
AI Investigation
When an exposed .map file is found, the agent fetches it and reconstructs original source to check for hardcoded secrets and internal architecture leaks.
Reports
Plain-English summary of your security posture written by an LLM that has read all findings holistically. Readable by a CTO, auditor, or board member.
Reports
Every free report gets a public URL you can send to a developer, client, or auditor. Sign up to save reports to your account permanently.
Automation
Let Claude, Cursor, or any MCP-compatible AI agent trigger scans and poll results directly - create_scan, get_scan, list_scans, and wait_for_scan tools, no glue code required.
Pricing
Most solo builders never need more than the free tier - upgrade later if you start shipping client work or need scheduled scans.