Is your vibe-coded site actually secure?
AI-generated code ships fast - but often without rate limiting, security headers, or proper secret management. Run a free black-box scan to find what was missed.
What the scanner checks
13 automated checks across 5 security categories. Non-invasive, read-only, no login required.
API Key Exposure
Scans HTML/JS source for hardcoded Google, AWS, OpenAI, Stripe, and other API keys. The most common vibe-coding mistake.
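The kind of source check described above, as an added example that is not the scanner's own code: a small pattern-based detector you can run over your own built JavaScript bundle before deploying. The key formats (AWS access key IDs beginning `AKIA`, Google API keys beginning `AIza`, Stripe live secret keys beginning `sk_live_`, OpenAI keys beginning `sk-`) are the publicly documented prefixes; the sample bundle and every key value in it are constructed and fake. It also shows two things that should not be flagged: a Stripe publishable (`pk_live_`) key, which is designed to ship to browsers, and a server-side `process.env` reference.

```python
import re

# Well-known public prefixes of the key types named on the page.
# Patterns are an assumption of this example, not the scanner's rule set.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "stripe-secret-key": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
    "openai-api-key": re.compile(r"sk-(?:proj-)?[A-Za-z0-9_\-]{20,}"),
}

# Fallback: any apiKey/secret/token assigned a long literal string.
GENERIC_ASSIGNMENT = re.compile(
    r"(api[_-]?key|secret|token)\s*[:=]\s*[\"']([A-Za-z0-9_\-]{16,})[\"']", re.I
)


def scan_source(text):
    """Return a list of findings {kind, line, preview} for hardcoded keys.

    Only a short prefix of each value is kept in the report so the report
    itself does not become a second copy of the secret.
    """
    findings = []
    seen_values = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                seen_values.add(value)
                findings.append({"kind": kind, "line": line_no, "preview": value[:8] + "..."})
        for match in GENERIC_ASSIGNMENT.finditer(line):
            value = match.group(2)
            if value in seen_values:  # already reported by a specific pattern
                continue
            seen_values.add(value)
            findings.append({"kind": "generic-secret-literal", "line": line_no, "preview": value[:8] + "..."})
    return findings


# Constructed sample bundle; every key below is fake and follows only the prefix shape.
SAMPLE_BUNDLE = "\n".join([
    "// constructed sample, keys are fake",
    'const firebaseConfig = { apiKey: "AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE00" };',
    'const s3 = new S3({ accessKeyId: "AKIAEXAMPLEKEY000000", secretAccessKey: "..." });',
    'const stripe = Stripe("pk_live_EXAMPLEPUBLISHABLE0000000"); // publishable key, safe in browser',
    'fetch("/api/charge", { headers: { Authorization: "Bearer sk_live_EXAMPLEEXAMPLEEXAMPLE0000" } });',
    "const openai = process.env.OPENAI_API_KEY; // server-side env reference, nothing to flag",
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} ({f['preview']})")
```

Run it against the files in your build output directory rather than the source tree: bundlers inline environment variables at build time, so a key that looks like a server-side reference in source can still end up as a literal in the shipped JavaScript.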
Sensitive File Exposure
Probes /.env, /.git/HEAD, /config.json, /wp-config.php and other files that should never be publicly accessible.
HTTPS & Transport
Verifies the HTTP-to-HTTPS redirect and the HSTS header, and checks for mixed content (HTTP resources loaded on HTTPS pages).
Security Headers
Checks for CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.
Auth & Access
Tests CORS configuration, probes common admin panel paths, checks cookie security flags (HttpOnly, Secure, SameSite).
Client-Side Code
Detects vulnerable jQuery/Bootstrap/AngularJS versions, reflected XSS, and insecure form submission patterns.
Rate Limiting
Checks for rate-limiting response headers on page and API routes - frequently absent in AI-generated apps.
Error Verbosity
Tests whether error pages leak stack traces, file paths, or database error messages to the public.
Server Info Disclosure
Checks whether Server and X-Powered-By headers reveal your tech stack and version numbers to attackers.
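The header and cookie checks listed under HTTPS & Transport, Security Headers, Auth & Access, Rate Limiting and Server Info Disclosure, as one added example that is not the scanner's own code. It audits a captured set of response headers offline: the two sample responses below are constructed, the header names are the standard ones named on the page, and the one-year HSTS minimum and the "version number looks like `digits.digits`" rule are assumptions chosen for this example.

```python
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; assumption for this example

# Headers whose mere absence is a finding, with the code used in the report.
REQUIRED_HEADERS = {
    "content-security-policy": ("csp-missing", "no Content-Security-Policy; inline scripts and any origin are allowed"),
    "x-frame-options": ("xfo-missing", "no X-Frame-Options; page can be framed (clickjacking)"),
    "x-content-type-options": ("xcto-missing", "no X-Content-Type-Options: nosniff"),
    "referrer-policy": ("referrer-policy-missing", "no Referrer-Policy; full URLs may leak to third parties"),
    "permissions-policy": ("permissions-policy-missing", "no Permissions-Policy; camera/microphone/geolocation unrestricted"),
}
RATE_LIMIT_HEADERS = ("ratelimit-limit", "ratelimit-policy", "x-ratelimit-limit")


def audit_headers(headers, served_over_https=True):
    """Return {code: message} for every weakness found in one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, (code, msg) in REQUIRED_HEADERS.items():
        if name not in h:
            findings[code] = msg
    if h.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings["xcto-wrong-value"] = "X-Content-Type-Options must be exactly 'nosniff'"
    if served_over_https:  # HSTS is ignored by browsers over plain HTTP, so only judge it on HTTPS
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings["hsts-missing"] = "no Strict-Transport-Security; first request can be downgraded"
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.I)
            if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
                findings["hsts-short-max-age"] = f"HSTS max-age below one year: {hsts!r}"
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings[f"{name}-version-disclosed"] = f"{name} header reveals a version: {value!r}"
        elif name == "x-powered-by" and value:
            findings["x-powered-by-present"] = f"X-Powered-By reveals the framework: {value!r}"
    if not any(name in h for name in RATE_LIMIT_HEADERS):
        findings["rate-limit-headers-absent"] = "no rate-limit headers; route may have no throttling at all"
    return findings


def audit_cookie(set_cookie_value):
    """Return {code: message} for a single Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    findings = {}
    if "secure" not in attrs:
        findings["cookie-no-secure"] = "cookie can be sent over plain HTTP"
    if "httponly" not in attrs:
        findings["cookie-no-httponly"] = "cookie readable by page scripts (XSS can steal it)"
    if "samesite" not in attrs:
        findings["cookie-no-samesite"] = "no SameSite; browser default applies and CSRF protection is implicit"
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        findings["cookie-samesite-none-insecure"] = "SameSite=None requires Secure or browsers drop the cookie"
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
}
WEAK_COOKIE = "session=abc123; Path=/"

HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "RateLimit-Limit": "100",
}
HARDENED_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for code, msg in {**audit_headers(WEAK_RESPONSE_HEADERS), **audit_cookie(WEAK_COOKIE)}.items():
        print(f"{code}: {msg}")
```

To use it on a live deployment you control, feed it the headers from a single `GET` of the page and of one API route, since the rate-limit headers are often present on one and not the other, and pass each `Set-Cookie` value to `audit_cookie` separately.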