Is your vibe-coded app leaking secrets?

45% of AI-generated apps ship with at least one critical security flaw. Find out where yours stands in 60 seconds. Free.

Supports apps built with Lovable, Bolt, v0, Cursor, Replit, Firebase Studio, plus custom domains.

How it works

Three steps. Sixty seconds.

1. Paste your URL

Any public app URL — Lovable, Bolt, v0, Vercel, Replit, custom domain.

2. We scan, passively

Read-only checks against your public surface. No exploits, no intrusive probes, no auth attempts.

3. Get your report

Letter grade + prioritized findings + remediation steps. PDF emailed to you.

What we check

Real findings, not marketing fluff.

Exposed API keys

Stripe, OpenAI, Anthropic, AWS, GitHub, and 8 other credential types embedded in your client code.

Supabase Row Level Security

We probe your Supabase tables (read-only) to see what's exposed to anonymous users — the #1 vibe-coded mistake.

Security headers

Mozilla Observatory grades your headers — CSP, HSTS, X-Frame-Options, and more.

Client-side secrets

Database connection strings, JWT service-role tokens, private keys, and other things that should never ship to the browser.

FAQ

Honest answers.