Free scan · no account needed

You vibe-coded
your app.
Is it leaking secrets?

Apps built with Lovable, Bolt, v0 or Cursor routinely ship with .env files, admin panels and databases left wide open. Invisible unless you know where to look. We check the site you own, in plain English.

We only scan domains you prove you own. Nothing destructive, ever.

SCANexample.com
live
$ probe example.com
GET/.env200 OKcritical
your database password is downloadable
GET/.git/config200 OKcritical
your full source history is public
GET/admin200 OKhigh
admin panel open to anyone
GET/api/users?id=1200 OKhigh
returns other people's records
GET/backup.sql.bak200 OKhigh
a database dump, left on the server
5 exposures found47s

Every one of these should have answered 403 Forbidden. That gap is the whole product.

01What we look for

A real audit, not a checklist.

The same exposures a skilled attacker probes for first, mapped across your whole reachable surface and ranked by how much they actually matter.

critical

Exposed secrets

Publicly downloadable .env files, API keys and tokens shipped in your client code, database dumps left on the server.

critical

Open source & config

Reachable .git folders, backup files, and config that hand an attacker your entire codebase and credentials.

high

Broken access control

Admin panels open to anyone, and API endpoints that hand back other users' records by changing one number in the URL.

medium

Injection & redirects

Safe, read-only probes for cross-site scripting, SQL injection and open redirects across your whole reachable surface.

medium

TLS, DNS & email

Weak certificates, spoofable email (missing SPF/DMARC), and DNS that lets someone impersonate your domain.

low

Headers & cookies

Missing security headers, cookies without the right flags, and the small hardening steps that add up.

02How it works
01

Prove you own it

Paste one line into your AI builder, or add a DNS record. We only ever scan sites you control, and we check again the moment the scan starts.

02

We scan, safely

A deep, non-destructive audit runs against your live site. Read-only probes only. Nothing here can change or break anything.

03

Get a fix, not jargon

Plain-language findings ranked by real risk, each with a copy-paste prompt you hand straight to your AI builder to fix it.

Find out before someone else does.

Two minutes, no security background, no account for the free scan. Prove you own the domain, and see exactly what it is handing out right now.