// security scan for AI-built apps
Did your AI-built app just leak your API keys?
Apps shipped with Lovable, Bolt, Replit, v0 or Cursor are fast to build and easy to leave wide open. Paste your live URL. Find exposed secrets, open databases, and missing protections in 20 seconds.
No signup. No install. We only read your public pages.
Exposed API keys
Open Supabase / Firebase
Leaked .env / .git
Missing headers
Source maps
Email spoofing
What VibeScan checks
01 Leaked secrets
Scans your shipped JavaScript for Stripe, OpenAI, AWS, Supabase and other keys that should never reach the browser.
02 Open databases
Detects Supabase / Firebase usage and flags the #1 vibe-coding mistake: tables with Row Level Security turned off.
03 Exposed files
Probes for publicly served .env, .git, backups and config files that quietly leak everything.
04 Missing protections
Checks HTTPS, CSP, HSTS, clickjacking protection, CORS, source maps, and email spoofing (DMARC/SPF) on your domain.