Security you can actually fix.
Paste your app URL. VibeScan checks for exposed secrets, broken auth, unsafe databases, and more — then tells you exactly how to fix what it finds.
Built with these tools? We scan them.
Issues we find every single day.
These aren't made-up examples. These are the exact vulnerabilities VibeScan surfaces in apps built with Lovable, Bolt, Cursor, and Replit — often within hours of launch.
Exposed Supabase key in page source
Anyone could read, modify, or delete your entire database using this key — no authentication required.
Move the key server-side and enable Row Level Security on all tables.
Row Level Security disabled on users table
Any authenticated user can run SELECT * FROM users and get every email, password hash, and private field.
Enable RLS in Supabase and add per-user policies to every table containing private data.
Admin route accessible without authentication
The /api/admin/users endpoint returns a full user list to anyone — no session required.
Add an auth check at the top of every admin route handler.
Wildcard CORS policy on all API routes
Any website can make authenticated requests to your API on behalf of logged-in users — silently.
Replace Access-Control-Allow-Origin: * with your specific domain.
Paste a URL. Get a security report.
No installs. No API keys. No code changes. VibeScan fetches your app and runs every check automatically.
Paste your URL
Drop in your app's live URL. Lovable subdomain, Vercel preview, custom domain — all work.
We run the checks
VibeScan crawls your app, fetches JS bundles, probes API endpoints, and tests 50+ security patterns.
Get a plain-English report
Every issue comes with a short explanation and a step-by-step fix. No jargon. You can fix it in minutes.
main.js. Anyone can charge cards.The security issues that actually bite.
These aren't theoretical vulnerabilities. They're the real mistakes that show up in 80% of apps built with AI tools.
Exposed secrets
Stripe keys, Supabase anon keys, OpenAI tokens — if it's in your client-side JS, we'll find it.
Database rules
Supabase Row-Level Security off? Anyone with your project URL can dump your entire database.
Auth checks
Admin routes without auth, missing role checks, insecure password reset flows.
XSS protection
We send 47 common XSS payloads into every form field and URL parameter we can find.
Cookie flags
Session cookies without HttpOnly, SameSite, or Secure flags are easy to steal.
Builders who caught it before their users did.
“I built an MVP in a weekend with Lovable, shipped it, then VibeScan found my Stripe key in the JS bundle. Fixed in 10 minutes. Genuinely scary how close I was.”
“VibeScan flagged missing RLS on three tables. The report was so clear even our designer understood the fix. We ran it on every new project now.”
“I charge clients for security audits now. VibeScan finds the obvious stuff in seconds so I can focus on the hard issues. Worth every penny.”
Simple, honest pricing.
Start free. Upgrade when you want AI-powered fix guides and continuous monitoring.
Run a scan now, no card needed.
- ✓Full security scan
- ✓All findings with severity
- ✓HTTPS, headers, CORS, secrets checks
- ✓Public shareable report link
- ✓Security score + grade
- —AI plain-English explanations
- —Copy-paste fix prompts
- —Weekly monitoring
- —Security badge for your site
For founders ready to ship securely.
- ✓Everything in Free
- ✓AI plain-English explanations
- ✓Copy-paste fix prompts for Lovable / Bolt / Cursor
- ✓Weekly automated re-scans
- ✓"Protected by VibeScan" badge
- ✓Email alerts on new issues
- ✓Priority support
For agencies and multi-product teams.
- ✓Everything in Launch
- ✓Up to 3 apps monitored
- ✓Team member access
- ✓Priority alerts via Slack
- ✓Custom security reports
- ✓Dedicated onboarding call
All plans include a free scan to start. Cancel anytime. Questions? hello@vibescan.space
Questions founders ask.
Your first scan is free.
No credit card.
Drop in your URL and get a full security report in under 60 seconds. Upgrade to monitor continuously for $29/mo.