Security Checks

What VibeScan checks

Every scan runs 8 automated security checks against your live app. Here is exactly what each one looks for and why it matters.

HTTPS Enforcement

Critical
What it checks

Verifies that your app is served over HTTPS, not HTTP.

Why it matters

Without HTTPS, all data transmitted between your users and your app — including passwords, session tokens, and personal information — travels as plaintext. Anyone on the same network can read it.

Flagged when

App URL responds over HTTP, or redirects are not properly configured to force HTTPS.

CORS Policy

High
What it checks

Checks the Access-Control-Allow-Origin response header for wildcard (*) or overly permissive values.

Why it matters

A wildcard CORS policy allows any website on the internet to make authenticated requests to your API on behalf of your users. An attacker's site can silently read your users' data or perform actions as them.

Flagged when

Access-Control-Allow-Origin: * appears in any response header.

X-Frame-Options

Medium
What it checks

Checks for the X-Frame-Options response header.

Why it matters

Without this header, your app can be embedded in an invisible iframe on a malicious website. Attackers use this for clickjacking — tricking users into clicking buttons they can't see.

Flagged when

X-Frame-Options header is missing from the response.

Content-Security-Policy

Medium
What it checks

Checks for the Content-Security-Policy (CSP) response header.

Why it matters

CSP defines which scripts, styles, and resources are allowed to load on your page. Without it, a cross-site scripting (XSS) vulnerability lets an attacker run any script — including ones that steal your users' sessions.

Flagged when

Content-Security-Policy header is missing from the response.

Strict-Transport-Security (HSTS)

Medium
What it checks

Checks for the Strict-Transport-Security header.

Why it matters

HSTS tells browsers to always use HTTPS for your domain, even if the user types http://. Without it, a first connection could happen over HTTP, interceptable by a network attacker.

Flagged when

Strict-Transport-Security header is missing from the HTTPS response.

X-Content-Type-Options

Low
What it checks

Checks for the X-Content-Type-Options: nosniff header.

Why it matters

Without this header, browsers may try to "sniff" the content type of a file and execute it as a different type. For example, a text file uploaded by a user might be interpreted and executed as HTML.

Flagged when

X-Content-Type-Options header is missing.

Exposed Secrets in Page Source

Critical
What it checks

Scans the page HTML and loaded JavaScript for patterns matching API keys, tokens, and credentials.

Why it matters

Secrets in client-side code are visible to every user of your app. A Supabase ANON key with disabled RLS, an OpenAI key, or a Stripe key can be extracted from your page source in seconds.

Flagged when

Patterns matching Supabase ANON keys, service role keys, OpenAI API keys (sk-), JWT tokens, Bearer tokens, AWS access keys (AKIA), or generic API key patterns in client-accessible source.

Sensitive Paths in robots.txt

Low
What it checks

Fetches and analyzes your robots.txt file for paths that suggest sensitive internal routes.

Why it matters

robots.txt is meant to guide search crawlers, but it also tells attackers exactly which paths exist in your app. Paths like /admin, /api, /dashboard, /internal listed in robots.txt are a roadmap for an attacker.

Flagged when

Paths like /admin, /api, /internal, /dashboard, /staff, /superuser, or similar present in robots.txt.

Was this helpful?
← How It WorksNext: Interpreting Results →