What VibeScan checks
Every scan runs 8 automated security checks against your live app. Here is exactly what each one looks for and why it matters.
HTTPS Enforcement
CriticalVerifies that your app is served over HTTPS, not HTTP.
Without HTTPS, all data transmitted between your users and your app — including passwords, session tokens, and personal information — travels as plaintext. Anyone on the same network can read it.
App URL responds over HTTP, or redirects are not properly configured to force HTTPS.
CORS Policy
HighChecks the Access-Control-Allow-Origin response header for wildcard (*) or overly permissive values.
A wildcard CORS policy allows any website on the internet to make authenticated requests to your API on behalf of your users. An attacker's site can silently read your users' data or perform actions as them.
Access-Control-Allow-Origin: * appears in any response header.
X-Frame-Options
MediumChecks for the X-Frame-Options response header.
Without this header, your app can be embedded in an invisible iframe on a malicious website. Attackers use this for clickjacking — tricking users into clicking buttons they can't see.
X-Frame-Options header is missing from the response.
Content-Security-Policy
MediumChecks for the Content-Security-Policy (CSP) response header.
CSP defines which scripts, styles, and resources are allowed to load on your page. Without it, a cross-site scripting (XSS) vulnerability lets an attacker run any script — including ones that steal your users' sessions.
Content-Security-Policy header is missing from the response.
Strict-Transport-Security (HSTS)
MediumChecks for the Strict-Transport-Security header.
HSTS tells browsers to always use HTTPS for your domain, even if the user types http://. Without it, a first connection could happen over HTTP, interceptable by a network attacker.
Strict-Transport-Security header is missing from the HTTPS response.
X-Content-Type-Options
LowChecks for the X-Content-Type-Options: nosniff header.
Without this header, browsers may try to "sniff" the content type of a file and execute it as a different type. For example, a text file uploaded by a user might be interpreted and executed as HTML.
X-Content-Type-Options header is missing.
Exposed Secrets in Page Source
CriticalScans the page HTML and loaded JavaScript for patterns matching API keys, tokens, and credentials.
Secrets in client-side code are visible to every user of your app. A Supabase ANON key with disabled RLS, an OpenAI key, or a Stripe key can be extracted from your page source in seconds.
Patterns matching Supabase ANON keys, service role keys, OpenAI API keys (sk-), JWT tokens, Bearer tokens, AWS access keys (AKIA), or generic API key patterns in client-accessible source.
Sensitive Paths in robots.txt
LowFetches and analyzes your robots.txt file for paths that suggest sensitive internal routes.
robots.txt is meant to guide search crawlers, but it also tells attackers exactly which paths exist in your app. Paths like /admin, /api, /dashboard, /internal listed in robots.txt are a roadmap for an attacker.
Paths like /admin, /api, /internal, /dashboard, /staff, /superuser, or similar present in robots.txt.