This is a sample report. Scan your own app to get real results in under 60 seconds — free.
VibeScan/Sample Report

Security Scan Report

mvp-tracker.lovable.appScanned May 20, 202510 checks run
32/100
F
Security grade
2
Critical
1
High
2
Medium
5
Passed

Findings

Critical

Supabase anon key exposed in JavaScript bundle

Full fix guide →

Found in /static/js/main.abc123.js at line 1247

NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsIn...
Risk

Combined with missing RLS, anyone can query your entire database without authentication.

AI Fix Prompt

Enable Row Level Security on all Supabase tables. Go to Table Editor → select each table → toggle Enable RLS. Add policies using auth.uid() = user_id to restrict each user to their own rows. Confirm no table returns data without an auth token.

Critical

Row Level Security not detected on Supabase tables

Full fix guide →

API returned full user dataset without auth token in request

GET https://xyzcompany.supabase.co/rest/v1/users → 200 OK (unauthenticated)
Risk

Any authenticated user can SELECT * from any table and retrieve all records.

AI Fix Prompt

Enable RLS on every Supabase table and add per-user access policies. Use the SQL editor to run: ALTER TABLE users ENABLE ROW LEVEL SECURITY; then CREATE POLICY for each table.

High

Wildcard CORS policy on /api routes

Full fix guide →

Access-Control-Allow-Origin: * returned on all /api/* endpoints

Access-Control-Allow-Origin: *
Risk

Any website can make authenticated API requests on behalf of your logged-in users.

AI Fix Prompt

Replace Access-Control-Allow-Origin: * with your specific domain in next.config.js. Set headers in the async headers() function targeting /api/:path* routes.

Medium

Missing Strict-Transport-Security header

No HSTS header found in HTTP response headers

Strict-Transport-Security header: absent
Risk

Browsers won't enforce HTTPS-only connections, enabling man-in-the-middle attacks on public WiFi.

AI Fix Prompt

Add Strict-Transport-Security: max-age=31536000; includeSubDomains to your response headers in next.config.js.

Medium

No Content-Security-Policy header

CSP header missing from all page responses

Content-Security-Policy header: absent
Risk

XSS attacks can load external scripts without restriction, enabling session hijacking.

AI Fix Prompt

Add a Content-Security-Policy header in next.config.js. Start with: default-src 'self'; script-src 'self' 'unsafe-inline'; then tighten as needed.

Passed checks

HTTPS enforced
All pages served over HTTPS. Valid TLS certificate.
X-Content-Type-Options set
nosniff header present. Prevents MIME-type sniffing attacks.
X-Frame-Options set
DENY header present. Prevents clickjacking via iframes.
Referrer-Policy set
strict-origin-when-cross-origin. Controls referrer header leakage.
No service role key detected
Supabase service_role key not found in public JavaScript.
This was a sample

Is your app exposing the same issues?

Scan your Lovable, Bolt, Cursor, or Replit app free in under 60 seconds. No account. No credit card.

Scan my app free →See pricing