Find what your AI coder left exposed.
Tools like Lovable, Bolt, Cursor and Claude Code ship fast, but nearly half of AI-generated code carries a security flaw. Paste a URL and Vibe Scan checks for leaked API keys, open databases, missing headers and the mistakes vibe-coded apps make most.
Six layers, one public URL.
A full front-end security pass over the vulnerabilities AI-generated apps introduce most. No source code, repo or database access required, just a URL we can reach.
Security headers
The HTTP response policy layer.
Exposed keys
Credentials leaked into shipped JS.
Client-side security
What runs in the visitor's browser.
Vibe-code patterns
Mistakes specific to AI builders.
Exposed files
What's reachable that shouldn't be.
Infrastructure
Transport and config hygiene.
Paste, scan, act.
Paste your URL
Any deployed app with a public address: Lovable, Bolt, Vercel, Netlify, anywhere. No install, no code access.
We scan live
Headers, JavaScript bundles, Supabase config, exposed paths and known CVE patterns, all checked in seconds against your real URL.
Get a fix list
Every finding with a severity, plain-English impact and the exact change to make, graded and shown on screen the moment the scan finishes.
Speed without a security review.
The review your AI tool skipped.
Lovable, Bolt, Cursor, Replit and Claude Code make building astonishingly fast. But they routinely introduce flaws a developer would catch in code review, and most vibe-coded projects never get one.
Vibe Scan is that missing review: the security pass your AI coder should have done, but didn't.
What we find almost every time.
- Service-role keys shipped in client JS (very common)
- Missing Content-Security-Policy (very common)
- Hardcoded OpenAI / Stripe / AWS keys (common)
- .env reachable at the site root (common)
- CORS allowing any origin (frequent)
- Public tables with no RLS policy (frequent)
What to do with the results.
Rotate every exposed credential.
Service-role keys, database passwords, OpenAI and Stripe secrets: rotate them immediately. Every minute they stay public is an open door.
Close the attack surface.
Missing headers, outdated libraries, exposed admin routes. None are a breach alone, but each is a step an attacker can chain into one.
Get a manual audit.
We go past the automated scan, reviewing source, database rules, auth logic and API endpoints across Next.js, React, Svelte and Nuxt.
Request audit
Vibe Scan, answered.
An automated check for apps built with AI coding tools like Lovable, Bolt, Cursor, Claude Code and Replit. It looks for the vulnerabilities those tools introduce most: exposed API keys, missing security headers, open database access, leaked credentials in JavaScript bundles, and misconfigured Supabase or Firebase.
No. It only reads publicly visible signals: HTTP response headers, HTML source, external JavaScript bundles, and whether common sensitive paths are reachable. It never touches your repository, database, or any private resource.
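The checks described above (missing response headers, wildcard CORS, and credentials sitting in a shipped JavaScript bundle, including a Supabase service-role JWT) can be reproduced locally on your own deployment's responses. The following is an added example written for this page, not Vibe Scan's own scanner: the header list, the key regexes, the severity grades and the fix text are the author's assumptions, and the sample headers and bundle are constructed inline so it runs offline. Run it over a saved response and bundle from an app you own to see what a public-signal scan can flag.

```python
import base64
import json
import re

# Response headers a hardened deployment should send (compared case-insensitively).
# This list is an assumption for the example, not Vibe Scan's rule set.
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Key formats named on the page. Prefixes are the publicly documented ones; the
# length bounds are approximate and an assumption of this example.
KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "openai_key": re.compile(r"\bsk-[0-9A-Za-z_-]{20,}\b"),
    "jwt": re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b"),
}


def missing_security_headers(headers):
    """Return the required headers absent from a response header dict."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def cors_allows_any_origin(headers):
    """True when the response reflects a wildcard Access-Control-Allow-Origin."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("access-control-allow-origin", "").strip() == "*"


def jwt_role(token):
    """Read the 'role' claim from a JWT payload without verifying the signature.
    Supabase keys are JWTs; the anon key carries role=anon, the server-only key
    carries role=service_role. Returns None for anything that is not a JWT."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        return payload.get("role")
    except (ValueError, IndexError, AttributeError):
        return None


def find_exposed_keys(js_source):
    """Return (kind, value) pairs for secrets found in a JavaScript bundle.
    An anon-role JWT is expected in client code and is deliberately not reported."""
    findings = []
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.findall(js_source):
            if kind == "jwt":
                if jwt_role(match) == "service_role":
                    findings.append(("supabase_service_role_jwt", match))
                continue
            findings.append((kind, match))
    return findings


def scan(headers, js_source):
    """Combine the checks into a graded fix list (severities are this example's choice)."""
    report = []
    for header in missing_security_headers(headers):
        severity = "high" if header == "content-security-policy" else "medium"
        report.append({"severity": severity, "finding": f"missing header {header}",
                       "fix": f"send {header} on every response"})
    if cors_allows_any_origin(headers):
        report.append({"severity": "medium", "finding": "CORS allows any origin",
                       "fix": "restrict Access-Control-Allow-Origin to your own origins"})
    for kind, value in find_exposed_keys(js_source):
        report.append({"severity": "critical", "finding": f"{kind} in client bundle",
                       "fix": "rotate the key now and move the call server-side",
                       "value": value[:12] + "..."})  # never log the full secret
    return report


def _make_jwt(payload):
    """Build an unsigned JWT-shaped token for the constructed sample (not a real key)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64(payload)}.{'x' * 43}"


# Constructed sample response headers and bundle; the key values are placeholders.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BUNDLE = (
    "const sb = createClient('https://example.supabase.co', '"
    + _make_jwt({"iss": "supabase", "role": "service_role"}) + "');\n"
    "const anonKey = '" + _make_jwt({"iss": "supabase", "role": "anon"}) + "';\n"
    "const s3 = {accessKeyId: 'AKIAEXAMPLEEXAMPLE01'};\n"
    "const stripe = require('stripe')('sk_live_EXAMPLEEXAMPLEEXAMPLE0000');\n"
    "fetch('https://api.openai.com/v1/chat', {headers: {Authorization: "
    "'Bearer sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLE'}});\n"
)

if __name__ == "__main__":
    for item in scan(SAMPLE_HEADERS, SAMPLE_BUNDLE):
        print(f"[{item['severity']:8}] {item['finding']}: {item['fix']}")
```

The JWT role check is the part worth copying: a Supabase anon key in a bundle is normal, so a scanner that flags every JWT drowns the one finding that matters, while decoding the payload and testing for role=service_role isolates the key that bypasses row-level security.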
Any app with a public URL. It is tuned for apps built with Lovable, Bolt.new, Cursor, Claude Code, Replit, Windsurf, v0 and Copilot, plus framework-specific issues in Next.js, React, Vite, Nuxt and Svelte.
Yes, no credit card and no trial period. Results appear on screen the moment the scan finishes. We ask for your name and email so VibeZero can follow up if you want help fixing what is found. We will not spam you.
It reliably catches the most common and dangerous issues: exposed secrets, missing security headers, vulnerable libraries, open database tables, misconfigured paths. It cannot see server-side code, database security rules or authentication logic. For that, request a manual audit.
The scanner only reads public information, so technically yes. Please only scan apps you own or are authorised to test.
Most scans finish in 5 to 15 seconds. Larger apps with many JavaScript files can take up to 20.
Rotate exposed credentials immediately, then prioritise high and medium findings within the week. If you would like help, request a free manual audit and we will go deeper.