Vulnerabilities we catch

The security mistakes vibecoded apps ship with.

The URL scan checks only what the public internet can already see: your deployed pages, bundles, response headers, and API endpoints. The full audit goes deeper into Supabase, Firebase, GitHub, auth flows, and payment-sensitive access.

URL scan

Exposed keys in frontend code

Public JavaScript bundles can carry API keys, tokens, and credentials that were never meant to reach the browser. A Supabase anon key is public by design and is only safe when every table has Row Level Security; a service role key, a Stripe secret key, or any other secret-shaped value is a finding on its own.

Full audit

Missing Row Level Security

Supabase tables with RLS disabled, or enabled with permissive policies, are readable and often writable through the project's REST API by anyone holding the public anon key, which means anyone who has loaded your site.
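
One way the RLS check above can be expressed, as an added example rather than the audit's own code: Supabase exposes every table through PostgREST at /rest/v1/<table>, authenticated by the apikey header plus a Bearer token, so probing a table with nothing but the anon key tells you what an anonymous visitor sees. The project URL, key and table name are placeholders, and the response bodies used in the example are constructed. Note that RLS filtering shows up as an empty array, not an error, so an empty result is inconclusive rather than proof of protection.

```javascript
// Added example, not the audit's own code. PROJECT_URL, ANON_KEY and the
// table names below are placeholders; SAMPLE_BODIES are constructed.
const PROJECT_URL = 'https://abcdefghijkl.supabase.co';
const ANON_KEY = 'anon-key-placeholder';

// Build the same request the supabase-js client would send for select('*').
function buildProbeRequest(projectUrl, anonKey, table) {
  const base = projectUrl.replace(/\/+$/, '');
  return {
    url: `${base}/rest/v1/${encodeURIComponent(table)}?select=*&limit=5`,
    headers: {
      apikey: anonKey,
      Authorization: `Bearer ${anonKey}`,
      Accept: 'application/json',
    },
  };
}

// Turn a PostgREST status + body into a verdict an auditor can act on.
function classifyProbeResponse(table, status, bodyText) {
  // 401: bad/missing key. 403: the anon role has no grant on the table.
  if (status === 401 || status === 403) return { table, verdict: 'denied', status };
  if (status === 404) return { table, verdict: 'not-found', status };
  if (status !== 200) return { table, verdict: 'error', status };
  let rows;
  try {
    rows = JSON.parse(bodyText);
  } catch {
    return { table, verdict: 'error', status };
  }
  if (Array.isArray(rows) && rows.length > 0) {
    // Rows came back to an anonymous caller: RLS is off or a policy allows it.
    return { table, verdict: 'exposed', status, rows: rows.length, columns: Object.keys(rows[0]) };
  }
  // Empty array: RLS may be filtering every row, or the table may be empty.
  return { table, verdict: 'inconclusive', status, rows: 0 };
}

// Live version: wires the two pieces to fetch (injectable for testing).
async function probeTable(projectUrl, anonKey, table, fetchImpl = globalThis.fetch) {
  const req = buildProbeRequest(projectUrl, anonKey, table);
  const res = await fetchImpl(req.url, { headers: req.headers });
  return classifyProbeResponse(table, res.status, await res.text());
}

// Constructed bodies standing in for real PostgREST answers.
const SAMPLE_BODIES = {
  exposed: '[{"id":1,"email":"alice@example.com","stripe_customer":"cus_placeholder"}]',
  filtered: '[]',
};
```

Run probeTable against every table name found in the bundle (the supabase-js `.from('...')` calls are easy to grep for); an "exposed" verdict on a table whose columns include emails, addresses or payment identifiers is the finding the page describes.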

URL scan

Public source maps

Source maps (.map files published beside production bundles) can expose original source files, route names, environment variable names, component logic, and internal app structure.

URL scan

Missing security headers

Missing Content-Security-Policy, X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers leave users without browser-side defenses against injected scripts, clickjacking, MIME sniffing, and URL leakage to third parties.

URL scan

Auth pages saved in cache

Login and password reset pages served without Cache-Control: no-store can be retained by browsers, shared proxies, shared devices, and synced profiles long after the session ends.

URL scan

Weak rate-limit signals

Login, signup, password reset, and API routes that never answer repeated requests with a 429, a delay, or a challenge are easy to spam and brute-force.

URL scan

Public API data exposure

API routes that return account, customer, admin, order, or token-like JSON to requests with no session leak live application data to anyone who finds the URL.

URL scan

CORS on real API responses

A wildcard Access-Control-Allow-Origin on real API responses, or an arbitrary Origin reflected back together with Access-Control-Allow-Credentials: true, lets other websites read responses in a visitor's browser that were meant only for trusted origins.
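
The three header checks above (security headers, cacheable auth pages, and CORS) all run over the same captured response, so here is one audit function for all three as an added example, not the scanner's own code. It takes a response already fetched and turned into a plain object; the sample responses, the app origin and the attacker origin used for the reflection check are constructed. The clickjacking rule accepts either X-Frame-Options or a CSP frame-ancestors directive, and the CORS credential check needs to know which Origin the probe sent, since a single response cannot otherwise show reflection.

```javascript
// Added example, not the scanner's code. Response objects are constructed.
const AUTH_PATH = /\/(login|sign-?in|sign-?up|reset|forgot|password|mfa)\b/i;

function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// resp: { url, status, headers, requestOrigin? } where requestOrigin is the
// Origin header the probe sent (needed to spot reflected-origin CORS).
function auditResponse(resp) {
  const h = lowerHeaders(resp.headers);
  const url = new URL(resp.url);
  const ctype = (h['content-type'] || '').toLowerCase();
  const isHtml = ctype.includes('text/html');
  const isJson = ctype.includes('json');
  const findings = [];
  const add = (id, detail) => findings.push({ id, url: resp.url, detail });

  if (isHtml) {
    const csp = h['content-security-policy'];
    if (!csp) add('missing-csp', 'no Content-Security-Policy');
    if (!h['x-frame-options'] && !(csp && /frame-ancestors/i.test(csp))) {
      add('clickjacking', 'neither X-Frame-Options nor CSP frame-ancestors');
    }
    if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
      add('missing-nosniff', 'X-Content-Type-Options is not nosniff');
    }
    if (!h['referrer-policy']) add('missing-referrer-policy', 'no Referrer-Policy');
    if (!h['permissions-policy']) add('missing-permissions-policy', 'no Permissions-Policy');
    // Auth pages must not be stored by any cache, shared or private.
    if (AUTH_PATH.test(url.pathname)) {
      const cc = (h['cache-control'] || '').toLowerCase();
      if (!/\bno-store\b/.test(cc)) {
        add('auth-page-cacheable', `Cache-Control is "${cc || '(absent)'}", expected no-store`);
      }
    }
  }

  if (isJson) {
    const acao = h['access-control-allow-origin'];
    const acac = (h['access-control-allow-credentials'] || '').toLowerCase();
    if (acao === '*') {
      add('cors-wildcard', 'any origin may read this API response');
    } else if (resp.requestOrigin && acao === resp.requestOrigin && acac === 'true') {
      // Browsers refuse "*" with credentials, so reflecting the caller's
      // Origin is how a credentialed API ends up readable cross-site.
      add('cors-reflected-origin-with-credentials', `reflected ${acao} with credentials`);
    }
  }
  return findings;
}

// Constructed responses: a weak login page, two weak API responses, one fixed page.
const SAMPLES = {
  loginPage: {
    url: 'https://app.example/login', status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'public, max-age=600' },
  },
  apiWildcard: {
    url: 'https://app.example/api/orders', status: 200,
    headers: { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' },
  },
  apiReflected: {
    url: 'https://app.example/api/me', status: 200, requestOrigin: 'https://attacker.example',
    headers: {
      'Content-Type': 'application/json',
      'Access-Control-Allow-Origin': 'https://attacker.example',
      'Access-Control-Allow-Credentials': 'true',
    },
  },
  hardenedLogin: {
    url: 'https://app.example/login', status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
      'X-Content-Type-Options': 'nosniff',
      'Referrer-Policy': 'strict-origin-when-cross-origin',
      'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
      'Cache-Control': 'no-store',
    },
  },
};
```

For the reflection check, send the probe with an Origin you control (the constructed attacker.example here) and pass it as requestOrigin; an API that echoes that origin back with credentials allowed is readable from any site the victim visits while logged in.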

URL scan

Verbose production errors

Stack traces, framework internals, and file system paths in production error responses tell attackers which backend, versions, and dependencies you run.

Full audit

Public storage buckets

Uploaded files, private documents, avatars, invoices, exports, and internal assets can be downloadable without login by anyone who knows or guesses the object URL.

Full audit

Firebase database exposure

Realtime Database and Firestore paths are readable from the public internet when security rules allow unauthenticated reads, for example a top-level ".read": true rule.

Full audit

Firebase storage exposure

Storage buckets and discovered object paths can leak user uploads even when the app UI never shows them.

URL scan + audit

Supabase service role leaks

A service role key bypasses RLS entirely; if it reaches client-side code, anyone who reads the bundle has full read and write access to every table. It belongs only in server-side code and secret storage, never in a frontend build.
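
The exposed-keys check and the service role check above turn on the same question: of the credential-shaped strings in a public bundle, which are harmless and which are critical? Here is an added example of that triage, not the scanner's own code. Supabase's legacy API keys are JWTs whose payload carries an iss of "supabase" and a role claim of either "anon" or "service_role", so decoding the payload (no signature check needed, the string is the secret) separates the two. The sample bundle, its tokens and keys are all constructed; the Stripe and AWS key shapes are well-known prefixes, and the exact suffix lengths used here are an assumption good enough for triage.

```javascript
// Added example, not the scanner's code. Bundle text and every key in it are constructed.

// base64url without relying on a particular Node version's Buffer encodings.
const b64u = {
  encode: (buf) => buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  decode: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64'),
};

// Structurally valid JWT for the sample bundle; the signature is meaningless.
function fakeJwt(payload) {
  const enc = (obj) => b64u.encode(Buffer.from(JSON.stringify(obj)));
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.${b64u.encode(Buffer.from('constructed-signature'))}`;
}

// Constructed stand-in for a minified production chunk.
const SAMPLE_BUNDLE = [
  `const supabase=createClient("https://abcdefghijkl.supabase.co","${fakeJwt({ iss: 'supabase', ref: 'abcdefghijkl', role: 'anon', iat: 1700000000, exp: 2000000000 })}");`,
  `const admin=createClient("https://abcdefghijkl.supabase.co","${fakeJwt({ iss: 'supabase', ref: 'abcdefghijkl', role: 'service_role', iat: 1700000000, exp: 2000000000 })}");`,
  `const stripe=Stripe("sk_live_${'0'.repeat(24)}");`,
  `const s3={accessKeyId:"AKIAIOSFODNN7EXAMPLE"};`,
  `const session="${fakeJwt({ sub: 'user-123', email: 'dev@example.com' })}";`,
].join('\n');

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(b64u.decode(parts[1]).toString('utf8'));
  } catch {
    return null;
  }
}

const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;
const OTHER_PATTERNS = [
  { kind: 'stripe-secret-key', severity: 'critical', re: /sk_live_[0-9a-zA-Z]{24,}/g },
  { kind: 'aws-access-key-id', severity: 'high', re: /AKIA[0-9A-Z]{16}/g },
];

function redact(s) {
  return s.slice(0, 12) + '...' + s.slice(-4);
}

// The role claim decides severity: anon is expected in a bundle, service_role never is.
function classifyJwt(token) {
  const p = decodeJwtPayload(token);
  if (p && p.iss === 'supabase' && p.role === 'service_role') {
    return { kind: 'supabase-service-role', severity: 'critical', ref: p.ref };
  }
  if (p && p.iss === 'supabase' && p.role === 'anon') {
    return { kind: 'supabase-anon', severity: 'info', ref: p.ref }; // safe only with RLS on every table
  }
  return { kind: 'jwt', severity: 'medium' }; // some other token baked into the build; investigate
}

function scanBundle(text) {
  const findings = [];
  for (const m of text.match(JWT_RE) || []) findings.push({ ...classifyJwt(m), value: redact(m) });
  for (const { kind, severity, re } of OTHER_PATTERNS) {
    for (const m of text.match(re) || []) findings.push({ kind, severity, value: redact(m) });
  }
  return findings;
}

const SEVERITY_ORDER = ['info', 'low', 'medium', 'high', 'critical'];
function worstSeverity(findings) {
  return findings.reduce(
    (w, f) => (SEVERITY_ORDER.indexOf(f.severity) > SEVERITY_ORDER.indexOf(w) ? f.severity : w),
    'info'
  );
}
```

Findings are redacted before they are stored or reported, since a scan report that quotes the full service role key is itself a leak. The anon key is still listed, at info severity, because it is the input to the RLS probe above.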

Full audit

GitHub secrets

Repositories, including their commit history, can hold API keys, tokens, database URLs, passwords, and logs that never shipped to the frontend but are still valid.

Full audit

Risky auth code

Repo scans can find weak JWT assumptions, long-lived reset tokens, endpoints that trust a client-supplied user ID, and server routes with no auth check at all.
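
The "trusting a client-supplied user ID" pattern above is the one that audits find most often in generated code, so here is the vulnerable handler beside its fix as an added example (not code from the page or from any project it scans). The in-memory store, the request shape and the ids are assumed for illustration; in a real app the session would come from a verified cookie or JWT.

```javascript
// Added example, not from the page. Store, request shape and ids are assumed.
function makeHandlers() {
  const notes = new Map([
    ['n1', { id: 'n1', ownerId: 'u1', text: 'u1 private note' }],
    ['n2', { id: 'n2', ownerId: 'u2', text: 'u2 note' }],
  ]);

  // Vulnerable: the ownership check compares against a user id the client chose,
  // so any logged-in user deletes anyone's note by naming the owner in the body.
  function deleteNoteVulnerable(req) {
    const note = notes.get(req.params.id);
    if (!note) return { status: 404 };
    if (note.ownerId !== req.body.userId) return { status: 403 };
    notes.delete(note.id);
    return { status: 204 };
  }

  // Hardened: identity comes only from the server-verified session; body ids are ignored,
  // and "not found" and "not yours" get the same answer so ids cannot be enumerated.
  function deleteNoteHardened(req) {
    const userId = req.session && req.session.userId;
    if (!userId) return { status: 401 };
    const note = notes.get(req.params.id);
    if (!note || note.ownerId !== userId) return { status: 404 };
    notes.delete(note.id);
    return { status: 204 };
  }

  return { notes, deleteNoteVulnerable, deleteNoteHardened };
}
```

The repo-scan signal for this bug is any handler that reads a user or account id from req.body, req.query or a route parameter and uses it for authorization instead of the id attached to the verified session.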

URL scan + audit

Dependency and package signals

Frontend bundles and repositories can reveal outdated packages or library versions tied to known vulnerabilities.

URL scan

Open redirects

Unsafe redirect parameters let attackers craft a link that starts on your trusted domain and lands on a phishing page.
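
The fix for the open redirect above is to treat the parameter as a same-origin path and nothing else. Here is the vulnerable version beside a hardened one as an added example, not the page's own code; APP_ORIGIN is an assumed deployment origin. The hardened version goes beyond the obvious "must start with /" check, because the WHATWG URL parser treats a backslash like a slash for http(s) and resolves "/..//host" to a path beginning with "//", either of which would turn a bare path check into a scheme-relative redirect.

```javascript
// Added example, not the page's code. APP_ORIGIN is an assumed deployment origin.
const APP_ORIGIN = 'https://app.example';

// Vulnerable: wherever ?next= points, that is where the Location header sends the user.
function redirectTargetVulnerable(next) {
  return next || '/';
}

// Hardened: only a same-origin path survives; anything else becomes the fallback.
function redirectTargetSafe(next, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return fallback;
  // Control characters have no place in a redirect target (header injection, parser confusion).
  if (/[\u0000-\u001f\u007f]/.test(next)) return fallback;
  // Must be a path: rejects absolute URLs, javascript:, and the //host and /\host forms.
  if (!next.startsWith('/') || next.startsWith('//') || next.startsWith('/\\')) return fallback;
  let parsed;
  try {
    parsed = new URL(next, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Anything the parser resolved to another host is rejected regardless of how it was spelled.
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Re-emit from parsed parts so the raw input never reaches the Location header.
  const out = parsed.pathname + parsed.search + parsed.hash;
  // "/..//evil.example" normalises to pathname "//evil.example", which a browser
  // would read as scheme-relative; catch that after normalisation too.
  if (out.startsWith('//')) return fallback;
  return out;
}
```

If the app legitimately needs to redirect off-origin (an OAuth provider, a billing portal), compare parsed.origin against a short allowlist of full origins rather than matching hostname substrings.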

URL scan

GraphQL introspection

Public schema introspection hands attackers a map of your API: object types, fields, arguments, mutations, and relationships.

URL scan

CSRF-prone forms

Forms that perform sensitive actions without CSRF protection (a per-session token or SameSite cookies) can be submitted on the user's behalf from another website they visit.

URL scan

Subdomain takeover signals

Dangling DNS records pointing at a deprovisioned service let attackers claim that service and host malicious content on your subdomain.

Full audit

Payment and report access mistakes

Paid content, webhook endpoints, or report downloads gated only by frontend checks can be reached directly without a valid paid account.