Scanning live · 4 sites checked

Your app passed the vibe check.
But did it pass a security check?

Shipped something with Claude, Cursor, or v0 at 2am? We probe the things you probably forgot about. Verify ownership once, get a graded report in as little as 60 seconds.

https://
Scan now
◯ Free scan ~60 s · active 2–3 min · deep up to 7 min◯ Ownership verified once, then you're done◯ Non-destructive · we never modify your data
built for the
"ship first, ask later"
generation

Built for the generation that ships first and asks questions later.

18 scans run
! avg 8.3 vulnerabilities found
6 repo scans run
🔑9 secrets caught
~ free scan in ~60s
$ from $0, no card needed
vercel deploysnext.js appssupabase backendsstripe checkoutsclerk authrailway servicesopenai wrappersanthropic agentsfly.io edgescloudflare workersvercel deploysnext.js appssupabase backendsstripe checkoutsclerk authrailway servicesopenai wrappersanthropic agentsfly.io edgescloudflare workers
What we check

The boring stuff your AI didn't think about.

50+ checks across 8 modules — and more added regularly. Most apps fail at least four on the first scan. That's fine — we tell you exactly which ones, in plain English, with fix priority.

SSL

SSL & security headers

HSTS, CSP, X-Frame-Options, the alphabet soup that decides whether a stranger can iframe your login screen.

strict-transport-securitycontent-security-policy
TLS

TLS & certificate health

Expired certs, weak cipher suites, outdated protocol versions. We run sslyze so you don't find out from your users.

cert expirycipher suitesprotocol versions

Git secret scanning

API keys, tokens, and passwords committed to your repo history — then forgotten. We scan every commit, not just HEAD.

full historystripe keysaws credentials
DB

Exposed Supabase backend

Publicly-readable tables and storage buckets with row-level security left off — the classic vibe-coded Supabase leak that hands strangers your data.

rest tablesstorage bucketsmissing RLS

Rate limiting

Login endpoints, reset flows, and public APIs. We probe to see if an attacker could hammer them without getting blocked.

login brute-forcereset abuseapi throttling
KEY

Leaked secrets & known CVEs

API keys and tokens shipped in your front-end JavaScript bundle, plus a Nuclei sweep for thousands of known-vulnerability and exposure templates on deep scans.

js bundle keysnuclei templatesknown cves
How it works

Three steps. No setup. No SDK to install.

You give us a URL. We do the rest. If you can paste a link, you can run a security audit.

STEP 01

Paste your URL.

Verify ownership with a single DNS TXT record or a meta tag. Takes about 90 seconds, only required for active scans.

https://my-app.com
domain verified✓ OK
STEP 02

We probe, test, simulate.

50+ checks across 8 modules. Active mode probes your real endpoints — non-destructive, we never modify your data.

tls/hstsPASS
csp policyFAIL
rate limitingFAIL
secrets scanPASS
nuclei templatesrunning…
STEP 03

Get a prioritized fix list.

Each issue is rated by severity and reachability. We tell you what to fix first and copy-paste the exact code or config.

P0Supabase table exposed
P1Missing CSP header
P1No rate limiting on login
P2X-Frame-Options missing
P3Server header leaks
Pricing

One-off audit, or always-on. Your call.

One free passive scan a month, no card required. Pay only if you want active probes, a public badge, or continuous monitoring on every deploy.

Free
$0

Passive scan, basic report. Good enough to know if you're actually in trouble.

  • Passive HTTP header analysis
  • Security headers & TLS checks
  • 1 URL, 1 scan per month
  • Plain-text report (web only)
  • No badge, no PDF, no monitoring
Run free scan →
One-off most picked
$15/ scan

Full active audit. The "I'm launching Tuesday and want to be sure" tier.

  • Active-mode checks: backend exposure, leaked secrets, rate-limiting
  • Shareable HTML report + PDF export
  • "Vibe-Checked ✓" badge, valid 30 days
  • 1 URL, 1 successful scan included
  • 30-day unlock — reverts to Free afterward
Buy a scan →
Monitoring
$35/ month

For sites under active development. Catches regressions before users do.

  • Everything in One-off, unlimited scans
  • GitHub integration for repo secret scanning
  • Deploy-triggered re-scans via webhook
  • Email alerts on completed scans
  • Badge renewed on each re-scan
  • Up to 5 URLs, 5 connected repos
Start monitoring →
The badge

Show your users you actually checked.

A real, verifiable badge for your landing page. Clicks through to a public report (the friendly version — fixed issues only, no juicy attack surface).

Vibe-Checkedv1 · jun 2026Vibe-CheckedGrade A · 2026
drop-in snippet:
<a href="https://www.vibe-check-app.com/report/…/public">
  <img src="https://www.vibe-check-app.com/api/badge/…/image"
       alt="Vibe-Checked" height="34" />
</a>
https://acme-app.com
▲ acme

The fastest way to ship what's in your head.

Drag, drop, deploy. We handle the rest — backend, scaling, auth, all the wires you don't want to think about.

Get started →See demo
Vibe-Checked
▼ Last thing

Ship with confidence.
As little as 60 seconds.

You've already shipped. We're just asking if you'd like to know what's underneath.

https://
Scan now
◯ Free scan◯ Verify once, scan anytime◯ as little as 60 s