Shipped something with Claude, Cursor, or v0 at 2am? We probe the things you probably forgot about. Verify ownership once, get a graded report in as little as 60 seconds.
Built for the generation that ships first and asks questions later.
50+ checks across 8 modules — and more added regularly. Most apps fail at least four on the first scan. That's fine — we tell you exactly which ones, in plain English, with fix priority.
HSTS, CSP, X-Frame-Options, the alphabet soup that decides whether a stranger can iframe your login screen.
Expired certs, weak cipher suites, outdated protocol versions. We run sslyze so you don't find out from your users.
API keys, tokens, and passwords committed to your repo history — then forgotten. We scan every commit, not just HEAD.
Publicly-readable tables and storage buckets with row-level security left off — the classic vibe-coded Supabase leak that hands strangers your data.
Login endpoints, reset flows, and public APIs. We probe to see if an attacker could hammer them without getting blocked.
API keys and tokens shipped in your front-end JavaScript bundle, plus a Nuclei sweep for thousands of known-vulnerability and exposure templates on deep scans.
You give us a URL. We do the rest. If you can paste a link, you can run a security audit.
Verify ownership with a single DNS TXT record or a meta tag. Takes about 90 seconds, only required for active scans.
50+ checks across 8 modules. Active mode probes your real endpoints — non-destructive, we never modify your data.
Each issue is rated by severity and reachability. We tell you what to fix first and copy-paste the exact code or config.
One free passive scan a month, no card required. Pay only if you want active probes, a public badge, or continuous monitoring on every deploy.
Passive scan, basic report. Good enough to know if you're actually in trouble.
Full active audit. The "I'm launching Tuesday and want to be sure" tier.
For sites under active development. Catches regressions before users do.
A real, verifiable badge for your landing page. Clicks through to a public report (the friendly version — fixed issues only, no juicy attack surface).
<a href="https://www.vibe-check-app.com/report/…/public">
<img src="https://www.vibe-check-app.com/api/badge/…/image"
alt="Vibe-Checked" height="34" />
</a>Drag, drop, deploy. We handle the rest — backend, scaling, auth, all the wires you don't want to think about.
You've already shipped. We're just asking if you'd like to know what's underneath.