Is your AI-built app leaking secrets?
Paste your URL. We read only what your site already shows the public — bundles, headers, exposed files — and tell you what an attacker would find first. Free, no login, about a minute.
We never log in, submit forms, or touch your database — that needs your verified permission. See a sample report.
What the free scan checks
Exposed secrets in your bundles
Stripe, OpenAI, Anthropic and AWS keys, private keys, and Supabase service-role tokens shipped to the browser — each validated by prefix, length and entropy (and screened against known demo keys) before we ever call it critical.
Reachable config & repo files
Whether /.env, /.git or config.json are served to the public — confirmed to be the real file, not a single-page-app catch-all that returns HTML for everything.
Missing security headers
Gaps in Content-Security-Policy, HSTS, X-Frame-Options and X-Content-Type-Options on your live responses.
Credentialed CORS wildcard
Access-Control-Allow-Origin: * combined with credentials — a configuration that hands any site your authenticated responses.
Production source maps
A sourceMappingURL left in shipped JavaScript, which re-exposes your original, un-minified source to anyone.
HTTPS / TLS transport
We read your site only over its live, certificate-validated HTTPS connection — and a missing HSTS header that would weaken it is flagged above.
No false alarms. Supabase anon keys and Firebase web config are public by design — we never flag their mere presence as critical. Whether your access rules are actually open is provable only by an authorized active scan.
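How the validation steps described above (prefix, length, entropy, demo-key screening) and the anon-versus-service-role distinction fit together, as an added Python example that is not the scanner's own code; the length thresholds, entropy cutoff, demo key and bundle fragment are constructed for illustration.

```python
import base64, json, math, re
from collections import Counter

# (prefix, minimum body length, severity); lengths are constructed thresholds, not vendor specs
PREFIXES = [
    ("sk_live_", 24, "critical"),  # Stripe live secret key
    ("sk-ant-", 24, "critical"),   # Anthropic key; must precede the bare OpenAI "sk-"
    ("sk-", 24, "critical"),       # OpenAI key
    ("AKIA", 16, "critical"),      # AWS access key id
]
ENTROPY_MIN = 3.5  # bits per character; constructed threshold
KNOWN_DEMO = {"sk_live_DEMO4KEY7FROM2PUBLIC9DOCS3ONLY"}  # constructed stand-in for a vendor demo key
CANDIDATE_RE = re.compile(r"(?:sk_live_|sk-ant-|sk-|AKIA|eyJ)[A-Za-z0-9_.\-]+")

# Constructed bundle fragment: a placeholder, a realistic-looking key and a Supabase anon JWT.
SAMPLE_BUNDLE = (
    'var stripe = Stripe("sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");\n'
    'fetch(api, {headers: {Authorization: "Bearer sk_live_9aK3xQ7mZ2pL8vR4tN6wB1yH5cJ0dF"}});\n'
    'var sb = createClient(url, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.sig");'
)

def shannon_entropy(s):  # bits per character; an all-x placeholder scores 0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def jwt_role(token):  # read the 'role' claim without verifying the signature
    try:
        payload = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))).get("role")
    except (IndexError, ValueError):
        return None

def classify(candidate):  # -> (severity, reason); "ignore" means not reported
    if candidate in KNOWN_DEMO:
        return "ignore", "known demo key"
    if candidate.startswith("eyJ"):  # Supabase keys are JWTs; only the role decides severity
        return {"service_role": ("critical", "Supabase service-role token"),
                "anon": ("info", "Supabase anon key (public by design)")}.get(
            jwt_role(candidate), ("ignore", "JWT without a recognised Supabase role claim"))
    for prefix, min_len, severity in PREFIXES:
        if candidate.startswith(prefix):
            body = candidate[len(prefix):]
            if len(body) < min_len or shannon_entropy(body) < ENTROPY_MIN:
                return "ignore", "too short or low entropy: probably a placeholder"
            return severity, "%s key" % prefix.rstrip("_-")
    return "ignore", "no known prefix"

def scan_bundle(text):  # -> [(candidate, severity, reason)] for reportable candidates only
    return [(c,) + classify(c) for c in CANDIDATE_RE.findall(text) if classify(c)[0] != "ignore"]
```

Running `scan_bundle(SAMPLE_BUNDLE)` reports the realistic Stripe key as critical and the anon JWT as informational only, while the all-x placeholder is dropped by the entropy check.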