Security checks
Every check, one scan.
VibeSafely runs 26 checks across 7 categories in a single read-only pass — from Supabase RLS and secrets in your bundle to SEO, AEO, accessibility and uptime — each finding with a copy-paste fix.
Supabase RLS off — unauthorized data read
Queries your Supabase tables with the public anon key and reports whether rows actually come back (the #1 vibe-coded leak), rather than only checking that Row-Level Security is declared. A table with RLS enabled but no anon policy answers with an empty result, so only an observed row counts as a leak.
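The probe that check performs, as an added example in Node.js (not VibeSafely's own code): one `select=*` request per table through Supabase's PostgREST endpoint with the anon key as both `apikey` and bearer token, and a classifier that treats a 200 with rows as a leak, a 200 with `[]` as "no rows observed" (RLS with no permissive policy looks exactly like an empty table), and 401/403 as denied. The project URL, anon key and table names are placeholders, and `fetchImpl` is injected so the logic runs offline against constructed responses.

```javascript
// Added example, not VibeSafely's code. Placeholder URL/key/tables; fetchImpl
// is injected so the flow can be exercised against constructed responses.

// Classify one table's answer. RLS enabled with no permissive policy returns
// 200 and an empty array rather than an error, so only observed rows are a leak.
function classifyResponse(table, status, text) {
  let body = null;
  try { body = JSON.parse(text); } catch (e) { body = null; }
  if (status === 200 && Array.isArray(body)) {
    return body.length > 0
      ? { table, verdict: 'LEAK', rows: body.length, columns: Object.keys(body[0]) }
      : { table, verdict: 'NO_ROWS' };
  }
  if (status === 401 || status === 403) return { table, verdict: 'DENIED', status };
  if (status === 404) return { table, verdict: 'NOT_FOUND', status };
  return { table, verdict: 'UNKNOWN', status, detail: body && body.message };
}

// The same request supabase-js issues for from(table).select('*').limit(5):
// the anon key travels in the apikey header and as the bearer token.
async function probeTable(projectUrl, anonKey, table, fetchImpl) {
  const base = projectUrl.replace(/\/$/, '');
  const url = `${base}/rest/v1/${encodeURIComponent(table)}?select=*&limit=5`;
  const res = await fetchImpl(url, {
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  });
  return classifyResponse(table, res.status, await res.text());
}

// Constructed stand-in for fetch: maps the table name in the path to a canned reply.
function fakeFetch(routes) {
  return async (url) => {
    const table = new URL(url).pathname.split('/').pop();
    const r = routes[table] || { status: 404, body: { message: 'relation does not exist' } };
    return { status: r.status, text: async () => JSON.stringify(r.body) };
  };
}

async function demo() {
  const fetchImpl = fakeFetch({
    profiles: { status: 200, body: [{ id: 1, email: 'a@example.com' }] }, // RLS off: rows leak
    orders: { status: 200, body: [] },                                     // RLS on, no anon policy
    secrets: { status: 403, body: { message: 'permission denied for table secrets' } },
  });
  const out = [];
  for (const table of ['profiles', 'orders', 'secrets', 'missing']) {
    out.push(await probeTable('https://example.supabase.co', 'anon-key-placeholder', table, fetchImpl));
  }
  return out;
}
```

Against a real project, pass `globalThis.fetch` as `fetchImpl`; the `NO_ROWS` verdict is deliberately not reported as safe, because it is also what an empty, unprotected table returns.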
Supabase Storage publicly accessible
Checks Supabase Storage buckets for public listing and unauthenticated object reads.
Firebase open security rules / exposed config
Detects Firebase config exposed in the client bundle and uses it to test Realtime Database security rules for unauthenticated read and write access.
Firestore open security rules (public read)
Probes Firestore for `allow read` rules that expose collections to any visitor.
Hardcoded secrets in client bundle
Scans the shipped JavaScript bundle for API keys, tokens and service-role secrets baked into the browser.
Exposed source maps
Finds `.map` files that republish your original source — comments, secrets and all — in production.
Exposed sensitive files
Looks for `.env`, `.git`, backups, dumps and config files left reachable on the host.
Verbose error / stack-trace disclosure
Triggers safe error paths to catch stack traces and framework internals leaking to users.
Exposed debug / admin endpoints
Finds debug routes, admin panels and dev tooling left mounted in production.
JWT signed with a weak/default secret
Tries the JSON Web Tokens the site issues against a list of weak and default HMAC signing secrets; a recovered secret lets anyone mint a valid session for any user.
Next.js middleware auth bypass (CVE-2025-29927)
Sends the `x-middleware-subrequest` header that, on unpatched Next.js versions, makes the framework skip middleware (and any authentication it enforces) entirely.
Insecure cookie flags
Audits session cookies for missing Secure, HttpOnly and SameSite protections.
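The audit that check runs over `Set-Cookie` headers, as an added example in JavaScript (not VibeSafely's code): parse each header, guess which cookies carry a session from their name, and report missing `Secure`, missing `HttpOnly` on session cookies, an absent `SameSite`, and `SameSite=None` without `Secure`. The sample headers and the session-name heuristic are constructed for the example.

```javascript
// Added example, not VibeSafely's code. Sample headers and the name heuristic
// are constructed for illustration.

// Split one Set-Cookie header into its name and the flags we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = { secure: false, httpOnly: false, sameSite: null };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') flags.secure = true;
    else if (key === 'httponly') flags.httpOnly = true;
    else if (key === 'samesite') flags.sameSite = (v || '').trim().toLowerCase();
  }
  return { name, ...flags };
}

// Heuristic: names that usually hold a session or bearer credential.
const SESSION_HINT = /sess|token|auth|jwt|sid/i;

function auditCookies(setCookieHeaders) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    const isSession = SESSION_HINT.test(c.name);
    const problems = [];
    if (!c.secure) problems.push('missing Secure');
    if (isSession && !c.httpOnly) problems.push('missing HttpOnly');
    if (c.sameSite === null) {
      problems.push('missing SameSite (Chromium defaults to Lax, other browsers may not)');
    } else if (c.sameSite === 'none' && !c.secure) {
      problems.push('SameSite=None requires Secure or the cookie is rejected');
    }
    if (problems.length) findings.push({ cookie: c.name, session: isSession, problems });
  }
  return findings;
}

// Constructed Set-Cookie headers as a scanner would read them off a login response.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/',
  'session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; SameSite=Lax',
  'auth_token=eyJhbGciOi; Secure; SameSite=None',
];
```

Only the first and last entries are session cookies, so `theme` is reported for the missing `Secure` flag but not for `HttpOnly`, which client-side code may legitimately need to read.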
Open redirect
Finds redirect parameters attackers can point at phishing or token-stealing destinations.
CORS misconfiguration
Detects permissive CORS (reflected origins, wildcard with credentials) that exposes authenticated APIs.
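How that detection works, as an added JavaScript example (not VibeSafely's code): send the same request with several attacker-chosen `Origin` values (a foreign origin, your host as a subdomain of a foreign one, a foreign host that merely ends with yours, and `null`) and classify what comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials`. The three constructed servers stand in for a reflecting deployment, a suffix-matching allow-list and a strict one; `request` is a synchronous stand-in for the real fetch.

```javascript
// Added example, not VibeSafely's code. The fake servers and the probe
// origins are constructed; request(origin) stands in for an awaited fetch.

// Classify one response given the Origin that was sent. Header names are lowercase.
function classifyCors(probeOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const withCreds = (headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return { severity: 'none', reason: 'no CORS headers' };
  if (acao === '*') {
    // Browsers refuse '*' with credentials, so it is not exploitable for
    // authenticated reads, but it signals a copy-pasted config worth reporting.
    return withCreds
      ? { severity: 'low', reason: 'wildcard origin with credentials (browsers reject the combination)' }
      : { severity: 'info', reason: 'wildcard origin without credentials' };
  }
  if (acao === 'null') {
    // Sandboxed iframes and some redirects send Origin: null, so this is attacker-reachable.
    return withCreds
      ? { severity: 'high', reason: 'null origin allowed with credentials' }
      : { severity: 'low', reason: 'null origin allowed without credentials' };
  }
  if (acao === probeOrigin) {
    return withCreds
      ? { severity: 'high', reason: `attacker origin ${probeOrigin} reflected with credentials` }
      : { severity: 'medium', reason: `attacker origin ${probeOrigin} reflected without credentials` };
  }
  return { severity: 'none', reason: `fixed allow-list origin ${acao}` };
}

// Origins that catch reflection, prefix/suffix matching bugs and null handling.
function probeOrigins(targetHost) {
  return [
    'https://evil.example',
    `https://${targetHost}.evil.example`, // passes a startsWith() check
    `https://evil${targetHost}`,          // passes an endsWith() check
    'null',
  ];
}

// request(origin) returns the response headers for a request carrying that Origin.
function auditCors(targetHost, request) {
  const results = [];
  for (const origin of probeOrigins(targetHost)) {
    const r = classifyCors(origin, request(origin));
    if (r.severity !== 'none') results.push({ origin, ...r });
  }
  return results;
}

// Constructed servers for the demonstration.
const reflectingServer = (origin) => ({
  'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true',
});
const suffixMatchServer = (origin) => (origin.endsWith('app.example')
  ? { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' }
  : {});
const strictServer = (origin) => (origin === 'https://app.example'
  ? { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' }
  : {});
```

The suffix-matching server only falls to the `https://evilapp.example` probe, which is why a single `Origin: https://evil.example` test is not enough.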
Insecure credential form
Flags password forms that submit over plain HTTP or to a third-party origin, leaking credentials in transit.
Missing security headers
Grades CSP, HSTS, X-Frame-Options, X-Content-Type-Options and friends against best practice.
GraphQL introspection exposed
Detects publicly enabled GraphQL introspection that hands attackers your full schema.
Missing Subresource Integrity (SRI)
Flags third-party scripts and styles loaded without an integrity hash — a supply-chain risk if the CDN is compromised.
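The scan that check performs over the served HTML, as an added JavaScript example (not VibeSafely's code): collect `<script src>` and `<link rel="stylesheet" href>` tags, skip same-origin resources, and report cross-origin ones with no `integrity` attribute, a malformed one, or an `integrity` without `crossorigin` (the browser cannot verify a no-cors response and refuses the load). The sample page and CDN hostnames are constructed.

```javascript
// Added example, not VibeSafely's code. Sample HTML and hostnames are constructed.

// Minimal attribute parser for a single tag body (handles quoted and bare values).
function parseAttrs(s) {
  const out = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s))) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return out;
}

// One or more space-separated sha256/384/512 digests, as the SRI spec allows.
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/=]+(\s+sha(256|384|512)-[A-Za-z0-9+/=]+)*$/;

function findMissingSri(html, pageOrigin) {
  const findings = [];
  const origin = new URL(pageOrigin).origin;
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html))) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const url = tag === 'script'
      ? attrs.src
      : (/(^|\s)stylesheet(\s|$)/i.test(attrs.rel || '') ? attrs.href : undefined);
    if (!url) continue;
    const abs = new URL(url, pageOrigin);
    if (abs.origin === origin) continue; // same-origin assets are not a CDN supply-chain risk
    if (!attrs.integrity) {
      findings.push({ tag, url: abs.href, problem: 'no integrity attribute' });
    } else if (!INTEGRITY_RE.test(attrs.integrity.trim())) {
      findings.push({ tag, url: abs.href, problem: 'malformed integrity value' });
    } else if (!('crossorigin' in attrs)) {
      findings.push({ tag, url: abs.href, problem: 'integrity present but crossorigin missing (browser will block the load)' });
    }
  }
  return findings;
}

// Constructed page: one clean include, two without hashes, one that will fail to load.
const SAMPLE_HTML = `
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-abc123" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example.org/a.css">
<link rel="preload" href="https://cdn.example.net/x.js" as="script">
<script src="https://cdn.example.net/nocors.js" integrity="sha256-zzz"></script>
`;
```

Generating the fix is mechanical: fetch the resource, hash it with SHA-384, and emit `integrity="sha384-<base64>" crossorigin="anonymous"`; the hash must be regenerated whenever the CDN file changes.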
Subdomain takeover
Looks for dangling DNS pointing at unclaimed services an attacker could register and take over.
Email spoofing protection (SPF/DMARC)
Checks SPF, DKIM and DMARC so attackers can't send mail as your domain.
SEO scanner
Grades indexability, metadata, structured data and crawlability so search engines can rank you.
AEO scanner (AI visibility)
Checks whether AI answer engines — ChatGPT, Claude, Perplexity — can crawl, parse and cite your site.
Accessibility (WCAG)
Runs axe-core WCAG 2.x checks across structure, forms, navigation and media.
Performance & Core Web Vitals
Measures TTFB, FCP, LCP and page weight from a real headless page load.
Availability
Confirms the site is reachable and responding, flagging downtime and server errors.
Privacy & tracking
Flags third-party trackers, data sharing and missing privacy / cookie-consent signals.
Run every check in 30 seconds.
Paste your URL and get a complete report — every finding with a copy-paste fix prompt for your AI editor.