Is your vibe-coded site safe to ship?

Paste your URL. In seconds you get a Ship-Safe Score and every real problem your AI agent left behind, from exposed API keys to missing security headers, each with a copy-paste fix prompt. Free, no signup to scan.

Scan your site

Free. No signup. We never attack your site or ask you to upload anything.

This is a free website security scanner built for people shipping AI-generated code. It reads what your site already exposes publicly (no attacks, no uploads) and reports exposed API keys and secrets, missing security headers, weak TLS, unsafe cookies and CORS, exposed files, and email DNS gaps, plus a Slop Score for copy that reads AI-made. Every finding is shown in full, free, with a fix prompt you can paste into Claude Code or Cursor.

What it checks

Around 20 passive checks tuned for AI-generated code. No attacks, no uploads.

Secrets and keys

  • CriticalExposed API keys and secretsLive Stripe, OpenAI, AWS, GitHub, and SendGrid keys left in your HTML or JavaScript bundles, where anyone can copy them.
  • CriticalSupabase service_role key exposureThe single worst vibe-coding leak: we decode JWTs and flag a service_role key in the browser, which bypasses all your database security.
  • CriticalHardcoded JWTs and private keysSession tokens and private key blocks shipped in client code.

Headers and transport

  • ConfigurationSecurity headersCSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy, graded the way securityheaders.com does.
  • TransportHTTPS and TLS certificateExpired, self-signed, or legacy-protocol certificates, and whether http redirects to https.
  • TransportMixed contentInsecure http resources loaded on a secure https page.

Cookies, CORS, and exposure

  • ConfigurationCookie security flagsSession cookies missing HttpOnly, Secure, or SameSite.
  • VulnerabilityCORS misconfigurationA wildcard cross-origin policy combined with credentials.
  • VulnerabilityExposed filesA publicly reachable .env, .git directory, or macOS .DS_Store, verified by content not just status code.
  • ConfigurationSource maps in productionBuild maps that hand out your original, unminified source.

DNS, email, and slop

  • InfrastructureEmail DNS (SPF, DMARC, CAA)Records that stop others spoofing email from your domain, and limit who can issue your certificates.
  • InfrastructureVersion disclosureServer headers that advertise exact software versions.
  • SlopSlop ScoreThe tells that give away AI-written copy: em-dash pileups, buzzword phrasing, leftover placeholder text, and missing metadata.

We show you everything. Free.

No "upgrade to see your criticals." The findings are yours. One email gets you the report and the all-in-one fix prompt.

Free, no account

  • Your Ship-Safe Score and letter grade
  • Your Slop Score
  • Every finding, named and explained in plain English
  • A sample copy-paste fix prompt for your top issues

One email unlocks

  • The full report, emailed to you
  • A single copy-paste fix prompt for every finding
  • A record you can re-scan against later

The kit fixes the cause

  • Makes your AI agent ask before it builds
  • Stops it shipping keys and slop in the first place
  • The prevention, not just the patch

Common questions

Is the scan really free?

Yes. Every finding is shown in full on the page, free, with no account. We never hide what we found behind a paywall. One optional email gets you a downloadable report and a single fix prompt for every issue at once.

Do you attack my site?

No. The scanner is passive. It reads only what your site already returns to any visitor: response headers, your public HTML and JavaScript, TLS certificate details, and public DNS records. It never sends attack payloads, tries to log in, or probes for injection. It also never asks you to upload anything.

What is the Ship-Safe Score?

A 0 to 100 security score with a letter grade, weighted by how serious each finding is. A well-configured site can and should score in the A range. There is no manufactured panic here: a clean result is reported as clean.

Why does it care about AI slop?

Because this scanner is built for AI-generated sites, and AI-written copy has tells that reviewers and customers notice: em-dash pileups, buzzword phrasing, and leftover placeholder text. The Slop Score is a separate score so you can see both how safe and how human your site reads.

What is the single most important thing it finds?

Exposed secrets, especially a Supabase service_role key or a live payment or AI provider key sitting in your frontend code. This is the most common and most damaging mistake in vibe-coded apps, and it is exactly what the scanner is tuned to catch.

How is this different from checkvibe or other scanners?

Three ways. Every finding is free, not just the count. Each fix prompt is written to make your agent work carefully, one change at a time. And every finding links back to the cause: the workflow that made your agent ship it, and how the kit prevents it next time.