Find what's leaking in your app — before someone else does.
Free security scanner for vibe-coded and self-hosted apps. Paste a URL — see your grade and which categories are leaking in 30 seconds, no signup. Full evidence (real keys, leaked rows) unlocks with Pro.

Built for devs who ship fast
Every check produces real evidence you can act on. No redacted teasers. No false positives padding the report.
30 seconds to your first finding
1. Paste your URL: drop the link to your app. We auto-detect the platform.
2. Get evidence: the passive scan runs in seconds. Findings include real proof, not vague warnings.
3. Fix, verify, re-scan: each finding ships with a fix. Rescan to confirm it's gone.
Why Protect Your Vibes?
| Feature | Protect Your Vibes | Most scanners |
|---|---|---|
| Real evidence — full keys, leaked rows, .env contents | Yes (Pro) | No (always redacted) |
| Daily monitoring + email alerts on new leaks | Yes (Pro) | Enterprise tier |
| Exportable findings reports (PDF + JSON, OWASP-mapped) | Yes (Pro) | Enterprise tier |
| Copy-paste fix prompts for Cursor / Claude / Copilot | Yes (Pro) | No |
| AI-stack coverage (Lovable, Bolt, v0, Base44) | Yes (Free + Pro) | No |
| Passive scan — no signup, no card | Yes (Free + Pro) | Trial only |
| What it costs you | $0 – $99/yr | $200+/mo |
Sometimes the real fix is bigger than a finding
The deepest vulnerability isn't a leaked API key. It's building your business on infrastructure you don't own — one ToS update, one price hike, one acquisition away from losing everything.
I was paying Base44 $900/month to host an app I built myself. Today I pay $200/month for the same app on infrastructure I own.
One-time migration: $2,500. Break-even in 3.5 months. Year-2+ savings: $8,400/year, every year. Delivered in 7 days.
Best fit: paying $300+/mo to Lovable, Bolt, Base44, or Bubble. Not for hobby projects.
Questions
Is it legal to scan a site I don't own?
Yes — passive scans only read what's publicly linked, same as Google. No different from someone visiting your homepage with browser devtools open. Aggressive probes require you to prove ownership via DNS TXT or file upload.
What counts as a passive scan?
GET-only requests to your homepage, the JavaScript it links to, DNS records, and a small list of well-known public paths (like /.env, /robots.txt, common API routes). Zero POST/PUT/DELETE. Zero brute-force enumeration of your custom routes. Zero database write or auth attempts.
How do I unlock deeper scans?
Verify domain ownership on /verify-domain — add a DNS TXT record or upload a file. Takes 2 minutes. Then the scanner runs endpoint enumeration, GraphQL introspection, and samples up to 100 rows from exposed tables.
Can I use this for client work?
Yes, if they own the domain and verify it on their own account. Don't scan strangers' apps at deeper tiers — that's what the ownership gate prevents.
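The ownership gate the two answers above rely on, as an added example that is not the scanner's own code: a server derives a per-(domain, account) token, the owner publishes it in a TXT record, and deeper scans unlock only when the record matches. The `_pyv-challenge.<domain>` record name and `pyv-verify=` prefix are assumptions (the page does not say which name or format is used), and a dict stands in for the DNS resolver so it runs offline.

```python
import hashlib
import hmac
from typing import Callable, Iterable

# Assumptions, not stated on the page: the TXT record name and the token prefix.
CHALLENGE_LABEL = "_pyv-challenge"
TOKEN_PREFIX = "pyv-verify="

def _canon(domain: str) -> str:
    """Normalise so 'Example.COM.' and 'example.com' derive the same token."""
    return domain.strip().lower().rstrip(".")

def issue_challenge(domain: str, account_id: str, server_secret: bytes) -> str:
    """Token the user must publish at _pyv-challenge.<domain>.
    The HMAC binds it to one (domain, account) pair: a record planted for account A
    never verifies account B, and a record on one domain cannot unlock another."""
    msg = f"{_canon(domain)}|{account_id}".encode()
    digest = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]
    return TOKEN_PREFIX + digest

def verify_ownership(domain: str, account_id: str, server_secret: bytes,
                     lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True only if a TXT record at the challenge name equals this account's token."""
    expected = issue_challenge(domain, account_id, server_secret)
    name = f"{CHALLENGE_LABEL}.{_canon(domain)}"
    for record in lookup_txt(name):
        value = record.strip().strip('"')         # resolvers often return quoted strings
        if not value.startswith(TOKEN_PREFIX):
            continue                               # skip SPF, DKIM and other TXT data
        if hmac.compare_digest(value, expected):   # constant-time comparison
            return True
    return False

# Constructed demo data: a dict standing in for a real DNS resolver.
DEMO_SECRET = b"constructed-server-secret-do-not-reuse"
DEMO_ZONE = {
    "_pyv-challenge.example.com": [
        '"v=spf1 -all"',
        '"' + issue_challenge("example.com", "acct-42", DEMO_SECRET) + '"',
    ],
}

def demo_lookup(name: str) -> list:
    return DEMO_ZONE.get(name, [])
```

With the demo zone, `acct-42` verifies `example.com`, while another account, another domain, or a server with a different secret does not.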
Do you store the leaked data I find?
Evidence values stay in your scan result for 30 days, then a daily cron auto-purges them (we keep the finding metadata for trends and drop the actual leaked values).
What data sources do you support?
Supabase, Firebase, Bubble, Base44, PocketBase, AppWrite, Convex, Neon, PlanetScale, Turso, Redis, Airtable, MongoDB, and any custom REST/GraphQL API that leaks data.
Find what's leaking — in 30 seconds.
Free scan + grade. No card, no signup. Pro unlocks the full evidence (real keys, leaked rows, exact .env contents) and daily monitoring.