
See what's broken in your live app before someone else does.

VAS scans deployed web apps for the security issues AI coding tools commonly ship — exposed keys, missing RLS, broken auth, weak headers. Results in minutes, with copy-paste fixes for Cursor, Claude, and Lovable.

  • 100+ checks across headers, auth, secrets, RLS, and CORS
  • Non-invasive — safe to run on production
  • AI-ready fixes you paste into Cursor/Claude
  • Works with Lovable, Bolt, v0, Replit, Cursor
Scan · example.com · Live

  • Exposed Supabase service_role key · Critical
  • RLS missing on `profiles` table · Critical
  • Missing CSP header · High
  • Cookies without Secure flag · Medium
  • X-Frame-Options present · OK

14 checks · 2 critical · 1 high · 1 medium

How it works

3 steps to your first result.

  1. Drop in a URL

     Point VAS at any deployed app. No auth, no install, no agent.

  2. We scan, you wait 2–25 min

     Headers, secrets, RLS, auth flows, IDOR, CORS, mixed content, and more.

  3. Get a report with fixes

     Every finding includes severity, evidence, and a copy-paste fix for your AI tool.

What you get

Exposed secrets

Detects API keys leaked into JS bundles (Supabase service_role, OpenAI, Stripe live keys, AWS).

Database security

Tests actual Supabase RLS — which tables anonymous users can read, write, or delete.

Auth flows

Checks for IDOR, broken session handling, missing rate limits, and weak password policies.

Headers & CSP

Audits CSP, HSTS, X-Frame-Options, COOP, COEP, Permissions-Policy, and cookie flags.
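To make concrete what a header and cookie-flag audit of this kind checks, here is an added example in Python. It is not VAS code and does not reflect how VAS implements its checks; the header list, the severity assigned to each missing header, and the sample response are all assumptions constructed for this illustration, and the finding titles mirror the ones shown in the sample scan above.

```python
"""Audit a single HTTP response's security headers and Set-Cookie flags.

Added example, not VAS code. Everything below (which headers are expected,
what severity a missing one gets, the sample response) is an assumption.
"""
from dataclasses import dataclass

# Headers a deployed app is expected to send, with the finding to raise
# when one is absent. Severities are an assumption for this example, on the
# page's Critical / High / Medium / Low / OK scale.
EXPECTED_HEADERS = {
    "content-security-policy": ("Missing CSP header", "High"),
    "strict-transport-security": ("Missing HSTS header", "High"),
    "x-frame-options": ("Missing X-Frame-Options header", "Medium"),
    "cross-origin-opener-policy": ("Missing COOP header", "Medium"),
    "cross-origin-embedder-policy": ("Missing COEP header", "Low"),
    "permissions-policy": ("Missing Permissions-Policy header", "Low"),
}


@dataclass
class Finding:
    title: str
    severity: str   # Critical / High / Medium / Low / OK
    evidence: str   # the header value or cookie string the finding is based on


def audit_headers(headers: dict) -> list:
    """Report each expected header as present (OK) or missing (severity)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    present = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, (title, severity) in EXPECTED_HEADERS.items():
        if name in present:
            findings.append(Finding(f"{name} present", "OK", present[name]))
        else:
            findings.append(Finding(title, severity, f"no {name} in response"))
    return findings


def audit_cookies(set_cookie_values: list) -> list:
    """Check every Set-Cookie value for the Secure, HttpOnly and SameSite attributes.

    Takes a list because a response may carry several Set-Cookie headers.
    """
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; keep the original text as evidence.
        attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}
        evidence = f"{cookie_name}: {raw}"
        if "secure" not in attrs:
            findings.append(Finding("Cookies without Secure flag", "Medium", evidence))
        if "httponly" not in attrs:
            findings.append(Finding("Cookies without HttpOnly flag", "Medium", evidence))
        if "samesite" not in attrs:
            findings.append(Finding("Cookies without SameSite attribute", "Low", evidence))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, in the shape of the scan summary line."""
    counts = {"checks": len(findings)}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


# Constructed sample response: HSTS and X-Frame-Options set, no CSP, and one
# session cookie that has HttpOnly but neither Secure nor SameSite.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly"]


def run_sample() -> list:
    """Audit the constructed sample response and return all findings."""
    return audit_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_SET_COOKIE)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"[{f.severity}] {f.title}  ({f.evidence})")
    print(" · ".join(f"{v} {k}" for k, v in summarize(results).items()))
```

Presence of a header is only the first question a real audit asks; a CSP of `default-src *` or an HSTS `max-age=0` passes this presence check and still protects nothing, so a production scanner also needs to judge the values, which this example leaves out.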

Endpoint discovery

Crawls your app to find exposed admin routes, debug endpoints, and unprotected APIs.

AI-ready fixes

Each finding includes a Markdown fix block formatted for Claude, Cursor, or Windsurf to apply.

Frequently asked

Is it safe to run on a production app?
Yes. VAS only performs read operations. No exploit attempts, no data modification, no destructive testing.
How long does a scan take?
Starter Scan finishes in 2–3 minutes. Deep Scan covers more (authenticated routes, crawling, IDOR) and takes 20–25 minutes. You get an email when it's ready.
Which platforms work?
Any deployed web app — built with Lovable, Bolt, v0, Replit, Cursor, or by hand. Backed by Supabase, Firebase, or your own stack. If it's reachable over HTTPS, we can scan it.
What does a fix actually look like?
A copy-paste block: the exact code change, what to check first, when not to apply it, and whether it's safe to ship blindly. Designed for AI tools to read and apply directly.

Find what's broken — before someone with worse intentions does.