Security for websites in seconds.
Security, SEO & AI visibility in one free scan — only pay if you have issues.
Beyond security scanning.
CheckVibe monitors your entire web presence — security, visibility, performance, and uptime in one dashboard.
Your own public uptime site
Big companies have status.company.com — now you do too. CheckVibe pings your site every 60 seconds and hosts a public uptime page you can share with customers.
- Checks every 60 seconds, 24/7
- Public status page you can share
- Incident timeline & uptime history
Live threat detection
Watch attacks hit your site as they happen — credential stuffing, scraping, and prompt-injection probes, streamed to a live feed.
- Real-time attack feed
- Attacker IP intelligence
- Instant email alerts
AI-ready fix prompts
Every finding ships with a drop-in prompt you can paste into Claude, Cursor, or any AI agent. Fix shipped code in minutes, not days.
- Copy-paste prompt on every finding
- Tuned for Claude, Cursor & Windsurf
- Re-scan to confirm the fix landed
The id param is interpolated straight into the query — switch it to a parameterized statement so the driver escapes input. Handler: src/api/user.ts.
Built for speed
Scan 100+ checks in under 30 seconds. No installs, no configs, no agents — point CheckVibe at a URL and start shipping fixes.
- 100+ checks in under 30 seconds
- Zero setup — just paste a URL
- Free first scan, no credit card
Every pillar of a healthy site.
A security foundation that compounds.
From the scanner to the fix loop, every layer of CheckVibe is tuned so small teams can keep up with the surface area they ship — security, SEO, and AI answer-engine visibility in one place.
Agent-native output
Every finding ships with a copy-paste prompt engineered for Claude Code, Cursor, and Windsurf.
BaaS-aware
Understands Supabase, Firebase, and Clerk — no more guessing whether an exposed key matters.
MCP server & integrations
Export to GitHub Issues, Linear, and Slack — or run scans from any AI agent over the Model Context Protocol.
Full-site crawling
Discovers subdomains, SPA routes, and background endpoints so nothing slips through the cracks.
“We ship a consumer app, so a leaked token isn’t an abstract CVE — it’s real money walking out the door. CheckVibe runs on every deploy now, and the fix prompts usually close the gap before anyone on the team even sees the alert.”
Tim Fresenius, CTO
“Half our product is creator analytics, so a leak of subscriber data would genuinely end us. CheckVibe flagged three Supabase RLS policies we’d left wide open — we pasted its fixes straight into Cursor and shipped the patch that same afternoon. I don’t want to think about how long that would’ve sat there otherwise.”
Jamie Schärli, Agency Lead
“We host hundreds of customer projects, so security is non-negotiable. CheckVibe gave us a clear picture of where the real risks were and made it easy to act on them. The team responds quickly and is constantly building new features — it’s a very exciting tool that has become part of our standard workflow.”
Niels van der Velden, Founder, Natuurlijk! Hosting
Built a waitlist app over a weekend, fully vibe-coded. Ran a scan before launch and it caught my Supabase service-role key sitting right in the client bundle — had no clue it was even there. Pasted the fix into Cursor and it was gone in ten minutes.
Cursor writes most of my code and I kind of just assume it works. I had no real way to tell if any of it was secure. Scan came back with four criticals, I fed the fix prompts straight back to Cursor, and they were gone by the next deploy.
A client wanted a security sign-off before launch and I quietly panicked — not really my area. Ran their site through CheckVibe, it surfaced wide-open Firebase rules and a missing CSP header, both fixed within the hour. They think I’m a security expert now. I’m really not.
We ship client MVPs on brutal deadlines, mostly vibe-coded. A scan is now the last thing we do before handoff, and it has flagged something on basically every project. I wish that were an exaggeration.
Put a little “scanned by CheckVibe” line in our footer almost as a joke. Two enterprise leads brought it up on sales calls, unprompted, and said it’s part of why they trusted us. Didn’t expect a scanner to help close deals.
Went in assuming it was another GPT wrapper that finds nothing real. First scan flagged a SQL injection on an endpoint I’d shipped weeks earlier. Genuinely humbling. Nothing goes out the door now without a scan first.
Frequently asked questions
What does CheckVibe do?
CheckVibe scans your website with 100+ security checks — exposed API keys, SQL injection, XSS, misconfigured headers, weak SSL/TLS, BaaS misconfigurations, and more: the same classes of risk tracked in the OWASP Top 10. It also grades your visibility (68 SEO checks and 46 AEO checks that show how Google ranks you and how AI answer engines cite you) and your site health: Core Web Vitals performance, accessibility, email deliverability, and domain hygiene. You get a report in 30 seconds with remediation guidance for each issue.
Does CheckVibe monitor uptime?
Yes. Projects can enable uptime monitoring with external checks every 60 seconds, incident tracking with down and recovery email alerts, and a public status page showing live state, 90-day history, and uptime percentages. It runs alongside scheduled security re-scans and Core Web Vitals regression alerts, so availability, speed, and security live in one dashboard.
What is AEO (Answer Engine Optimization)?
AEO is the practice of making your site readable, quotable, and trustworthy to AI answer engines — ChatGPT, Claude, Perplexity, Google AI Overviews, and Copilot. Where SEO earns you a ranking on a results page, AEO earns you the citation inside the AI’s answer — what the Princeton GEO study calls generative engine optimization. That means letting AI crawlers like GPTBot and ClaudeBot access your pages, serving content that works without JavaScript, using clear headings and schema.org markup the models can lift answers from, and publishing trust signals (authorship, dates, sources). CheckVibe runs 46 AEO checks, including a per-engine access matrix, so you can see exactly which assistants can see you.
What do the SEO & AEO scans check?
The SEO scan runs 68 checks across indexability (robots, canonicals, sitemaps), on-page metadata, structured data, content quality, internal linking, and real-user Core Web Vitals. The AEO scan runs 46 checks across AI crawler access, content extractability, readability, structured data depth, and trust signals — plus an engine-by-engine matrix for ChatGPT, Claude, Perplexity, Google AI, Copilot, Meta AI, and Mistral. Every failed check ships with a fix prompt, same as security findings.
Do I need to know about security?
Not at all. Every issue comes with a fix prompt and prioritized guidance, so you can work through the fixes without security expertise.
How does the fix prompt work?
Each vulnerability in your report includes a ready-to-use remediation prompt with the issue, severity, evidence, and recommended code-level changes.
How much does it cost?
Scans are free — you only pay if issues are found and you want the full report. Starter unlocks fix prompts, more scans, and API access. Pro adds more projects, live threat detection, and priority support. Annual billing saves 30%.
Can I try it first?
Yes. Enter your URL on the homepage to run a scan. You will see how many issues your site has and their severity levels. Upgrade to see the full details and fix prompts.
