35 scanners covering 100+ individual checks — SQLi, XSS, exposed keys, BaaS misconfigs, SSL/TLS, and more. Each finding ships with an AI-ready fix prompt.
Detect SQL injection vulnerabilities in your web application before attackers exploit them.
Find XSS vulnerabilities that could let attackers inject malicious scripts into your pages.
Check if your site has the right HTTP security headers to prevent common attacks.
Detect exposed API keys, tokens, and secrets in your frontend code and responses.
Verify your SSL/TLS configuration, certificate validity, and encryption strength.
Detect dangerous CORS policies that could allow unauthorized cross-origin access.
Check if your forms and API endpoints are protected against cross-site request forgery.
Audit cookie flags, session management, and token security for your application.
Test your login, signup, and password reset flows for common security weaknesses.
Verify DNS configuration, SPF, DKIM, DMARC records, and domain security.
Find URL redirect vulnerabilities that attackers use for phishing campaigns.
Audit your GraphQL API for introspection leaks, injection, and query complexity attacks.
Analyze JSON Web Tokens for weak algorithms, key exposure, and implementation flaws.
Identify your technology stack and check for known vulnerabilities (CVEs).
Check if your domain or IP appears on blocklists, malware databases, or threat feeds.
Check for privacy policy, cookie consent, terms of service, and GDPR compliance indicators.
Evaluate your site's resilience against distributed denial-of-service attacks.
Test file upload endpoints for unrestricted uploads and remote code execution risks.
Verify that security events are properly logged and monitored in your application.
Check API endpoints for proper rate limiting and abuse prevention on mobile-facing APIs.
Detect subdomain takeover vulnerabilities and domain registration security issues.
Find exposed debug routes, admin panels, and development endpoints left in production.
Test form fields and API inputs for proper validation and sanitization.
Audit Vercel-specific security settings, headers, and deployment configuration.
Check Netlify-specific security configuration, headers, and deployment settings.
Audit Cloudflare configuration, WAF settings, and CDN security features.
Scan your project dependencies for known vulnerabilities and outdated packages.
Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
Check Firebase Security Rules, authentication settings, and Firestore/RTDB access controls.
Scan your GitHub repository for leaked secrets, misconfigured Actions, and supply chain risks.
Detect JWTs, refresh tokens, and session identifiers stored in localStorage or sessionStorage.
Scan connected GitHub repositories for high-risk auth, secret, CORS, SQL, SSRF, and cookie patterns.
Find webhook handlers that appear to trust provider events without verifying signatures.
Find exposed admin routes, unauthenticated APIs, sequential IDs, and mass data exposure.
Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.
Paste your URL and get a complete security report with AI-ready fix prompts for every finding.