Passive and read-only. We read what your site already ships. We never log in or touch your data.

Is your AI-built app leaking secrets?

AI coding tools wire secret keys straight into your frontend to make a feature work, and that key ships to every visitor. This scanner reads your live site for exposed API keys, downloadable .env and .git files, and missing security headers, then hands you the fix.

Free score, about half a minute, no card. The full report unlocks with a free account.

Or skip the field

What the scanner looks for

Four classes of the mistakes that ship most often in fast-built apps. It reads only what your site already sends to a browser, so there is nothing to install and nothing to break. You get a score, the single worst issue free, and the full breakdown behind a free account.

  • Exposed secrets: Stripe, OpenAI, Anthropic, AWS, Supabase and GitHub keys shipped to the browser.
  • Open files: downloadable .env, .git, backups and source maps.
  • Security headers: missing CSP, HSTS, clickjacking and MIME-sniffing protection.
  • Data-access signals: Supabase RLS and Firebase rules to verify before they bite.

How it works. A careful reader, not an intruder.

No attacks, no logins, no writes. Just a thorough read of what you already ship, scored honestly.

STEP 01

We read your page

Paste your URL. We fetch your public page the way a browser does and read your HTML, inline scripts and first-party JavaScript for keys that should never be there.

STEP 02

We check the obvious doors

We request a short list of well-known filenames, like .env and .git, and grade your security headers. Any secret we find is redacted on the spot, never stored.

STEP 03

You get the fix

A 0 to 100 score, every finding with its exact location, and a copy-paste prompt to fix each one, plus one brief that covers them all. Rotate, move server-side, done.

The score is free. The fix is the reason to unlock.

See where you stand and your most serious issue at no cost. Unlock the full report to see every finding and exactly how to fix it.

Free, no card

Your score and worst issue

  • Your security score, 0 to 100, with a plain-language verdict.
  • A count of findings by severity (critical to info).
  • Your single most serious issue, redacted and explained.
  • No card, no signup, just the score.
Free account

The full report and every fix

  • Every finding, with the exact file or header it's in and why it matters.
  • Your security-header grade, header by header, against the Observatory model.
  • A copy-paste Claude fix prompt for each finding, plus one master brief.
  • Saved to your account so you can re-scan after fixing and watch the score climb.
Get my security score →

Free score and your worst issue, no card. Unlock the full report with a free account.

Rather have it fixed for you?

The report hands you a prompt for every fix, that's the DIY route. If you'd sooner not touch it, I'll do it: rotate the exposed keys, lock down the open files, harden your headers, and hand you back a clean re-scan.

Book a fix →

A done-for-you fix, scoped to your site, from £249. Tell me what the scan found and I'll reply with a fixed price.

Shipping fast is great. Shipping your keys is not.

The speed of AI-built software has a shadow: the same tools that ship a feature in minutes will ship a secret to the browser just as fast. This isn't hypothetical, it's already happening at scale.

CVE-2025-48757
a disclosed vulnerability where AI-built apps shipped with their database access rules (RLS) missing, exposing user data through the public keyNVD CVE record, disclosed 2025
5,600
AI-built web apps scanned in one study; it surfaced 2,000+ vulnerabilities and 400+ exposed secrets in live production sitesEscape.tech study, 2025
1.5M
API keys exposed by a single vibe-coded app when its database key shipped in the browser code with no access rules behind itWiz research (Moltbook), 2026

How it compares to the alternatives.

Most security tools are built for engineers with a config file and a CI pipeline. This one is built for the person who shipped an app with Claude and just wants to know if it's safe.

  Security Scanner Enterprise scanner Header checker Doing nothing
Finds exposed API keys in your frontend Yes, redacted Sometimes, with setup No No
Runs on a live URL, nothing to install Yes, paste a URL No, needs CI/config Yes
Checks open files (.env, .git, backups) Yes, content-verified Partly No No
Hands you a copy-paste fix Yes, per finding No, raw findings No No
Cost Free From £100s/mo Free Free until it isn't

A fast first pass, not a penetration test.

This is a passive scan: it reads what your site ships to a browser and checks the doors that are usually left open. A clear result is a good sign, not a guarantee, a secret loaded only into your rendered app, or a flaw on your server, can still slip past. It is the first check every fast-built app should pass, done in half a minute, not the last word on your security. Fix what it finds, then keep going.

Joshua Snoddy

Who's behind it

I'm Josh Snoddy. I'm a marketer who builds real software live with Claude, and I've shipped the exact mistakes this tool catches, so I built the tool to catch them. It reads only what a site already publishes, redacts every secret the instant it sees one, and tells you plainly what to rotate and where.

I run it on my own apps before I put it in front of yours. It won't attack your site or store your keys. It hands you the findings and a fix for each, in the order I'd tackle them.

Updated July 2026. Built live with Claude.

Questions people ask.

It runs a passive, read-only scan of your live page: exposed API keys and secrets in your HTML, inline scripts and first-party JavaScript; downloadable sensitive files like .env and .git; and your security headers (CSP, HSTS, clickjacking protection and more). It also flags Supabase Row Level Security and Firebase rules for you to verify. It never logs in, submits a form, or touches your database.

Yes. The scan is passive and read-only. It fetches your public page the same way a browser does, reads the code you already ship, and requests a short list of well-known filenames. It performs no attacks, no logins, no form submissions and no writes. Think of it as a careful reader, not an intruder.

AI coding tools happily wire a secret key straight into your frontend to make a feature work. That key then ships to every visitor's browser. It is one of the most common mistakes in vibe-coded apps: a Stripe secret key, an OpenAI key or a Supabase service_role key sitting in the code anyone can read. The scanner finds these before someone else does.

No. When a secret is detected it is redacted immediately to a short fingerprint (the first and last few characters). The raw value is never stored, never returned to your browser, and never logged. You get enough to find it in your code, and nothing an attacker could use.

No, and it does not pretend to be. It is a fast first pass over what your site ships to the public: exposed secrets, open files and missing headers. A clear result is a good sign, not a guarantee. A secret loaded only into the rendered app, or a server-side flaw, can still slip past a passive scan. Treat it as the first check, not the last.

The score and your single most serious issue are free, no card. The full report, with every finding, its exact location, your header grade and a copy-paste fix for each, unlocks with a free account (a one-click email login). No password, no payment.

Every finding comes with a paste-ready prompt you can hand to Claude or your AI editor to fix it, plus one consolidated brief that covers them all. If a secret was exposed, treat it as compromised: rotate it and move it server-side. Or have it fixed for you.

Find out what you're shipping. Before someone else does.

It takes about half a minute. You'll see your score and your most serious issue, free, before your coffee's cold.

Scan my site →

Free to see your score and worst issue. The full report and every fix open with a free account.