20 AI-powered security checks in 3 minutes

Your AI built the code.
Our AI protects it.

Find critical security holes in 3 minutes. Paste a URL. Get your score.

No signup required. Results in 3 minutes.

Built with Claude Code? Cursor? Lovable? Bolt? We scan them all.

Claude Code
Cursor
Lovable
Bolt
v0
Windsurf
Replit

Three steps to secure code

No agents to install. No code access needed. Just a URL.

01
Paste your URL

Drop in any live URL or staging link. We accept Vercel previews, Netlify deploys, Railway apps, or any public endpoint.

02
20 AI-powered checks run

Our scanner probes authentication, headers, secrets exposure, injection vectors, dependencies, access control, and more.

03
Get your score + fix list

A scored report with severity rankings, one-line explanations, and copy-paste code fixes for every issue found.

20 security checks, every scan

Organized by severity. Every check generates actionable fix instructions.

CRITICAL (5 checks)

Exposed API Keys & Secrets

Service role keys, API tokens, or credentials in client bundles

SQL / NoSQL Injection

Unsanitized user input reaching database queries

Authentication Bypass

Missing or broken auth on protected routes and API endpoints

Remote Code Execution

Eval, exec, or dynamic code paths exploitable by user input

Broken Access Control

IDOR, privilege escalation, or missing authorization checks

HIGH (5 checks)

Missing Rate Limiting

No throttling on auth, payment, or API routes

Insecure Direct Object Reference

User-controlled IDs accessing other users' data

Cross-Site Scripting (XSS)

Unescaped user content rendered in the browser

Insecure File Uploads

No validation on file type, size, or storage location

Broken Session Management

Predictable tokens, no expiry, or missing rotation

MEDIUM (5 checks)

Missing Security Headers

No CSP, HSTS, or X-Frame-Options, or a permissive CORS configuration

Verbose Error Messages

Stack traces or internal paths leaked to users

Insecure Dependencies

Known CVEs in npm/pip packages

Missing Input Validation

No schema validation on API request bodies

Weak Cryptography

MD5/SHA1 for passwords or hardcoded encryption keys

LOW (5 checks)

Missing robots.txt / sitemap

Admin panels or staging routes indexed by search engines. A robots.txt Disallow entry only asks well-behaved crawlers to stay away and also advertises the path; authentication on the route itself is the real control.

Cookie Security Flags

Missing HttpOnly, Secure, or SameSite attributes

Information Disclosure

Server version, framework, or debug info in responses

Subresource Integrity

CDN scripts loaded without SRI hash verification

DNS & TLS Configuration

Weak cipher suites or missing CAA records

Example scan result

Here is what a typical vibe-coded app looks like after a VibeArmor scan.

vibearmor scan my-saas-app.vercel.app
Scan time: 2m 47s
Score: 34/100 (High Risk)
3 Critical, 2 High, 4 Medium, 1 Low

This application has serious security vulnerabilities that should be fixed before going to production.

Findings
CRITICAL

Exposed Supabase service_role key in client bundle

Your SUPABASE_SERVICE_ROLE_KEY is embedded in the client-side JavaScript bundle at /static/js/main.chunk.js. This grants full database access to anyone who views your page source.

How to fix

Move the service_role key to server-side only: keep it in a server environment variable that is never exposed to the bundle (in Next.js, anything prefixed NEXT_PUBLIC_ is shipped to the browser). Use the anon key for client-side Supabase calls, enable Row Level Security on every table the anon key can reach (the anon key is only as safe as your RLS policies), and handle privileged operations in API routes or edge functions. Rotate the leaked key; once it has been in a public bundle it must be treated as compromised.
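The check behind this finding can be reproduced offline. The block below is an added example, not VibeArmor's scanner: Supabase API keys are JWTs whose payload carries a "role" claim ("anon" for browsers, "service_role" for trusted servers), so a bundle can be scanned for JWT-shaped strings and each one's claims decoded. The bundle text, the project ref "abcd1234" and the tokens are constructed for the example; the signature segments are placeholders, since the check never needs to verify a signature.

```javascript
// Added example, not VibeArmor's scanner: flag Supabase service_role keys in
// a client bundle. Supabase API keys are JWTs whose payload carries a "role"
// claim; "anon" is the browser key (safe only behind RLS), "service_role"
// bypasses RLS entirely and must never reach a browser.

const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Builds a constructed, unsigned token for the sample bundle below. The
// signature segment is a placeholder; the check ignores signatures.
function fakeJwt(payload) {
  return `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(payload)}.placeholder-sig`;
}

// Decode the middle segment; anything that is not a JSON object is ignored.
function decodeClaims(token) {
  try {
    const claims = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
    return claims && typeof claims === "object" ? claims : null;
  } catch {
    return null;
  }
}

// Scan bundle text for JWTs whose role claim is service_role.
function findServiceRoleKeys(bundleText) {
  const findings = [];
  for (const m of bundleText.matchAll(JWT_RE)) {
    const claims = decodeClaims(m[0]);
    if (claims && claims.role === "service_role") {
      findings.push({ offset: m.index, ref: claims.ref ?? null, token: m[0] });
    }
  }
  return findings;
}

// Constructed bundle excerpt: one anon key (expected in a browser bundle)
// and one leaked service_role key. "abcd1234" is a made-up project ref.
const SAMPLE_BUNDLE = [
  'const sb=createClient("https://abcd1234.supabase.co","' +
    fakeJwt({ iss: "supabase", ref: "abcd1234", role: "anon" }) + '");',
  'const admin=createClient("https://abcd1234.supabase.co","' +
    fakeJwt({ iss: "supabase", ref: "abcd1234", role: "service_role" }) + '");',
].join("\n");

console.log(`${findServiceRoleKeys(SAMPLE_BUNDLE).length} service_role key(s) found in sample bundle`);
```

Run it against the JavaScript files your deploy actually serves (fetch each chunk the HTML references); the regex is deliberately loose, and the decode step is what filters ordinary base64 strings out.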

CRITICAL

No rate limiting on /api/auth endpoints

The /api/auth/login and /api/auth/register endpoints accept unlimited requests. An attacker can brute-force credentials or create thousands of accounts.

How to fix

Add rate limiting middleware to all auth endpoints. Use a store shared across instances (e.g., @upstash/ratelimit over Redis); an in-memory counter is useless on Vercel or any serverless runtime where each invocation may land on a fresh process. Start at 5 attempts per minute per IP, and also limit per target account so an attacker who rotates IPs cannot brute-force a single login.
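One way to implement that limit, as an added example that is not VibeArmor's or Upstash's code: a sliding-log limiter keyed by client IP and separately by target account. The in-memory Map is only for illustration and single-process servers; the same check() shape maps onto a Redis sorted set for serverless deployments. The IP addresses, e-mail addresses and timestamps are constructed.

```javascript
// Added example, not VibeArmor's code: a sliding-log rate limiter for
// /api/auth/*. Requests are keyed by client IP and by target account, so an
// attacker who rotates IPs still runs into the per-account limit.
// In-memory state only works in a single long-lived process; on Vercel or any
// serverless runtime keep the counters in a shared store instead
// (e.g. @upstash/ratelimit over Redis).

class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of hits inside the window
  }

  // Records a hit unless the key is over its limit. `now` is injectable for tests.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest hit is the first to age out of the window.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const ipLimiter = new SlidingWindowLimiter(5, 60 * 1000);            // 5 per minute per IP
const accountLimiter = new SlidingWindowLimiter(10, 15 * 60 * 1000); // 10 per 15 min per account

// Gate a login attempt. `ip` must come from the platform's trusted forwarding
// header (Vercel sets x-forwarded-for), never from a value the client can
// choose. Returns the HTTP status and a Retry-After value in seconds.
function allowLoginAttempt({ ip, email }, now = Date.now()) {
  const byIp = ipLimiter.check(`ip:${ip}`, now);
  if (!byIp.allowed) {
    return { status: 429, retryAfterSec: Math.ceil(byIp.retryAfterMs / 1000) };
  }
  const byAccount = accountLimiter.check(`acct:${email.trim().toLowerCase()}`, now);
  if (!byAccount.allowed) {
    return { status: 429, retryAfterSec: Math.ceil(byAccount.retryAfterMs / 1000) };
  }
  return { status: 200, retryAfterSec: 0 };
}

// Illustration with constructed timestamps: the sixth attempt in a minute is refused.
const t0 = Date.parse("2024-01-01T00:00:00Z");
for (let i = 0; i < 5; i++) {
  allowLoginAttempt({ ip: "198.51.100.9", email: "demo@example.com" }, t0 + i * 1000);
}
console.log(allowLoginAttempt({ ip: "198.51.100.9", email: "demo@example.com" }, t0 + 5000));
```

Return the retryAfterSec value in a Retry-After header with the 429 so well-behaved clients back off, and do not tell the caller which of the two limits tripped.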

CRITICAL

SQL injection in search parameter

The /api/products?search= parameter is concatenated directly into a SQL query string without parameterization.

How to fix

Use parameterized queries (prepared statements) or an ORM's query builder so the search term is passed as a bound value and never spliced into the SQL string. Identifiers such as sort columns cannot be bound as parameters, so check those against an allowlist.
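The two ways of building the /api/products?search= query side by side, as an added example (not VibeArmor's code). The safe builder returns the { text, values } shape that node-postgres (pg) accepts for a parameterized query; the table and column names are assumed. It also escapes LIKE wildcards and allowlists the sort column, two details the finding text does not cover.

```javascript
// Added example, not VibeArmor's code: the vulnerable and the safe way to build
// the /api/products?search= query. The safe builder returns { text, values }
// in the $1/$2 placeholder form node-postgres (pg) uses, so the search term
// travels as a bound value and never becomes SQL text. Column names cannot be
// bound, so the optional sort column is checked against an allowlist instead.

// Vulnerable: string concatenation. Kept only to show the contrast.
function buildProductSearchUnsafe(search) {
  return `SELECT id, name, price FROM products WHERE name ILIKE '%${search}%' ORDER BY name`;
}

const SORTABLE = new Set(["name", "price", "created_at"]);

// Safe: bound parameter for the value, allowlist for the identifier.
function buildProductSearch({ search, sort = "name", limit = 50 }) {
  if (typeof search !== "string" || search.length > 100) {
    throw new Error("search must be a string of at most 100 characters");
  }
  if (!SORTABLE.has(sort)) {
    throw new Error(`unsupported sort column: ${sort}`);
  }
  const cappedLimit = Math.min(Math.max(Number.parseInt(limit, 10) || 50, 1), 100);
  // Escape LIKE wildcards so a user cannot turn "%" into "match everything".
  const pattern = `%${search.replace(/[\\%_]/g, (c) => `\\${c}`)}%`;
  return {
    text: `SELECT id, name, price FROM products WHERE name ILIKE $1 ESCAPE '\\' ORDER BY ${sort} LIMIT $2`,
    values: [pattern, cappedLimit],
  };
}

// Constructed attacker input: closes the quote and comments out the rest.
const PAYLOAD = "' OR 1=1 --";
console.log(buildProductSearchUnsafe(PAYLOAD));
console.log(buildProductSearch({ search: PAYLOAD }));
```

With pg the call is client.query(text, values); the driver sends the text and the values separately, so the database never parses the payload as SQL.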

HIGH

Missing Content-Security-Policy header

No CSP header is set, so a script injected through any XSS bug runs without restriction and can send data to any origin. A CSP does not remove XSS bugs, but it sharply limits what an injected script can do.

How to fix

Add a Content-Security-Policy header in next.config.js or middleware. Start with a strict policy (default-src 'self', no 'unsafe-inline' in script-src) and allowlist only the origins the app needs. Next.js emits inline scripts of its own, so a strict script-src needs a per-request nonce, which means setting the header from middleware rather than as a static value.

HIGH

IDOR on /api/users/[id] endpoint

Any authenticated user can access other users' data by changing the ID parameter. No ownership verification is performed.

How to fix

Compare the requested resource's owner_id against the authenticated user's ID (taken from the verified session, not from the request) before returning data, and answer a mismatch the same way as a missing record (404) so the endpoint cannot be used to enumerate which IDs exist.
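The ownership check in code, as an added example (not VibeArmor's code). The user records, ids and session objects are constructed; in a real handler the session comes from a verified cookie or JWT and findUser() is a database lookup.

```javascript
// Added example, not VibeArmor's code: ownership check for GET /api/users/[id].
// The session object comes from a verified cookie or JWT; the requested id
// comes from the URL. A non-owner gets the same 404 as a missing record, so
// the endpoint cannot be used to enumerate which ids exist.

// Constructed in-memory records standing in for the database.
const USERS = new Map([
  ["u_100", { id: "u_100", owner_id: "u_100", email: "alice@example.com", plan: "pro" }],
  ["u_200", { id: "u_200", owner_id: "u_200", email: "bob@example.com", plan: "free" }],
]);

function findUser(id) {
  return USERS.get(id) || null;
}

// Authorization happens on the server, after authentication and before any
// data leaves the handler. Admins are the only cross-user readers, and that
// is a deliberate, reviewed exception rather than a missing check.
function getUser(session, requestedId) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const record = findUser(requestedId);
  const isOwner = record !== null && record.owner_id === session.userId;
  const isAdmin = session.role === "admin";
  if (record === null || (!isOwner && !isAdmin)) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: record };
}

// Constructed requests: the owner reads their own record, then tries a
// neighbour's id by changing the URL parameter.
const alice = { userId: "u_100", role: "user" };
console.log(getUser(alice, "u_100").status, getUser(alice, "u_200").status); // 200 404
```

The same pattern applies to every route that takes an id: the check belongs in the handler (or a shared data-access layer), not in the client that built the link.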

MEDIUM

3 dependencies with known CVEs

next@13.4.1 (CVE-2024-34350), jsonwebtoken@8.5.1 (CVE-2022-23529), axios@0.21.1 (CVE-2021-3749).

How to fix

Run npm audit fix, or update manually where the fix is a major version bump (npm audit fix will not cross a major version without --force): next@latest, jsonwebtoken@9+, axios@1+. Re-run your test suite after the jsonwebtoken and axios upgrades, since both changed their APIs.

MEDIUM

Verbose error responses in production

API error responses include full stack traces and internal file paths, leaking implementation details.

How to fix

Use a global error handler that returns generic messages in production. Log full errors server-side only.

MEDIUM

Missing input validation on API routes

POST /api/checkout accepts arbitrary JSON without schema validation. Attackers can supply unexpected fields, or unexpected types for expected ones (for example a client-chosen price or a negative quantity), that downstream code then trusts.

How to fix

Add Zod or Joi schema validation to all API route handlers. Reject requests that don't match the expected shape.

MEDIUM

Weak password requirements

Registration accepts passwords as short as 1 character with no complexity requirements.

How to fix

Enforce a minimum length of 8 characters (12 or more is better), reject passwords that appear in breached-password lists, and use zxcvbn for strength scoring. Character-class rules ("one number and one special character") add little on their own; length and a breach check do most of the work.

LOW

Missing Secure flag on session cookie

Without the Secure flag the browser will also send the session cookie over plaintext HTTP (for example when a user follows an http:// link before HSTS has kicked in), exposing it to interception on shared networks and allowing session hijacking.

How to fix

Set the Secure and HttpOnly flags and a SameSite attribute on all session cookies. SameSite=Strict gives the strongest CSRF protection but drops the session on top-level navigations from other sites (a user arriving from an e-mailed link lands logged out); SameSite=Lax is the usual compromise for a login session. Consider the __Host- cookie-name prefix, which makes the browser refuse the cookie unless it is Secure, has no Domain attribute and has Path=/.

Simple, transparent pricing

Start free. Upgrade when you need continuous protection.

Free
$0

One scan to see what you are working with.

  • 1 scan
  • Top 5 issues shown
  • Basic severity report
  • Shareable results link
Starter
$29/mo

Weekly scans for solo builders shipping fast.

  • Weekly automated scans
  • Full 20-check report
  • Email alerts on new issues
  • Historical score tracking
  • 1 site
Pro (Most Popular)
$99/mo

Continuous protection for production apps.

  • Continuous monitoring
  • Slack & email alerts
  • AI fix suggestions with code
  • API access
  • Priority scan queue
  • 3 sites
Agency
$299/mo

Scan client projects. Deliver security reports.

  • 25 sites
  • White-label PDF reports
  • Client dashboard
  • Team member seats
  • Bulk scan API
  • Dedicated support

Why VibeArmor?

Traditional pentests cost $5K-$30K and take weeks. VibeArmor costs $29/mo and runs in 3 minutes.

Built by vibe-coders, for vibe-coders.

                               Traditional Pentest      VibeArmor
Time to first result           2-4 weeks                3 minutes
Cost                           $5,000 - $30,000         $29/month
Frequency                      Once per quarter         Continuous
Understands AI-generated code  Rarely                   Built for it
Fix suggestions                PDF report               Copy-paste code fixes
Setup required                 Weeks of scoping         Paste a URL

Frequently asked questions

VibeArmor runs 20 automated security checks across 4 severity levels. We test for exposed secrets in client bundles, authentication bypasses, SQL/NoSQL injection, missing security headers, insecure dependencies with known CVEs, broken access control (IDOR), XSS, missing rate limiting, file upload vulnerabilities, session management, input validation, and more. Each check is tailored to the patterns we see in AI-generated codebases.

We never access your source code. VibeArmor scans your live application externally, the same way an attacker would. We test publicly accessible endpoints, headers, and responses. Scan results are encrypted at rest and you can delete them at any time. We are SOC 2 Type II compliant.

Snyk focuses on dependency vulnerabilities in your codebase (you give it code access). Detectify is an enterprise DAST scanner priced for security teams. VibeArmor is purpose-built for AI-generated apps: we understand the specific patterns and mistakes that Claude, Cursor, Lovable, and Bolt produce. We are faster to set up (paste a URL), cheaper ($29/mo vs $500+/mo), and our fix suggestions include copy-paste code, not just descriptions.

No. VibeArmor scans your live application from the outside, just like a real attacker would. You paste a URL and we do the rest. No GitHub integration, no CI/CD setup, no agent installation. If you want deeper analysis, our Pro plan offers optional GitHub integration for dependency scanning.

That is exactly why VibeArmor exists. Every finding comes with a severity rating, a plain-English explanation of the risk, and a concrete fix with code you can copy and paste. Most critical issues can be fixed in under 30 minutes. Rescan for free after fixing to see your score improve.

Are you shipping vulnerable code right now?

Most vibe-coded apps have 3+ critical vulnerabilities. Find yours before someone else does.

Join 1,000+ vibe-coders who ship secure.