probe

Find what your AI shipped broken.

Scan your app's public surface: 60 seconds, free, no signup.
What we look for

What we check for.

These are the eight things that go wrong most often in apps built with AI tools.

  • Exposed Supabase service keys: service-role keys committed to client bundles or .env files served as static assets. Found in 41% of scans.
  • Stripe webhooks without signature check: endpoints that accept any POST as legitimate Stripe traffic. Found in 12% of scans.
  • Unauthenticated LLM endpoints: server routes that proxy AI services with no auth or rate limit. Found in 38% of scans.
  • Missing row-level security: Postgres tables reachable from PostgREST without RLS policies enforced. Found in 23% of scans.
  • IDOR on user data routes: /api/users/:id-style routes that don't verify ownership before returning. Found in 16% of scans.
  • Source maps in production: .js.map files served alongside bundles, leaking original source and comments. Found in 19% of scans.
  • .env files served as static assets: public-folder placement causing /.env and /.env.local to return 200. Found in 7% of scans.
  • Public admin or debug surfaces: visible routes, panels, logs, or debug output that should not be reachable from the open web. Found in 14% of scans.

Probe remediation

From finding to fixed

Critical

Your AI chat endpoint skips auth, so anyone with the URL can use your account.

POST /api/chat · no auth → 200 OK
Pricing

Pick your level of exposure visibility.

Free scan

$0

  • External scan
  • Severity counts
  • One safe finding revealed when available
  • Unlock the audit to see what's exposed
Scan a URL

Monitoring

$79/mo · 12-month commitment

  • Weekly re-scans of your public surface
  • Repo hygiene risk assessments
  • Regression tracking across deploys
  • Slack & email alerts on new findings

Your app is online right now.

Someone is going to find what we'd find.

Better that it's us.

Scan my app