Security scanning for vibe coders

45% of AI-generated code has critical security vulnerabilities.

Paste your URL, get a security audit in 60 seconds.


What we check

Security Headers

Checks for CSP, HSTS, X-Frame-Options, and other essential headers that protect your visitors.

SSL / TLS

Verifies your certificate is valid, not expiring soon, and using modern encryption protocols.

Exposed Files

Probes for .env files, .git folders, admin panels, and other files that should never be public.

JavaScript Secrets

Scans your client-side code for leaked API keys, tokens, and credentials visitors can see.

Supabase Audit

Tests your Row Level Security policies to make sure strangers can't read your database.

Firebase Audit

Checks Firestore rules and Storage bucket permissions for unauthenticated access.

CORS Policy

Tests whether attackers can make cross-origin requests and steal data from your API.

Cookie Security

Verifies session cookies have Secure, HttpOnly, and SameSite flags set correctly.

Email Security

Checks SPF, DKIM, and DMARC records that prevent spoofed emails from your domain.

Tech Detection

Identifies your framework, hosting, and database so fix prompts match your actual stack.

Rate Limiting

Tests whether your login and API endpoints can be brute-forced without hitting any limits.

Bot Protection

Checks for CAPTCHA or challenge pages that stop bots from abusing your forms and signups.

Simple pricing

Free scan. Full report for $9.

Free scan in 60 seconds. Full report for $9. Unlimited for $24/mo.

Free

$0 forever

Unlimited quick scans

  • Unlimited quick scans
  • Security score & grade
  • Finding titles & severity
  • Category breakdown
  • Tech stack detection
  • Full finding descriptions
  • Specific vulnerability details
  • AI fix prompts for your stack
  • Deep scan option (code + URL)
  • No account needed
  • Unlimited full results
  • Unlimited deep scans
  • Scan history + comparison
  • Trust badge embed
  • Weekly monitoring alerts
  • Exportable reports
Most Popular

Single Scan

$9 one-time

Full scan report

  • Unlimited quick scans
  • Security score & grade
  • Finding titles & severity
  • Category breakdown
  • Tech stack detection
  • Full finding descriptions
  • Specific vulnerability details
  • AI fix prompts for your stack
  • Deep scan option (code + URL)
  • No account needed
  • Unlimited full results
  • Unlimited deep scans
  • Scan history + comparison
  • Trust badge embed
  • Weekly monitoring alerts
  • Exportable reports

Pro

$24/mo

Unlimited scans

  • Unlimited quick scans
  • Security score & grade
  • Finding titles & severity
  • Category breakdown
  • Tech stack detection
  • Full finding descriptions
  • Specific vulnerability details
  • AI fix prompts for your stack
  • Deep scan option (code + URL)
  • No account needed
  • Unlimited full results
  • Unlimited deep scans
  • Scan history + comparison
  • Trust badge embed
  • Weekly monitoring alerts
  • Exportable reports

Real results

What we've found

Aggregate findings across every scan we've ever run.

  • exposed files detected
  • leaked secrets caught
  • missing headers found
  • insecure cookies flagged
  • email misconfigs found
  • CORS misconfigs caught

FAQ

Common questions

What does SafeToShip actually check?

We run 10 security modules against your live URL: security headers, SSL/TLS, exposed files, leaked API keys in JavaScript, Supabase RLS, Firebase rules, CORS policy, cookie flags, email authentication (SPF/DKIM/DMARC), and tech stack detection. Each check runs in parallel and completes in under 60 seconds.

Is this safe? Will it break my site?

Completely safe. We only make read-only requests, the same ones any visitor's browser makes. We never modify data, submit forms, or attempt to exploit anything. For database checks (Supabase/Firebase), we read at most one row and never write.

I'm not technical. Will I understand the results?

That's exactly who we built this for. Every finding is explained in plain English with a severity level (Critical, High, Medium, Low). Paid plans include AI-generated fix prompts tailored to your specific AI coding tool. Just paste them in and your AI assistant will fix the issue.

What are fix prompts?

Fix prompts are copy-paste instructions written for your AI tool (Cursor, Lovable, Bolt, v0, etc.). Each prompt explains the security issue and tells your AI exactly how to fix it. Think of them as a security expert translating findings into language your AI assistant understands.

How is the security score calculated?

You start at 10.0 and lose points per finding: Critical issues cost 3.0 points, High costs 1.5, Medium costs 0.5, and Low costs 0.15. Grades map to scores: A (9-10), B (7-8.9), C (5-6.9), D (3-4.9), F (0-2.9). The average vibe-coded app scores 4.0-6.5.

What's the difference between single scan and Pro?

A single scan unlock ($9) gives you the full findings and AI fix prompts for one specific scan. Pro ($24/month) gives you unlimited scans, full findings and fix prompts for all scans, scan history, a trust badge, and monitoring alerts.

Can I use the trust badge on my site?

Yes! Pro plans include a dynamic SVG badge you can embed on your site. It shows your latest score and grade, updates automatically with each scan, and links to a public verification page. You need a score of 7.0+ with zero critical or high findings to qualify.

Do you store my data or secrets?

We never store full API keys or secrets. Findings show only the first 8 characters. Scan results are stored so you can view history, but we don't retain raw response data. You can delete all your data at any time from settings.
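The scoring rule from "How is the security score calculated?" and the badge rule above, worked through as an added example (not SafeToShip's own code). It assumes the score is floored at 0.0 and that each grade's lower bound is its threshold, so a 8.95 rounds into the B band; the findings lists are constructed.

```python
from collections import Counter

# Point deductions per finding severity, as stated in the FAQ.
DEDUCTIONS = {"Critical": 3.0, "High": 1.5, "Medium": 0.5, "Low": 0.15}

# Lower bound of each grade band, checked from the top down.
# Assumption: the floor is the threshold (e.g. 7.0 <= score < 9.0 is a B).
GRADE_FLOORS = [("A", 9.0), ("B", 7.0), ("C", 5.0), ("D", 3.0), ("F", 0.0)]


def security_score(findings):
    """Start at 10.0, subtract per finding, never drop below 0.0 (assumed floor)."""
    total = 0.0
    for severity in findings:
        if severity not in DEDUCTIONS:
            raise ValueError(f"unknown severity: {severity!r}")
        total += DEDUCTIONS[severity]
    return round(max(0.0, 10.0 - total), 2)


def grade_for(score):
    for letter, floor in GRADE_FLOORS:
        if score >= floor:
            return letter
    return "F"


def badge_eligible(findings):
    """Trust badge rule: score of 7.0+ and no Critical or High findings."""
    counts = Counter(findings)
    return (security_score(findings) >= 7.0
            and counts["Critical"] == 0
            and counts["High"] == 0)


def audit_summary(findings):
    """Score, grade and badge eligibility for one scan's list of severities."""
    score = security_score(findings)
    return {"score": score, "grade": grade_for(score), "badge": badge_eligible(findings)}


if __name__ == "__main__":
    # Constructed sample: one High, two Medium, one Low -> 7.35, grade B, no badge.
    print(audit_summary(["High", "Medium", "Medium", "Low"]))
```

A single Critical finding alone costs 3.0 points, landing a clean site at 7.0 (a B) while still disqualifying it from the badge.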

Ship with confidence

Scan your site now. It takes 60 seconds and your first scan is free.