60-second security report

VibeCheck

Paste your vibe-coded app URL and get a read-only public-surface report with redacted evidence, grouped findings, confidence labels, and copy-paste fixes.

Paste your app URL

VibeCheck blocks private-network targets and stores redacted evidence only.

Read-only by design

VibeCheck checks public pages, client bundles, source-map references, exposed infrastructure paths, headers, bounded CORS preflights on referenced APIs, public schema/debug routes, Firebase web config, client hydration payloads, and owner-authorized Supabase read/storage probes.

Modern leak coverage

It looks for exposed AI-era secrets, over-fetched client data, public OpenAPI or GraphQL surfaces, weak browser defenses, and access-control self-check signals, including client_data_exposure, debug_schema_surface, and firebase_config findings.

Evidence stays redacted

Reports store fingerprints and sanitized metadata, not raw secrets, source maps, source code, database rows, cookies, sensitive query strings, or raw PII samples.