Paste your URL. In 60 seconds you get an A–F risk grade, your top findings with evidence, and a PDF report that tells you what's broken, what to fix first, and what's fine.
Already had an investor or B2B prospect ask about security? Skip the scan — book a 30-min call →
The 60-second scan
One field. Tick the ownership box. We never ask for code, GitHub, or credentials.
Same traffic a normal visitor generates. No login, no payload, no exploitation.
Plus your top findings, ranked by what would break your business first.
Categories we cover: exposed Supabase URLs and anon keys · missing security headers (CSP, HSTS, cookie flags) · public .env references in your bundle · unauthenticated storage buckets · CORS misconfigurations · TLS posture · known CVEs in frontend dependencies.
Sample findings
Not hypothetical. These are the patterns we surface most often on Lovable, Bolt, and Cursor projects shipped to production.
Your project URL and public anon key are visible in the JS bundle. If your row-level security is misconfigured, anyone can read your tables directly.
// captured from production bundleconst supabaseUrl = "https://qj██████.supabase.co"const anonKey = "eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."
No Content-Security-Policy, no HSTS, no X-Frame-Options. Your app is one stored XSS away from session theft and clickjacking.
content-security-policy: ✗ missingstrict-transport-security: ✗ missingx-frame-options: ✗ missing
A reference to /.env or process.env values shipped into the client bundle. Often includes Stripe, OpenAI, or service-role keys.
// inlined into client bundle at build timeSTRIPE_SECRET_KEY = "sk_live_4eC39H████████"OPENAI_API_KEY = "sk-proj-AAB███████████"
Find out if your app has any of these.
60 seconds. URL only. No code access.
Is it safe to scan?
Black-box. Read-only. The same kind of traffic any visitor sends. We never touch your code, your repo, or your database directly.
We never ask for source code, GitHub access, database credentials, or service-role keys. One URL is the entire input.
You tick a box attesting you own the site or are authorized by the owner. Required before the scan starts.
No payload injection, no credential brute-force, no rate-exhaustion. Normal browser requests, nothing your WAF would flag.
We follow US Computer Fraud and Abuse Act and UK Computer Misuse Act limits. Read-only checks of public surfaces only.
// captured from production bundleconst supabaseUrl = "https://qj██████.supabase.co"const anonKey = "eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."
What you'll get
The moment the scan finishes you see a one-page report. No download wall, no upsell wall.
Who this is for
The honest answer
Fair question. Most free scanners check generic web hygiene and miss everything that actually breaks vibe-coded apps.
We tuned this one for the stack you're actually shipping on. Supabase exposure patterns. BaaS misconfigurations. Frontend secret leaks from AI-generated bundles. The findings that have caused real incidents in the last twelve months.
If your app comes back clean, you'll know in 60 seconds and you're done. If it doesn't, you'll know exactly what to look at first. Either way you spent a minute, not a meeting.
Behind the scan
LeaderNova works with founders who shipped fast on Lovable, Cursor, Bolt, v0, Replit, and the BaaS platforms underneath. We built this scanner because the same handful of issues kept showing up across nearly every project we audited.
EU-based and GDPR-aligned. We do this in 60-second checks for free, and in deeper engagements when you want a real second pair of eyes.
Questions
It's free, no card, no trial. We run it because the data we collect helps us understand the vibe-coded ecosystem, and because we hope you find it useful enough to remember us.
We only make normal browser requests. No credential brute-force, no payload injection, no rate-exhaustion. The same traffic a visitor on your site would generate.
You must be authorized to run a security check on the site. The consent checkbox is your attestation. If you're unsure, check with your team first.
You need the client's explicit written permission. Forward it to us if asked.
Normal WAFs won't trip. Traffic is indistinguishable from a regular page load. Aggressive rate-based rules might.
Yes, in EU-hosted infrastructure. We delete or anonymize your scanned URL, results, and IP/device data within 30 days. We keep a minimal authorization record — your consent, the URL, and timestamps/IP — for up to 24 months solely to defend against misuse claims, as permitted under GDPR Art. 17(3)(e). You can request deletion of everything except that authorization record any time by emailing privacy@leadernova.com.
Then you spent 60 seconds and you're done. You can re-run the scan whenever you ship a major change — and at that point a proper audit is the right next step, since a 60-second pass only sees the outside of your app.
Those are broad platforms. This is a focused triage for the vibe-coded stack: Supabase exposure, BaaS misconfigurations, frontend secret leaks from AI-generated bundles.
We issue audit reports with ISO 27037 / 27042-compliant chain-of-custody when legal admissibility matters, and we'll tell you honestly when a specialist engagement is the better call.
Find out whether your AI-built app is leaking before someone else does.
EU-based · GDPR-aligned · Scan data deleted within 30 days