Can someone bankrupt you?

You ship fast with AI.
We make sure it's not a security nightmare.

Share URL, get a report with fixes in 40 seconds.

I own or have permission to scan this app

Scans run

Critical issues

What you might find

criticalSupabase

Anyone can read 2852 rows from 4 tables

Supabase RLS disabled. Anyone with your anon key can read user data from 4 tables.

see fix →

Fix

Review data from the tables, should everyone see it?

Copy fix prompt for LLM.

← back

criticalPOST /api/chat

Unprotected AI endpoint

No rate limit. Anyone can burn through your OpenAI credits in minutes.

see fix →

Fix

Add rate limiting tied to IP address to your chat.

← back

criticalPOST /api/send-email

Open email sender

No auth on Resend endpoint. Bots can send thousands of emails on your account.

see fix →

Fix

Add rate limiting and auth before calling Resend.

Add CAPTCHA on public forms.

← back

Example findings from a real scan. 3 free scans per day.

What you might find

criticalSupabase

Anyone can read 2852 rows from 4 tables

Supabase RLS disabled. Anyone with your anon key can read user data from 4 tables.

see fix →

Fix

Review data from the tables, should everyone see it?

Copy fix prompt for LLM.

← back

criticalPOST /api/chat

Unprotected AI endpoint

No rate limit. Anyone can burn through your OpenAI credits in minutes.

see fix →

Fix

Add rate limiting tied to IP address to your chat.

← back

criticalPOST /api/send-email

Open email sender

No auth on Resend endpoint. Bots can send thousands of emails on your account.

see fix →

Fix

Add rate limiting and auth before calling Resend.

Add CAPTCHA on public forms.

← back

Example findings from a real scan. 3 free scans per day.

vs. generic scanners

Others

LaunchGuard

✕47 findings, XSS, CSRF, SSRF etc.

✓2–5 findings, each costing you money

✕Vague severity labels (Low / Medium / High)

✓Dollar estimates per month

✕"Everything is potential vulnerability"

✓"Fix this before you get charged $1k"

✕No database-level checks

✓Supabase RLS, storage & key audit included for free

Database Security

Using Supabase?

Every scan automatically detects Supabase and probes your database security.

live scan feed

Scanning acme-app.com…

Detected Supabase → acme-app.supabase.co

Decoded anon key · 14 tables, 3 RPCs, 2 buckets

RLS posture4 tables exposed

Hidden tables+2 via PGRST205

Storage buckets1 public (2,847 files)

RPC endpoints1 callable

7 findings · 0 bytes read

Row Level Security

Tests every table for anonymous read access via count-only queries.

Hidden Table Discovery

Exploits PostgREST error hints to find unlisted tables.

Storage Buckets

Enumerates all buckets and checks file listing permissions.

RPC Functions

Tests each database function for anonymous invocability.

Runs automatically on every scan. No row data is read, only access checks are performed.