Vibe security lab / free public beta

Vibe Coding Security Checklist

Scan the public security signals of your AI-built website, then close the gaps a passive tool cannot verify with a practical 36-point review.

No accountPassive onlyNo scan history stored

Free passive scanner

Check the public security signals on your site

No account required

Enter a public website you own or are authorized to assess. The scan is passive and rate-limited.

Ready to scan.

Authorization matters. This tool reads a small amount of public content. It does not log in, submit forms, execute exploits, or crawl your entire site.

Definition

What is vibe coding security?

Vibe coding security is the practice of reviewing AI-assisted applications for exposed secrets, missing authorization, unsafe defaults, weak deployment controls, and other risks that fast code generation can overlook.

Check My Vibe examines limited public evidence. It does not replace source-code review, authenticated testing, or a professional security assessment.

01 / Awareness

Know what your public surface reveals

Four deliberately bounded checks. Enough to catch costly oversights without pretending to replace an audit.

01

Public page & scripts

Reads one public HTML page and selected same-origin JavaScript for visible exposure signals.

Passive read
02

HTTPS & headers

Reviews transport behavior and security headers returned to a normal visitor.

Public response
03

Exposure signals

Looks for public source maps and credential-shaped strings, with evidence redacted.

Pattern signals
04

Six sensitive paths

Checks a fixed set of common public paths. It does not recursively crawl, brute-force, or exploit.

Fixed scope

02 / Interest

A useful first pass in three deliberate steps

Start with observable evidence. Continue with the controls only a human can confirm.

01

Enter an authorized public URL

Use a production or preview website you own or have explicit permission to assess.

02

Review passive findings

See the completed tests, visible signals, limited checks, and practical remediation notes.

03

Complete the human review

Verify authorization, data access, dependencies, and deployment controls the scanner cannot prove.

03 / Desire

Turn a quick signal into a disciplined release check

Work through every control. Your progress stays in this browser, and related scan signals appear beside the items that still need human confirmation.

Secrets

Keep credentials out of public code, logs and version history.

0 / 6

Authentication

Verify identity and authorization controls at every protected boundary.

0 / 6

Database

Protect data access, tenant isolation and recovery paths.

0 / 6

HTTP Headers

Harden the public response and browser security boundary.

0 / 6

Dependencies

Keep the software supply chain deliberate, current and reproducible.

0 / 5

Deployment

Ship production with safe defaults, observability and rollback options.

0 / 7

04 / Trust

A useful signal is not a security guarantee

Honest by design

This is a passive review of limited public content, not a penetration test or a complete security audit.

  • 01

    It does not log in, attack endpoints, submit forms, or probe private resources.

  • 02

    It cannot see repositories, server configuration, database policies, authenticated routes, or business logic.

  • 03

    A clean result only means the completed checks did not find the specific signals they test.

For payments, health data, sensitive personal information, or privileged workflows, combine this checklist with threat modeling, automated tests, and an independent security assessment.

Evidence / Guidance

Security guidance behind this checklist

Primary guidance and current research inform the boundaries of this public-surface review.

  • The free scanner reads one public HTML page, selected same-origin JavaScript, response headers, limited source maps, and a fixed set of sensitive public paths.
  • The scanner does not log in, submit forms, execute exploits, crawl recursively, or inspect private repositories and database policies.
  • The Automated Security Score covers only completed machine checks; the 36-point checklist remains a separate human review.
  • A clean result means the completed rules found none of their specific public signals. It does not prove that the application has no vulnerabilities.

OWASP Secure Coding with AI Cheat Sheet

Guidance for treating AI-generated code and AI-assisted development output as security-sensitive inputs that still require review and validation.

Read the source

OWASP Top 10:2025 — Inappropriate Trust in AI Generated Code

OWASP recommends explicit review, secure examples, and policy enforcement instead of assuming generated code is safe because it functions.

Read the source

Understanding the (In)Security of Vibe-Coded Applications

A 2026 empirical study reports recurring patterns such as placeholder logic, insufficient input handling, and secret exposure in vibe-coded applications.

Read the source

05 / Clarity

Know exactly what the result can — and cannot — tell you

Clear answers before you place trust in a score.

01What is vibe coding security?

Vibe coding security is the process of reviewing AI-assisted applications for exposed secrets, missing authorization, unsafe defaults, weak deployment settings, and other risks that fast code generation can overlook.

02What does this scanner check?

It passively checks the public page, selected same-origin JavaScript files, security headers, HTTPS behavior, source maps, and six common sensitive file paths.

03Is this a complete security audit?

No. It does not log in, execute attacks, test private code, validate database policies, or prove that a site has no vulnerabilities. Use the manual checklist and a professional review for higher-risk applications.

04Do you store scans or source code?

No scan history is stored. The server temporarily reads limited public content, returns a redacted report, and does not retain page bodies, JavaScript, source maps, credentials, or complete results.

05Can I scan any website?

Only scan websites you own or are authorized to assess. The scanner is rate-limited, does not crawl recursively, and performs no exploit attempts.

Ready when you are

You shipped fast.
Now check the surface.

Start with one authorized public URL. No account, no stored scan history, no exploit attempts.

Run the free passive scan