Public page & scripts
Reads one public HTML page and selected same-origin JavaScript for visible exposure signals.
Passive readVibe security lab / free public beta
Scan the public security signals of your AI-built website, then close the gaps a passive tool cannot verify with a practical 36-point review.
Free passive scanner
Definition
Vibe coding security is the practice of reviewing AI-assisted applications for exposed secrets, missing authorization, unsafe defaults, weak deployment controls, and other risks that fast code generation can overlook.
Check My Vibe examines limited public evidence. It does not replace source-code review, authenticated testing, or a professional security assessment.
01 / Awareness
Four deliberately bounded checks. Enough to catch costly oversights without pretending to replace an audit.
Reads one public HTML page and selected same-origin JavaScript for visible exposure signals.
Passive readReviews transport behavior and security headers returned to a normal visitor.
Public responseLooks for public source maps and credential-shaped strings, with evidence redacted.
Pattern signalsChecks a fixed set of common public paths. It does not recursively crawl, brute-force, or exploit.
Fixed scope02 / Interest
Start with observable evidence. Continue with the controls only a human can confirm.
Use a production or preview website you own or have explicit permission to assess.
See the completed tests, visible signals, limited checks, and practical remediation notes.
Verify authorization, data access, dependencies, and deployment controls the scanner cannot prove.
03 / Desire
Work through every control. Your progress stays in this browser, and related scan signals appear beside the items that still need human confirmation.
Keep credentials out of public code, logs and version history.
Verify identity and authorization controls at every protected boundary.
Protect data access, tenant isolation and recovery paths.
Harden the public response and browser security boundary.
Keep the software supply chain deliberate, current and reproducible.
Ship production with safe defaults, observability and rollback options.
04 / Trust
This is a passive review of limited public content, not a penetration test or a complete security audit.
It does not log in, attack endpoints, submit forms, or probe private resources.
It cannot see repositories, server configuration, database policies, authenticated routes, or business logic.
A clean result only means the completed checks did not find the specific signals they test.
For payments, health data, sensitive personal information, or privileged workflows, combine this checklist with threat modeling, automated tests, and an independent security assessment.
Evidence / Guidance
Primary guidance and current research inform the boundaries of this public-surface review.
Guidance for treating AI-generated code and AI-assisted development output as security-sensitive inputs that still require review and validation.
Read the sourceOWASP recommends explicit review, secure examples, and policy enforcement instead of assuming generated code is safe because it functions.
Read the sourceA 2026 empirical study reports recurring patterns such as placeholder logic, insufficient input handling, and secret exposure in vibe-coded applications.
Read the source05 / Clarity
Clear answers before you place trust in a score.
Vibe coding security is the process of reviewing AI-assisted applications for exposed secrets, missing authorization, unsafe defaults, weak deployment settings, and other risks that fast code generation can overlook.
It passively checks the public page, selected same-origin JavaScript files, security headers, HTTPS behavior, source maps, and six common sensitive file paths.
No. It does not log in, execute attacks, test private code, validate database policies, or prove that a site has no vulnerabilities. Use the manual checklist and a professional review for higher-risk applications.
No scan history is stored. The server temporarily reads limited public content, returns a redacted report, and does not retain page bodies, JavaScript, source maps, credentials, or complete results.
Ready when you are
Start with one authorized public URL. No account, no stored scan history, no exploit attempts.
Run the free passive scan