Your vibe-coded app is probably leaking.

89% of AI-built apps ship with at least one vulnerability. Paste your URL — bleek scans your live site the way an attacker would and hands you the exact fix to paste back into Cursor, Claude or Lovable. The first scan is free. No signup, no code access.

No signup. No code access. Read-only — we never touch your data.

// why it matters

11% of vibe-coded apps leak Supabase keys
SupaExplorer · 20,052 URLs

10% of Lovable apps shipped with broken RLS (CVE-2025-48757)
Matt Palmer · disclosure

1.5M auth tokens leaked from one Lovable app in 72 hours
Moltbook hack · Jan 2026

$200K in Stripe payments processed with broken webhooks
McKelvey · 7 failures from rescuing vibe-coded apps

// how it works

Three steps. One URL. Every leak.

Step 01

Paste your URL

No signup, no code access. Just the URL of your live vibe-coded app.

Step 02

We scan it like an attacker would

14 checks across secrets, auth, RLS, headers, and injection — read-only, never destructive.

Step 03

Get every leak + how to fix it

AI-ready fix instructions you paste back into Cursor, Claude or Lovable. Or let our humans ship the PR.

// attack surface

The leaks AI ships by default.

14 checks anchored on OWASP Top 10:2025, OWASP LLM Top 10:2025, and the 2025 CWE Top 25 — calibrated to the failure modes that actually break vibe-coded apps in production.

Exposed secrets

Supabase service_role, OpenAI, Stripe, AWS keys in your JS bundle.

Supabase RLS

We extract your anon key and probe every table the way an attacker would.

Auth bypasses

Client-side-only checks, missing server enforcement, alternate-path admin routes.

Security headers

CSP, HSTS, X-Frame-Options, cookie flags — what AI forgets to set.

Exposed files

.env, .git, source maps, /admin, /debug — anything you didn't mean to ship.

Injection probes

Reflected XSS, SQLi error signatures, path traversal, open redirects.

Start free. Pay only if it finds something.

$0 forever

Free Scan

The embarrassing stuff. Caught from outside.

  • Security headers (CSP, HSTS, X-Frame-Options, ...)
  • Cookie flags (Secure, HttpOnly, SameSite)
  • TLS protocol + cipher quality
  • Exposed files (.env, .git, /admin, source maps)
  • Public secrets in JS bundles (Stripe pk, OpenAI, AWS)
  • CORS misconfiguration
  • Public scorecard report
$19 one-time

Deep Scan

All 14 checks. The ones AI tools actually break.

  • Everything in Free Scan, plus:
  • Supabase RLS probing (CVE-2025-48757)
  • Firebase Realtime / Firestore rule probing
  • Reflected XSS + SQLi error-signature probes
  • Path traversal + open-redirect probes
  • Auth bypass via alternate path (CWE-288)
  • Dependency CVE scan (Retire.js + OSV.dev)
  • AI-ready fix instructions for Cursor / Claude / Lovable
From $300, fixed scope

Human Checker

The 8 things no URL scanner can confirm.

  • Everything in Deep Scan, plus:
  • 2-account IDOR / BOLA testing
  • Business-logic flaws (race conditions, step-skipping, coupons)
  • Payment webhook signature verification (Stripe, PayPal)
  • Stored XSS + second-order injection
  • LLM excessive-agency / agentic blast-radius
  • Compliance signals (GDPR, PCI, HIPAA)
  • Fix shipped as a pull request you approve
  • Direct line to the founder

No scanner can confirm IDOR, business-logic flaws, or webhook integrity from a URL alone. That's what the human tier is for.

Read-only by design

We never run exploits. We probe. We observe. We report.

Your code stays yours

Free scan needs no access. Deep scan needs no access. Human-tier fixes are pull requests you approve.

No middle layer

You work straight with the engineers doing the work — no agency markup, no offshore team, no ghosting.

// questions

Scanning, answered.

Is the scan really free?

Yes — the first scan is free forever, no signup. It checks security headers, exposed secrets, TLS and exposed files. You only pay for the Deep Scan ($19, one-time) or a human audit.

What does bleek check for?

Exposed API keys, broken Supabase RLS (CVE-2025-48757), auth bypasses, missing security headers, exposed files and injection issues — 14 checks anchored on OWASP Top 10:2025. Full list on pricing.

Is it safe to scan my app?

Yes — bleek is read-only by design. We probe and observe, never exploit. More on our security page.

Which platforms does it work with?

Any live web app — Lovable, Bolt, v0, Cursor, Replit or hand-coded. See Lovable security or Supabase security.

What is CVE-2025-48757?

A missing Supabase row-level-security default that exposed 170+ Lovable apps' databases. bleek tests your app for it free — read the deep-dive.