Every scan runs all checks automatically — no configuration needed. Just enter a URL and get a comprehensive security audit in under 2 minutes.
Detects exposed API keys: Supabase, Firebase, AWS, Stripe, OpenAI, GitHub, Twilio, SendGrid, Slack, Discord, Google Cloud, and private cryptographic keys.
Finds hardcoded passwords, database credentials, and generic secrets embedded in JavaScript source code and HTML.
Detects keys for the modern AI stack: Anthropic, Clerk secret keys, Auth0/OAuth client secrets, Algolia admin keys, Mapbox secret tokens, Sentry DSNs, and PostHog.
Scans server-rendered state (Next.js __NEXT_DATA__, Nuxt, Remix, SvelteKit) for secrets accidentally serialized into the client payload.
Detects React’s dangerouslySetInnerHTML which bypasses XSS protection and is frequently used in AI-generated code.
Finds eval() calls with variable input — a critical code injection vector commonly left by AI code generators.
Detects Vue v-html, Angular [innerHTML], and raw innerHTML assignments that can lead to XSS attacks.
Finds "TODO: add authentication" and "FIXME: validate input" comments that AI tools leave behind — unfinished security work.
Detects hardcoded http://localhost or 127.0.0.1 URLs that should not be in deployed applications.
Finds console.log statements outputting tokens, passwords, secrets, or auth data to the browser console.
Detects authentication tokens stored in localStorage — vulnerable to XSS. Tokens should use httpOnly cookies.
Finds access tokens and API keys passed as URL query parameters — logged in server logs and browser history.
Decodes JSON Web Tokens and flags the "none" algorithm, missing expiry, and sensitive claims (password, SSN, keys) in the payload.
Checks OAuth flows for a missing state parameter — required to prevent CSRF attacks on authentication.
Validates Secure, HttpOnly, and SameSite flags on session cookies across common cookie patterns.
Validates CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Checks certificate validity, expiration (warns 30 days before), HTTPS redirect, and TLS configuration.
Tests for overly permissive CORS — origin reflection, wildcard access, and credentials with wildcard.
Verifies X-Frame-Options and CSP frame-ancestors prevent your site from being embedded in malicious iframes.
Probes sensitive paths (.env, .git, phpinfo, wp-config, database dumps, backups) with content verification.
Detects HTTP resources loaded on HTTPS pages — active (scripts, CSS) and passive (images, media) mixed content.
Probes for publicly reachable admin/database consoles — Hasura, PocketBase, Adminer, phpMyAdmin, Django, Strapi, Supabase Studio.
Detects framework debug modes and stack traces (Laravel, Django, Flask, Symfony, Rails) plus dev builds shipped to production.
Tests Row Level Security policies, storage bucket access, REST API exposure, and detects service role key leaks.
Checks Firestore public read access, Realtime Database exposure, and Firebase Storage bucket listing.
Scans inline and external scripts for eval(), document.write(), localStorage secrets, debugger statements, and source map exposure.
Detects frontend-only authentication: admin routes behind JS checks, role guards without server validation, hidden admin links.
Identifies vulnerable jQuery, Bootstrap, and AngularJS versions, and checks for missing Subresource Integrity.
Validates CSRF tokens on POST forms, form actions over HTTP, password autocomplete, and file upload restrictions.
Scans responses for SQL error messages, stack traces, template injection indicators, and path traversal content.
Detects sequential numeric IDs in URLs, predictable API endpoints, and direct file references indicating broken access control.
Tests common redirect parameter names across login, logout, and callback endpoints for unvalidated redirects.
Probes common GraphQL endpoints (incl. Hasura and Supabase) for enabled schema introspection — the full API surface.
Identifies frameworks and CMS platforms (React, Next.js, Vue, Angular, WordPress, Laravel, etc.) with version detection.
Checks common subdomains for takeover risks, exposed staging/dev environments, and unauthenticated APIs.
Detects analytics without cookie consent, tracking pixels, missing privacy policy, and third-party tracking scripts.
Detects internal infrastructure leaked into the page: private IPs, internal hostnames, server filesystem paths, and storage bucket URLs.
Validates RFC 9116 security.txt — responsible disclosure contact and expiration information.
Checks for sensitive paths accidentally disclosed in robots.txt (admin panels, backup directories, config files).
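The JWT check described above (flagging the "none" algorithm, a missing expiry, and sensitive claims) can be reproduced without any signature verification, since the header and payload are only base64url-encoded JSON. The function below is an added example, not the scanner's own code; the SENSITIVE_CLAIMS set and the two sample tokens are constructed for illustration.

```python
import base64
import json
import time
from typing import List, Optional

# Claim names that should never travel in a JWT payload; the payload is only
# base64url-encoded, so anyone holding the token can read it. Constructed list.
SENSITIVE_CLAIMS = {"password", "passwd", "ssn", "secret", "private_key", "api_key"}


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def audit_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Decode a JWT (no signature verification) and report the weaknesses a scanner flags."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    findings = []
    if str(header.get("alg", "")).lower() in ("", "none"):
        findings.append("alg 'none': token is unsigned, so its claims are forgeable")
    exp = payload.get("exp")
    if exp is None:
        findings.append("missing exp: token never expires")
    elif not isinstance(exp, (int, float)) or exp < now:
        findings.append("exp is invalid or in the past")
    for claim in payload:
        if str(claim).lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive claim '{claim}' exposed in payload")
    return findings


# Constructed sample tokens (not real credentials): an unsigned token leaking a
# password claim with no expiry, and a well-formed token for comparison.
WEAK_TOKEN = ".".join([_b64url_encode({"alg": "none", "typ": "JWT"}),
                       _b64url_encode({"sub": "42", "password": "hunter2"}), ""])
OK_TOKEN = ".".join([_b64url_encode({"alg": "HS256", "typ": "JWT"}),
                     _b64url_encode({"sub": "42", "exp": 4102444800}), "c2lnbmF0dXJl"])
```

Run `audit_jwt(WEAK_TOKEN)` to see all three findings and `audit_jwt(OK_TOKEN)` to see an empty list; a real scanner would pull the token strings out of scripts, cookies, and localStorage calls before passing them in.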
All 31 checks run automatically. No signup, no configuration, no cost.