We'll scan your live Lovable, Bolt, v0, Cursor, or Replit app for the three things that take real apps down: open databases, exposed secrets, and unauthenticated endpoints. 15+ probes per scan; we surface the most urgent first.
Open databases
We probe your Supabase tables to see whether anyone can read or write your data without logging in. About 70% of Lovable apps fail this check.
Exposed secrets
We fetch your bundle — and recover original source from any leaked source maps — to find Stripe / OpenAI / Anthropic / Google / Slack / SendGrid / Supabase service-role keys, exposed .env files, and leaked /.git directories.
Unauthenticated APIs & misconfigurations
We probe discovered API routes for missing auth, check CORS configuration for the wildcard-with-credentials bug, and verify security headers on every response.
Read-only probes of your public URL. We don't run authenticated requests, write data, or attempt anything destructive. The full kit (Semgrep, full git history, RLS policy review) runs only on the $1,499 Audit, where you grant repo access.