How it works
hammering.ai runs five read-only checks against a URL — only fetching what a visitor's browser already downloads — then turns the findings into a 0–100 survival score. Here's exactly what it looks at and how the number is built, because for a security tool the method is the trust.
The five checks
1 · Leaked secrets. Scans your JavaScript for server- side keys (Supabase service_role, sk_live_, OpenAI, AWS, private keys). Public-by-design keys — the Supabase anon key, a Firebase apiKey, a Stripe publishable key — are classified and notflagged, because they're meant to be in the browser.
2 · Open database.If a Supabase backend is detected, we can test whether its tables are readable by anyone with the public key (missing Row Level Security) — the single most common vibe-coded bug. This one reads real rows, so it only runs on a domain you've proven you own, and it reads table names and row counts only, never values.
3 · Security headers. Checks for a Content-Security- Policy, HSTS, and clickjacking / MIME-sniffing / referrer protections.
4 · Exposed files. Probes for a downloadable .env, .git, source maps, and SQL dumps — and only flags one when the response actually matches that file's content, not merely when the status is 200 (single-page apps return 200 for everything, which naive scanners flag as false positives).
5 · Error handling. Sends malformed input and watches for a leaked stack trace or a 500 — signs of missing validation.
How the score is computed
The score starts at 100 and deducts per finding by severity: a critical is −40, high −18, medium −9, low −3, and infodeducts nothing. Low-severity findings are capped so ten small issues can't outweigh one real one. It's deliberately blunt: a leaked service key or an open database should push you toward 0, not get averaged away.
What a score does not mean
A high score means we didn't find these specific external issues — it is not a guarantee that you have none. From the outside we can't see anything behind a login, business-logic flaws, or your infrastructure. It's a fast first pass, not a penetration test.