Cursor writes the code. Did it lock the doors?
Cursor builds whole apps fast, wherever you deploy them. The AI writes the auth, the queries, and the config — and it doesn't always get the security right. Scan yours free.
read-only · we fetch only what your visitors' browsers already download
What breaks on Cursor apps
Cursor isn't tied to one host, so we scan wherever your app lives. What AI-written code gets wrong most often:
Auth that looks right but reads wrong
Generated database queries frequently trust the client — a Supabase table with no RLS, a Firebase rule set to true, an API route with no auth check. We test what an unauthenticated request can actually read, not what the code claims.
Leaked keys in shipped code
AI-written setup often hardcodes a key “to get it working,” and then it ships. We scan your live bundle for server keys that made it to production, and separate them from the public keys that belong there.
Config drift from fast iteration
Fast prompting means config changes fast too — a header you set gets dropped, a table gets added without a policy. A scan is a fast, honest snapshot of what's actually exposed right now, on the live site.
Built with something else?
The Supabase database Lovable ships with is open until you turn on RLS.
Bolt can bake a server API key straight into your public bundle.
A NEXT_PUBLIC_ env var or a stray source map leaks more than you think.
App, secrets, and database in one place — one misconfig exposes all three.