free · read-only · built with Cursor

Cursor writes the code. Did it lock the doors?

Cursor builds whole apps fast, wherever you deploy them. The AI writes the auth, the queries, and the config — and it doesn't always get the security right. Scan yours free.

https://

read-only · we fetch only what your visitors' browsers already download

What breaks on Cursor apps

Cursor isn't tied to one host, so we scan wherever your app lives. What AI-written code gets wrong most often:

Auth that looks right but reads wrong

Generated database queries frequently trust the client — a Supabase table with no RLS, a Firebase rule set to true, an API route with no auth check. We test what an unauthenticated request can actually read, not what the code claims.

Leaked keys in shipped code

AI-written setup often hardcodes a key “to get it working,” and then it ships. We scan your live bundle for server keys that made it to production, and separate them from the public keys that belong there.

Config drift from fast iteration

Fast prompting means config changes fast too — a header you set gets dropped, a table gets added without a policy. A scan is a fast, honest snapshot of what's actually exposed right now, on the live site.