Your v0 app could be leaking its env.
v0 generates React and Next.js and deploys to Vercel. It's easy to expose a server env var to the client or ship without security headers. Scan yours free.
read-only · we fetch only what your visitors' browsers already download
What breaks on v0 apps
v0 produces clean Next.js — but “clean” isn't “locked down.” The gaps we see most on v0-built, Vercel-deployed apps:
NEXT_PUBLIC_ env vars carrying real secrets
Any env var prefixed NEXT_PUBLIC_ ships to the browser. It's a common mistake to put a real key behind that prefix to “make it work.” We read the bundle the way a visitor does and flag server secrets that leaked into it.
Missing headers Vercel doesn't add for you
A default Vercel deploy won't set a Content-Security-Policy or HSTS unless you configure it in next.config or vercel.json. We check what's missing and give you the config to paste.
Source maps shipping to production
Production source maps hand your entire source — and sometimes inline secrets — to anyone who opens devtools. We look for them so you can turn them off before someone else reads them.
Built with something else?
The Supabase database Lovable ships with is open until you turn on RLS.
Bolt can bake a server API key straight into your public bundle.
AI-written auth often trusts the client. We test what's actually readable.
App, secrets, and database in one place — one misconfig exposes all three.