free · read-only · built for v0 apps

Your v0 app could be leaking its env.

v0 generates React and Next.js and deploys to Vercel. It's easy to expose a server env var to the client or ship without security headers. Scan yours free.

https://

read-only · we fetch only what your visitors' browsers already download

What breaks on v0 apps

v0 produces clean Next.js — but “clean” isn't “locked down.” The gaps we see most on v0-built, Vercel-deployed apps:

NEXT_PUBLIC_ env vars carrying real secrets

Any env var prefixed NEXT_PUBLIC_ ships to the browser. It's a common mistake to put a real key behind that prefix to “make it work.” We read the bundle the way a visitor does and flag server secrets that leaked into it.

Missing headers Vercel doesn't add for you

A default Vercel deploy won't set a Content-Security-Policy or HSTS unless you configure it in next.config or vercel.json. We check what's missing and give you the config to paste.

Source maps shipping to production

Production source maps hand your entire source — and sometimes inline secrets — to anyone who opens devtools. We look for them so you can turn them off before someone else reads them.