vibeblame

Security scanner
for vibe-coded apps

Paste a URL. Find leaked API keys, missing security headers, and SEO issues.

HOW IT WORKS

$ add
Paste your URL
Doesn't matter if you built it yourself or with an AI assistant. Even if it's just a landing page.
$ blame
We scan and check
We look for API key leaks and security issues, and check your SEO.
$ fix
Get a ready-to-use fix prompt
Copy and paste it into Cursor, ChatGPT, or Claude — and it will fix everything for you.
Open Source

Also available as CLI

Scan from your terminal or integrate into CI/CD.

npx @vibeblame/cli https://your-app.com

View on GitHub

FAQ

What does vibeblame check?
vibeblame runs 4 scanners in parallel: TLS/SSL certificate validation, security headers analysis (CSP, HSTS, X-Frame-Options, and more), JavaScript bundle scanning for exposed source maps and leaked API keys, and an SEO & meta tags audit. You get a 0–100 security score, a 0–100 SEO score, and a combined overall score — all in under 30 seconds.
Is vibeblame free?
Yes, completely free with no registration required. Paste any URL, get a full security and SEO report in under 30 seconds, and share it via a permanent link. No trial, no limits on report features.
Who is vibeblame for?
vibeblame is built for developers who use AI coding tools like Claude Code, Cursor, v0, Lovable, and Bolt to build and deploy web apps. These tools make shipping fast, but often miss security basics — exposed source maps, leaked API keys, missing headers. vibeblame is the quick sanity check before (or after) you go live.
What are source maps and why are they dangerous in production?
Source maps are files (.js.map) that map minified JavaScript back to your original source code. When exposed in production, anyone can read your business logic, find hardcoded secrets, and discover vulnerabilities. Frameworks like Next.js generate them by default. vibeblame checks every JS bundle on your page and tests if the corresponding .map file is publicly accessible.
How does vibeblame detect API key leaks?
vibeblame downloads all JavaScript bundles from your page and scans them against known secret patterns: Stripe keys (sk_live_), Google API keys (AIza), GitHub tokens (ghp_), Slack tokens (xoxb-), and any environment variables exposed via NEXT_PUBLIC_ prefixes. These leaks are especially common in apps scaffolded by AI coding assistants that embed keys directly in client-side code.
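The two bundle checks described in the last two answers (is a source map referenced, and does the bundle text contain strings shaped like known secrets) can be reproduced offline on a downloaded bundle. The following is an added example written for this page, not vibeblame's own scanner code: the key prefixes are the ones named above, while the length and character-class parts of each pattern, the redaction rule and the sample bundle are assumptions constructed for the demonstration. Findings are redacted before they are returned so a report never republishes the full secret.

```javascript
// Added example (not vibeblame's code): scan a JavaScript bundle's text for a
// sourceMappingURL pointer and for client-side secrets with well-known prefixes.

// Prefixes come from the FAQ; the length/charset tails are assumptions chosen
// to keep false positives down on ordinary identifiers.
const SECRET_PATTERNS = [
  { name: 'Stripe live secret key', re: /\bsk_live_[A-Za-z0-9]{16,}\b/g },
  { name: 'Google API key',         re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { name: 'GitHub personal token',  re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: 'Slack bot token',        re: /\bxoxb-[0-9A-Za-z-]{10,}\b/g },
  { name: 'NEXT_PUBLIC_ variable',  re: /\bNEXT_PUBLIC_[A-Z0-9_]+\b/g },
];

// Keep the identifying prefix, mask the rest, so findings are safe to share.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 8) + '*'.repeat(value.length - 8);
}

// Returns one finding per pattern match: type, redacted value, byte offset.
function findSecrets(bundleText) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const match of bundleText.matchAll(re)) {
      findings.push({ type: name, value: redact(match[0]), offset: match.index });
    }
  }
  return findings;
}

// Extracts the "//# sourceMappingURL=" comment and resolves it against the
// bundle's own URL; that resolved URL is what a scanner would then request to
// learn whether the map is publicly readable. Inline data: maps need no fetch.
function findSourceMapUrl(bundleText, bundleUrl) {
  const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(bundleText);
  if (!m) return null;
  if (m[1].startsWith('data:')) return { inline: true, url: null };
  return { inline: false, url: new URL(m[1], bundleUrl).href };
}

function scanBundle(bundleText, bundleUrl) {
  return { secrets: findSecrets(bundleText), sourceMap: findSourceMapUrl(bundleText, bundleUrl) };
}

// Constructed sample bundle: the keys below are fake values of the right shape.
const SAMPLE_BUNDLE = [
  '!function(){var e={apiKey:"AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",',
  'stripe:"sk_live_0123456789abcdefghijkl",env:"NEXT_PUBLIC_BACKEND_SECRET"};',
  'fetch("/api",{headers:{Authorization:"Bearer "+e.stripe}})}();',
  '//# sourceMappingURL=main.3f2a.js.map',
].join('\n');

// Usage: scanBundle(SAMPLE_BUNDLE, 'https://example.test/_next/static/chunks/main.3f2a.js')
```

Running it on the constructed bundle reports three redacted secrets and resolves the map to `https://example.test/_next/static/chunks/main.3f2a.js.map`; a real scan would follow up with a request for that URL and treat a 200 response as an exposed source map.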
Which frameworks and hosting platforms does vibeblame support?
vibeblame automatically detects your tech stack — framework (Next.js, Nuxt, Create React App, SvelteKit, Astro), hosting (Vercel, Netlify, Cloudflare, AWS, Railway, Render), and server (Nginx, Apache, Caddy). The detection is used to tailor the AI fix prompt with stack-specific instructions, like editing next.config.js for Next.js or adding headers in netlify.toml for Netlify.
What security headers does vibeblame check?
vibeblame checks Content-Security-Policy (including unsafe-inline and unsafe-eval), Strict-Transport-Security (HSTS with max-age and includeSubDomains), X-Frame-Options for clickjacking protection, X-Content-Type-Options for MIME-sniffing prevention, Referrer-Policy, Permissions-Policy, and flags X-Powered-By if it's leaking your server stack.
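The header checks listed above are simple enough to reproduce from a response's header map. The following is an added example for this page, not vibeblame's code: the severity labels, the one-year HSTS threshold, the score weights and the two sample header sets are assumptions constructed for the demonstration. It also treats a CSP `frame-ancestors` directive as satisfying the clickjacking check, since that directive supersedes X-Frame-Options in browsers that support it.

```javascript
// Added example (not vibeblame's code): evaluate a response's security headers.
// Severities, thresholds and score weights are assumptions for the demo.

function analyzeSecurityHeaders(headers) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const add = (severity, header, message) => findings.push({ severity, header, message });

  const csp = h['content-security-policy'];
  if (!csp) add('high', 'Content-Security-Policy', 'missing');
  else {
    if (/'unsafe-inline'/.test(csp)) add('medium', 'Content-Security-Policy', "allows 'unsafe-inline'");
    if (/'unsafe-eval'/.test(csp)) add('medium', 'Content-Security-Policy', "allows 'unsafe-eval'");
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) add('high', 'Strict-Transport-Security', 'missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) add('medium', 'Strict-Transport-Security', `max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) add('low', 'Strict-Transport-Security', 'missing includeSubDomains');
  }

  // Clickjacking: X-Frame-Options, or a CSP frame-ancestors directive, is required.
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp || '')) {
    add('medium', 'X-Frame-Options', 'missing (and no frame-ancestors in CSP)');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    add('low', 'X-Content-Type-Options', 'missing or not "nosniff"');
  }
  if (!h['referrer-policy']) add('low', 'Referrer-Policy', 'missing');
  if (!h['permissions-policy']) add('low', 'Permissions-Policy', 'missing');
  if (h['x-powered-by']) add('info', 'X-Powered-By', `leaks server stack: ${h['x-powered-by']}`);
  return findings;
}

// Assumed weights: deduct per finding, floor at 0.
const WEIGHTS = { high: 25, medium: 15, low: 5, info: 0 };
function scoreFromFindings(findings) {
  const deducted = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  return Math.max(0, 100 - deducted);
}

// Constructed sample responses: a typical unconfigured deployment and a hardened one.
const WEAK_RESPONSE = {
  'Content-Type': 'text/html',
  'X-Powered-By': 'Next.js',
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
};
const HARDENED_RESPONSE = {
  'content-type': 'text/html',
  'content-security-policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// Usage: scoreFromFindings(analyzeSecurityHeaders(WEAK_RESPONSE))
```

On the weak sample this yields nine findings (four medium, four low, one informational) and a score of 20 under the assumed weights; the hardened sample produces none. The X-Powered-By finding is informational because it only narrows an attacker's guesswork about the stack; the missing CSP and HSTS protections are what actually change the page's exposure.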
What does the SEO scanner check?
The SEO scanner audits your page's title tag (presence and 30–60 character length), meta description (presence and 120–160 character length), h1 tag (exactly one required), Open Graph tags (og:title, og:description, og:image), canonical link, robots.txt, and llms.txt. Each issue is rated by severity so you know what to fix first.
What is an AI fix prompt and how do I use it?
After scanning, vibeblame generates a ready-to-use prompt tailored to your detected tech stack. Copy it and paste it into ChatGPT, Claude, or your Cursor chat. The prompt describes every found issue with context — for example, instead of a generic 'add CSP header', it says 'add CSP header to the headers() function in your next.config.js' if you're on Next.js. You get specific, actionable fixes, not generic advice.
Does vibeblame store my scan results?
Scan results are stored to generate a permanent shareable URL. We don't store the content of your application — only the security and SEO findings. Recent scans are shown on the homepage with just the domain name and score, without any sensitive details.
How is vibeblame different from other security scanners?
Most free scanners check only HTTP headers or only SSL certificates. vibeblame combines TLS validation, security headers analysis, JavaScript bundle scanning for source maps and leaked secrets, and SEO auditing in one scan. It also detects your tech stack automatically and generates a copy-paste AI fix prompt with stack-specific instructions — something no other free scanner offers.
Does vibeblame check TLS/SSL certificates?
Yes. vibeblame validates TLS protocol version (flags TLS 1.0 and 1.1 as critical), checks certificate expiry (warns if under 14 days), detects self-signed certificates, and verifies that the certificate domain matches your URL. This is checked via a direct TLS connection, not just an HTTP request.