A self-hosted web app that scans websites for security vulnerabilities and provides actionable fix recommendations. Built for developers who ship fast and want to verify their deployed apps are secure.
```bash
npm install
npm run dev
```

Open http://localhost:3000, enter a URL, and scan.
- 18 scanner modules covering headers, TLS, cookies, CORS, auth flows, rate limiting, form security, subdomain enumeration, WebSocket security, dependency CVEs, and more
- 3 scan depths: Quick (4 modules), Standard (12 modules), Comprehensive (all 18)
- Real-time progress via Server-Sent Events -- see results as each module completes
- Technology fingerprinting detects 40+ technologies (Next.js, Vercel, Supabase, Firebase, Clerk, Stripe, Drizzle, tRPC, etc.) and provides stack-specific fix code
- Client-side JS analysis catches 21 secret patterns including OpenAI, Anthropic, Stripe, AWS, Resend, Groq, Neon, PlanetScale, and more
- AI fix prompt export -- copy findings as a prompt optimized for Claude Code, Cursor, or similar AI tools
- Markdown report export for sharing and tracking
- Authenticated scanning -- provide login credentials or paste a session cookie/token to scan pages behind authentication
- Per-directive CSP analysis -- correctly parses Content-Security-Policy directives individually
- Zero external dependencies -- all scanning uses Node.js built-ins
| Module | Quick | Standard | Comprehensive | What it checks |
|---|---|---|---|---|
| Security Headers | x | x | x | CSP (per-directive), HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| Cookie Security | x | x | x | HttpOnly, Secure, SameSite flags |
| TLS/SSL | x | x | x | Certificate validity, expiry, protocol version |
| Tech Fingerprint | x | x | x | 40+ technologies: frameworks, BaaS, auth, payments, AI, deployment platforms |
| CORS | | x | x | Wildcard origins, credentials with wildcard, reflective origin, null origin |
| Info Disclosure | | x | x | .env, .git, source maps, debug endpoints, package.json, GraphQL Playground, Prisma/Drizzle Studio |
| Open Redirects | | x | x | Redirect parameter validation |
| Error Responses | | x | x | Stack traces, path disclosure, SQL errors in 4xx/5xx responses |
| DNS Security | | x | x | SPF, DMARC, DKIM records |
| Auth Flow Analysis | | x | x | OAuth provider detection, redirect_uri/state validation, NextAuth/Supabase Auth probing |
| Rate Limiting | | x | x | Login/API/sensitive endpoint rate limiting, WAF/CAPTCHA detection |
| Form Security | | x | x | HTTP form actions, third-party targets, CSRF tokens, file uploads |
| JS Analysis | | | x | 21 secret patterns (API keys, tokens, DB connection strings) in JS bundles |
| API Discovery | | | x | Common API paths, unauthenticated access, GraphQL introspection |
| Mixed Content | | | x | HTTP resources loaded on HTTPS pages |
| Subdomain Enum | | | x | CT log queries, DNS brute-force, dangling CNAME detection (subdomain takeover) |
| WebSocket Security | | | x | WS endpoint discovery, origin validation, unauthenticated access, Socket.IO |
| Dependency CVEs | | | x | Library version extraction, known CVE matching, exposed package files |
Many applications expose different attack surfaces to logged-in users. The scanner supports two authentication modes:
- Username & Password -- enter your credentials and the scanner will attempt to log in automatically by trying common login endpoints. If the site uses CAPTCHAs, MFA, or OAuth, use the advanced mode instead.
- Cookie / Token -- paste a session cookie or bearer token directly. Useful when automatic login doesn't work, or when you already have a token.
Credentials and tokens are held in memory only for the duration of the scan and are never written to disk or stored server-side.
This scanner is designed as a passive detection tool:
- Only sends standard HTTP requests -- no exploitation attempted
- SSRF protection blocks scanning of private IPs, localhost, and cloud metadata endpoints
- Self-rate-limits to prevent overwhelming the target
- Results and credentials exist only in memory during the scan -- nothing is stored server-side or written to disk
- No authentication required to use the scanner -- fully open and self-contained
Only scan websites you own or have explicit permission to test.
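The SSRF protection listed above is the check that matters most for a self-hosted tool that fetches whatever URL a user types. The following is an added example, not the project's own code, of a literal-host guard using only Node.js built-ins; it assumes the hypothetical names `rejectScanTarget` and `isPrivateAddress`, and it must also be applied to every address DNS returns for the host and to every redirect hop, because an attacker-controlled name can resolve to 127.0.0.1 or 169.254.169.254.

```typescript
// Added example (not the project's code): SSRF guard for a scanner target URL.
// Pure and offline: it inspects the literal host only. Run isPrivateAddress()
// again on resolved addresses and on each redirect hop in a real deployment.
import { isIPv4, isIPv6 } from "node:net";
const BLOCKED_NAMES = new Set(["localhost", "metadata.google.internal"]);
// Ranges that must never be scanned: "this" net, RFC 1918, CGNAT, loopback,
// link-local (which holds the 169.254.169.254 cloud metadata endpoint).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const v4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
function isPrivateAddress(ip: string): boolean {
  if (isIPv4(ip)) {
    const n = v4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
    });
  }
  if (!isIPv6(ip)) return false;
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true; // loopback, unspecified
  // IPv4-mapped: either ::ffff:10.0.0.1 or the hex form ::ffff:a00:1 that
  // the WHATWG URL parser emits for the same address.
  const m = lower.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
  if (m) {
    const [hi, lo] = [parseInt(m[2], 16), parseInt(m[3], 16)];
    return isPrivateAddress(m[1] ?? `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const first = parseInt(lower.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}
// Returns a rejection reason, or null when the literal target may be fetched.
function rejectScanTarget(raw: string): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "invalid URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  // WHATWG parsing already turns 0x7f000001, 2130706433 and 127.1 into 127.0.0.1; IPv6 hosts arrive bracketed.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (BLOCKED_NAMES.has(host) || host.endsWith(".localhost")) return `blocked hostname ${host}`;
  if (isPrivateAddress(host)) return `private or metadata address ${host}`;
  return null;
}
```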
- Next.js 15 (App Router)
- TypeScript
- Tailwind CSS + shadcn/ui
- No database, no auth, no external services
MIT -- Copyright (c) 2026 Noam Raz / Pleasant Secret Labs