It works ≠ it's safe to ship

Your vibe-coded app is leaking data right now.

Paste your URL. We fingerprint your stack and show you exactly what a stranger can read — in 30 seconds.

Free score · full report $19 · we never store your data
built in public by @artem_vysotskyi →
Free scan
SAFETY
38
F
LEAKRANK · DATA EXPOSED
Supabase detected
users table readable
orders writable
HTTPS + headers
3 tables open · 1.2k rows
scan yours → leakrank.com
1,284 apps scanned · 44% leaking data · live
One scanner · works with
Supabase · Firebase · Convex · Clerk · Custom API

What you get

The scan is free and shows you the damage. The $19 report tells you exactly how to fix it. Connect your repo and we keep watching for the bugs a URL can't see.

The scan · free
$0
0–100 score + grade
Problem areas, named
Proof of one live leak
Exact tables / files / lines
Agent fix-prompt
The fix report · Best value
$19 once
Exact table, file + line per issue
Copy-paste fix prompt for your agent
PDF + verified badge
Unlimited re-scans
Continuous · Tier 2
$29–49/mo
Connect GitHub + Vercel
Catches code-logic bugs (IDOR, broken auth)
Scans every deploy
Alerts the moment you regress
fix-report.txt — what the $19 buys
# paste into Cursor / Claude Code:
You are a security engineer. Fix each issue below,
show file diffs, don't break functionality.

[CRITICAL] Supabase RLS disabled on public.users
   enable RLS; add a policy: auth.uid() = user_id
   1,284 rows are readable with the anon key right now
[CRITICAL] orders table writable by anyone
   add insert/update/delete policies scoped to owner
[HIGH] service_role key in client bundle
   move to server env, rotate the leaked key now

List what you changed and which keys to rotate.

What we scan

Four checks from your URL alone — then Tier 2 reads your code for the logic bugs a URL scanner physically can't see.

01
Database exposure
RLS / security rules off — tables a stranger can read or write with your public key.
02
Leaked secrets / keys
API keys, service-role tokens and .env values sitting in your client bundle.
03
Auth & endpoints
Admin routes and APIs that answer without a session, plus missing security headers.
04
Deploy hygiene
Source maps, debug routes and stack traces left switched on in production.
05 · TIER 2
Code logic
IDOR, backwards auth-middleware, frontend-only role checks. Connect GitHub + Vercel — these never show up from the URL.

Find out before a stranger does.

Free score in 30 seconds · no signup · we never store your data.

Get my free scan →