Security scanner

Security Scanner for Cursor Apps

Cursor-built apps are often sophisticated and full-featured — but the AI code generation patterns create predictable security gaps around auth, data validation, and secret handling that VibeScan can identify in seconds.

https://

✓ Free  ·  ✓ No login required  ·  ✓ Results in under 60 seconds

89%
of Cursor apps have at least one critical issue
< 60s
to get your full report
5 checks
run automatically on every scan
Free
no credit card, no account
Common vulnerabilities

The security issues we find in most Cursor apps

Cursor lets you write and ship code faster than ever before. But AI-assisted development has a repeatable blind spot: authentication and authorization logic is often placed on the client side where it can be bypassed.

Client-side authentication checks that are easily bypassed
Cursor frequently generates code that hides UI elements or redirects unauthenticated users on the client side. But if the API route behind that UI does not verify authentication independently, anyone can call it directly. Hiding a button is not the same as protecting the endpoint.
Hardcoded API credentials in generated code snippets
When you ask Cursor to integrate a third-party API, it sometimes generates code with placeholder keys that get replaced with real values — but those real values end up in your source files and potentially in your bundle. A git history search can reveal credentials that were added and then "removed".
Missing server-side input validation
Cursor-generated API handlers often validate inputs on the frontend but skip the same validation on the server. An attacker can bypass the frontend entirely and send malformed data directly to your API, causing unexpected behavior or database corruption.
Stack traces and internal paths in error responses
Cursor-generated error handling commonly returns the full error object in API responses during development. When deployed without cleanup, these traces reveal your framework version, file paths, database structure, and other information that maps your attack surface.
Unprotected admin and internal routes
Cursor generates working admin interfaces quickly, but the routes powering them are sometimes accessible without authentication. A URL like /api/admin/users or /api/internal/stats may return sensitive data to anyone who knows to ask.
Missing CSRF protection on state-changing endpoints
Cursor apps built without explicit CSRF middleware are vulnerable to cross-site request forgery. An attacker's website can trick a logged-in user's browser into making requests to your API — deleting data, changing settings, or transferring funds — without the user's knowledge.
What VibeScan checks

Every scan runs 8 automated checks

VibeScan looks at everything publicly visible in your Cursor app — the same things an attacker would look at on day one.

  • HTTPS enforcement — verifies all traffic is encrypted
  • Security headers — X-Frame-Options, CSP, HSTS, X-Content-Type-Options
  • CORS policy — detects wildcard origin policies
  • Exposed secrets — scans for API keys, JWT tokens, credentials in page source
  • Sensitive paths in robots.txt — identifies admin and internal route exposure
  • Authentication header leakage — finds Bearer tokens in client-side code
  • Supabase credential detection — flags exposed database keys
  • Mixed content detection — identifies insecure resource loading
Scan your Cursor app now

Paste your app URL and get a full security report in under 60 seconds. Free, no signup.

https://
FAQ

Common questions about Cursor security

My Cursor app uses Next.js — are there security issues specific to Next.js I should know about?
Yes. Common Next.js security issues include: exposing server-only environment variables by accidentally prefixing them with NEXT_PUBLIC_, returning sensitive data in getServerSideProps that ends up in the page JSON, and API routes that do not verify the Authorization header.
How do I make sure my Cursor-generated API routes check authentication?
Every API route that returns or modifies user data should start with an authentication check. In Next.js, use getServerSession (NextAuth) or verify your Supabase JWT before proceeding. Ask Cursor to add an auth check to every API route as a first step.
Can VibeScan detect if my admin routes are unprotected?
VibeScan flags admin paths that appear in your robots.txt file and scans for common admin URL patterns in your page source. It cannot actively test each route for authentication — but it identifies the signals that suggest routes may be exposed.
Is it safe to put my database URL in a Next.js environment variable?
Yes, if you use it only on the server side. Never prefix a database URL with NEXT_PUBLIC_ — that ships the value to every user's browser. Server-only environment variables in Next.js are safe as long as they are never referenced in client components.
How often should I run a security scan on my Cursor app?
Run a scan before every major deployment, and any time you add a new third-party integration or change your authentication system. Security posture can change with a single commit — VibeScan makes it easy to check in under 60 seconds.

Is your Cursor app secure?

Paste your URL. Get a full security report in under 60 seconds — free, no login required.

Scan my Cursor app free →