Scan Methodology

How VibeScan works

VibeScan scans your app from the outside — the same perspective an attacker has. No code access, no credentials, no agent installed. Just a URL.

The scan process

01
You paste your app URL

VibeScan accepts any publicly accessible URL — your production domain, a staging environment, or a preview deployment. No account, no login, no code access required.

02
VibeScan makes an HTTP request to your app

VibeScan's scanner fetches your app URL from a server — the same request a browser or attacker would make. It captures the response headers, HTML body, and loaded JavaScript.

03
Security checks run against the response

Each check analyzes a specific aspect of the response: HTTPS enforcement, security header presence, CORS policy, and secret patterns in the page source. The checks are deterministic — no AI guessing, no false positives from ambiguous signals.

04
Results are scored and presented

Each finding is assigned a severity level (Critical, High, Medium, Low) based on the actual risk it represents. You get a full report with what was found, why it matters, and what to fix.

What VibeScan can and cannot see

✓ Can see
  • HTTP response headers
  • HTML page source
  • Inline and loaded JavaScript
  • CORS policy (from headers)
  • robots.txt content
  • SSL/TLS configuration
  • Publicly exposed secrets in source
✗ Cannot see
  • Your source code or git repository
  • Your database or its contents
  • Server-side environment variables
  • Authentication logic internals
  • API route authorization code
  • Third-party service configurations
  • Password-protected pages

Why outside-in scanning matters

When an attacker looks at your app, they start exactly where VibeScan starts: the publicly visible surface. They check your headers, look for secrets in your page source, probe your CORS policy, and scan your JavaScript for keys and tokens.

The vulnerabilities that are most dangerous are often the ones visible without any special access. A Supabase key in your page source, a wildcard CORS policy, missing X-Frame-Options — these can be found in seconds by anyone.

VibeScan gives you that attacker's-eye view of your own app, so you can fix what's visible before someone exploits it.

Was this helpful?
Next: What We Check →