Methodology

How VibeScan works.

This page explains exactly how VibeScan scans apps, what evidence each check uses, what VibeScan cannot see, and where false positives can occur. Transparency is how a security tool earns trust.

The scanning model

VibeScan is a black-box scanner — it tests only what is publicly visible from the outside, without any code access, credentials, or authentication. This is the same view an attacker or any anonymous visitor has.

Every scan is a series of real HTTP requests made from VibeScan's servers to your app. We make no attempts to authenticate, exploit vulnerabilities, or modify data. We observe and report — nothing more.

What we do
  • Make HTTP/HTTPS requests to your URL
  • Read publicly visible response headers
  • Fetch and analyze public JavaScript bundles
  • Test CORS policy with synthetic origin headers
  • Check unauthenticated Supabase REST endpoints
  • Parse robots.txt and page HTML
What we never do
  • Access your source code or repository
  • Attempt to authenticate as a user
  • Exploit vulnerabilities or extract data
  • Modify, create, or delete any data
  • Store your application's data
  • Share scan results with third parties

Individual checks

Each check is deterministic — based on a specific observable condition, not heuristics or scoring models.

HTTPS enforcement

Critical

Method: HTTP GET request to the plain http:// version of the URL. Checks whether the server issues a redirect to HTTPS or serves over plain HTTP.

Evidence shown: HTTP status code (301/302 redirect vs 200 with no upgrade).

Security response headers

Medium–High

Method: Checks HTTP response headers on the root page for: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy.

Evidence shown: Presence or absence of each header in the HTTP response.

CORS policy

High

Method: Sends a cross-origin preflight request with a foreign Origin header to detected API endpoints. Checks whether Access-Control-Allow-Origin is set to *, null, or a specific origin.

Evidence shown: Access-Control-Allow-Origin header value in the response.

Exposed secrets in JavaScript bundles

Critical

Method: Fetches the page HTML, parses <script src="..."> tags, fetches each JS bundle, and pattern-matches against known secret formats: Supabase anon keys (eyJ...), Stripe publishable keys, JWT patterns, Firebase configs, and generic API key patterns.

Evidence shown: Matched pattern with truncated value shown in report.

Supabase RLS signals

Critical

Method: If a Supabase URL and anon key are found, makes an unauthenticated REST API query to the detected project. If a 200 response returns row data without an Authorization header, this is flagged as an RLS signal.

Evidence shown: HTTP status and response body structure from the Supabase REST API.

robots.txt sensitive path disclosure

Low

Method: Fetches /robots.txt and checks Disallow rules for patterns that reveal sensitive paths: /admin, /api, /internal, /staging, etc.

Evidence shown: Specific Disallow entries in robots.txt.

Mixed content

Medium

Method: Parses the HTML source for http:// references in <script>, <img>, <link>, and <iframe> tags on an HTTPS page.

Evidence shown: URLs of mixed content resources found in page source.

Open redirect signals

High

Method: Tests common redirect parameters (?redirect=, ?url=, ?next=, ?return=) with an external URL as the value. Checks whether the server follows the redirect to the external domain.

Evidence shown: Location header in the 3xx response.

Accuracy and limitations

False positives

VibeScan uses pattern matching on response data. In rare cases, a legitimate API key format in a public code example or documentation comment in a JS bundle may trigger a secrets finding. Every finding shows the raw evidence so you can verify it yourself. If you believe a finding is incorrect, email hello@vibescan.space.

False negatives

VibeScan cannot see authentication-gated content. If your admin panel is behind a login, VibeScan cannot test whether the admin API routes are properly protected. It also cannot detect server-side vulnerabilities (SQL injection, server-side template injection, insecure deserialization) as these require sending crafted payloads, which VibeScan does not do.

RLS detection limitations

VibeScan detects signals of missing Row Level Security — specifically, whether unauthenticated requests to Supabase REST endpoints return row data. This is a strong indicator but not a definitive audit. A full RLS review requires examining your Supabase policy configuration directly.

CORS detection scope

VibeScan tests CORS on the root URL and detected API paths. It cannot enumerate all endpoints in your application. An endpoint VibeScan doesn't discover will not be tested.

Dynamic apps

VibeScan makes a single pass over your app. Findings in JavaScript that is loaded lazily (via dynamic imports or after user interaction) may not be detected.

Responsible disclosure

VibeScan is a security product and we take the security of our own infrastructure seriously. If you discover a vulnerability in VibeScan itself — in the scanning engine, the API, or any web property — please report it responsibly.

Our disclosure policy
  • 1.Email security@vibescan.space with a description of the vulnerability and steps to reproduce.
  • 2.We will acknowledge receipt within 48 hours.
  • 3.We will provide a timeline for remediation within 7 days.
  • 4.We ask for 90 days before public disclosure to allow time to fix the issue.
  • 5.We do not pursue legal action against researchers acting in good faith.
security@vibescan.space

Data handling

When you run a scan, VibeScan processes your app's public HTTP responses on our servers. Here is exactly what we store and what we don't:

We store
  • The URL you scanned
  • The scan results (findings + score)
  • The scan timestamp
  • A generated scan ID for the shareable link
We do not store
  • Your source code
  • Full API key values (truncated only)
  • User account data from your app
  • Database contents

Questions about our methodology?

Reach out at hello@vibescan.space. We're happy to explain any check in detail.

Scan my app free →Read the docs