WHAT WE SCAN

Every check, in plain English.

AI builders ship the feature — not always the safeguards behind it. Snytchr checks the protections a real production app needs, grouped by what could go wrong. Here’s the full list.

Why vibe-coded apps need this

Your database can be wide open

AI builders often scaffold your database without enabling row-level security — so the anon key shipped in your app can read the whole table. It's the single most common breach in vibe-coded apps.

Secret keys ship to the browser

“Put your key here” frequently means the client bundle. Anyone who opens your app can copy a key that was meant to stay on your server and use it on your bill.

Nothing slows down abuse

Without rate limiting or bot protection, your login, sign-up, and AI endpoints can be hammered — brute-forced, spammed, or run up into a surprise invoice.

A URL change reaches other users

When access checks aren't enforced on the server, changing an ID in the URL can surface admin pages or another person's records.

Authentication & Access

User authentication

Essential

Authentication is how your app knows who each user is. Without it, anyone can act as anyone — there's no such thing as a private account or 'my data'.

Authorization / access control

Recommended

Authentication proves who you are; authorization decides what you're allowed to do. Without it, a logged-in user can often reach admin actions or other people's records just by changing a URL or an ID.

Password hashing

When it applies

If your app stores passwords itself, they must be hashed with bcrypt or argon2 — never in plain text. A plain-text password leak means every user's password (and any password they reuse elsewhere) is compromised.

Auth tokens kept out of localStorage

Recommended

Storing a login token or session in localStorage means any injected script (an XSS bug, a compromised dependency) can read it and take over the account. Tokens belong in HttpOnly cookies the browser won't expose to JavaScript.

Data Protection

Database row-level security (RLS)

Essential

Row-level security is the database rule that stops one user from reading or changing another user's rows. On Supabase/Firebase, if RLS (or security rules) are off, your anon key can read the entire table — the single most common breach in vibe-coded apps.

Private file storage

Essential

If your file storage bucket is public, anyone can list and download every uploaded file (IDs, receipts, private images) — or upload their own. Buckets holding user data must be private with per-user access rules.

Input & Injection Safety

Input validation

Essential

Input validation checks that data coming from users is the right shape before your app trusts it. Without it, malformed or malicious input reaches your database and business logic — the root cause of most data corruption and injection bugs.

HTML sanitization (XSS protection)

Recommended

If your app ever renders raw HTML from users (rich text, comments, bios), a sanitizer strips out malicious scripts. Without it, an attacker can inject code that runs in other users' browsers and steals their sessions.

CSRF protection

Recommended

CSRF protection stops a malicious website from making requests to your app using a logged-in user's cookies. Without it, a user who visits a bad link could unknowingly change their settings or make a purchase on your app.

Safe database queries (ORM / parameterized)

Essential

An ORM or parameterized queries keep user input separate from your SQL, which blocks SQL injection — one of the oldest and most damaging attacks, letting an attacker read or wipe your entire database. Building queries by gluing strings together is the dangerous alternative.

Safe file-upload handling

Recommended

File uploads are one of the most-attacked features. Without size and content-type limits, an attacker can exhaust your storage or upload a hostile file that runs when someone opens it.

Secrets & Credentials

Environment/secrets validation

Recommended

Env validation makes your app fail loudly at startup if a required secret (API key, database URL) is missing or malformed — instead of crashing mysteriously in production or, worse, shipping a broken build to users.

No exposed API keys / secrets

Essential

Secret API keys (database service keys, AI keys, payment keys) must stay on the server. If one is shipped to the browser or committed to your code, anyone can copy it to read your data or run up your bills.

Dependencies & Supply Chain

No known-vulnerable dependencies

Essential

Most breaches start with a known-vulnerable dependency. If a package you use has a published CVE, attackers already have the exploit — you just have to be running the old version.

Infrastructure & Transport

Security headers (CSP, HSTS, etc.)

Recommended

Security headers tell browsers to enforce protections like blocking mixed content, framing, and inline scripts. Without them, your app is more exposed to clickjacking and cross-site script injection.

HTTPS / secure transport

Essential

HTTPS encrypts traffic between your users and your app so passwords and personal data can't be read or tampered with in transit. A site served over plain HTTP leaks everything on any shared network.

Safe CORS configuration

Recommended

CORS controls which other websites can call your API from a browser. A wildcard or reflected origin combined with credentials lets any site read your users' data across origins.

Secure cookie flags

Recommended

Session cookies without Secure, HttpOnly, and SameSite can be stolen over plain HTTP, read by injected scripts, or sent along in cross-site requests — a direct path to account takeover.

Abuse & Performance

Rate limiting

Essential

Rate limiting caps how often one person can hit your app. Without it, someone can hammer your login, sign-up, or AI endpoints thousands of times a minute — brute-forcing passwords, spamming emails, or running up a huge bill.

Bot / abuse protection

Recommended

Bots find new apps fast and abuse open forms — fake sign-ups, spam submissions, credential stuffing. A CAPTCHA or bot-detection layer on sensitive forms stops most automated abuse before it costs you.

Caching layer

Recommended

Caching keeps your app fast and your database bill low by not re-fetching the same data on every request. It also absorbs traffic spikes so a burst of users doesn't melt your database.

AI Safety

AI safety controls

Recommended

Apps that call an AI model have their own attack surface: user text reaching the prompt (prompt injection), model output rendered without sanitizing, the API key shipped to the browser, and no token/rate limits (runaway bills).

Monitoring & Logging

Error monitoring

Recommended

Error monitoring tells you when your app breaks for real users — with the stack trace to fix it — instead of you finding out days later from an angry customer. Launching without it means flying blind.

Structured logging

Recommended

Structured logs are your audit trail — who did what, when, and what failed. When something goes wrong in production, logs are often the only way to reconstruct it. console.log scattered around doesn't cut it at launch.

No secrets/PII in logs

Recommended

Logs are stored with weaker access controls than your database. Writing passwords, tokens, sessions, or personal data to logs quietly leaks it to anyone who can read your hosting logs.

Integrations & Webhooks

Payment webhook signature verification

When it applies

Your app takes payments, so it receives webhooks from the payment provider. Without verifying each webhook's signature, an attacker can send a fake 'payment succeeded' event and unlock paid features for free.

Transactional email

When it applies

Transactional email (verification, password reset, receipts) is part of a complete product. A configured provider like Resend means these actually reach users' inboxes instead of failing silently.

Production Readiness

Automated tests

Recommended

Automated tests catch regressions before your users do. Even a handful of tests on your critical flows (sign-up, checkout) means you can ship changes without breaking what already worked.

Continuous integration (CI)

Recommended

A CI pipeline runs your build, type-check, and tests automatically on every change — so broken code is caught before it reaches production instead of after users hit it.

No debug output in production

Recommended

Shipping source maps, verbose server banners, or with type/lint checks disabled hands attackers your original code and version details, and lets bugs reach production. Production builds should be lean and quiet.

See how your app measures up.

Paste your URL and get a launch verdict in 30 seconds — free, read-only, no signup.

Scan your app free