VIBESCAN SCAN METHODOLOGY
How VibeScan works — transparency about what we check, how we score, and what we cannot detect
Important: VibeScan performs automated, non-intrusive checks only. We do not perform penetration testing, attempt to exploit vulnerabilities, or access any data beyond what is publicly visible. All checks are passive and read-only.
How a Scan Works
When you submit a URL, VibeScan performs the following steps:
- Fetch: We send one HTTP GET request to the submitted URL using a standard browser User-Agent, so the response is what an ordinary visitor would receive.
- Analyse: We analyse the HTTP response headers, HTML source code, and loaded JavaScript for patterns associated with security vulnerabilities and compliance issues.
- Check exposed files: We send additional GET requests for a small set of common sensitive file paths (e.g. /.env, /.git/config) to check whether they are publicly readable.
- Score: We calculate a score from 0–100 based on the findings. See scoring below.
- Report: We generate a prioritised report with findings, explanations, and step-by-step fix instructions.
The entire process takes between 10 and 60 seconds depending on the target server response time.
Security Checks
API Key & Secret Detection
We scan the page source for patterns matching known API key formats including OpenAI, Google, AWS, Stripe, Slack, and GitHub tokens. These checks use regex pattern matching against publicly visible HTML and JavaScript. We do not attempt to validate or use any keys found.
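The following is an added example of this kind of regex-based secret detection, not VibeScan's own code. The patterns are assumptions drawn from the vendors' documented public key formats (the AWS value in the sample is AWS's documented example access key ID; the other sample values are made up to match the format only), and the report redacts every match so the scan output does not itself leak the key:

```python
import re

# Illustrative patterns for the key families the page names. These are assumptions
# based on the vendors' documented public formats, not VibeScan's own rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token":      re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "slack_token":       re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "google_api_key":    re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "openai_api_key":    re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
}


def redact(token: str) -> str:
    """Keep the prefix (which identifies the vendor) and the last four characters only."""
    return token[:8] + "..." + token[-4:]


def find_secrets(source: str) -> list:
    """Run every pattern over publicly served HTML/JS and return redacted, ordered findings."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(source):
            findings.append({
                "kind": kind,
                "offset": match.start(),
                "redacted": redact(match.group(0)),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample of a client bundle. Only the AWS key is a real documented
# example value; the rest are made up to match the format.
SAMPLE_JS = '''
const stripe = Stripe("pk_live_51H9abcdefghijklmnopqrstuvw");   // publishable key: fine in a browser
const stripeSecret = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";         // secret key: must never ship to clients
const openai = new OpenAI({ apiKey: "sk-abcdefghijklmnopqrstuvwxyz123456789012" });
const slackAuth = "Bearer xoxb-123456789012-abcdefghijklmnop";
const s3 = new AWS.S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "eu-west-1" });
'''

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_JS):
        print(f"{finding['kind']:<20} at offset {finding['offset']:>4}: {finding['redacted']}")
```

Note that the Stripe publishable key (pk_live_...) is deliberately not flagged: it is meant to be embedded client-side, and treating it as a secret would be a false positive. The OpenAI prefix sk- is short enough that the pattern can also hit unrelated strings, so a human should confirm each match before rotating anything.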
Exposed Sensitive Files
We request each of the following paths and report it as exposed only when the server returns a 200 response whose body actually looks like the named file. A 200 alone is not enough: single-page-app hosts commonly answer any unknown path with the application's index page.
- /.env
- /.env.local
- /.env.production
- /.git/config
- /config.json
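An added example of how such probe results can be classified so that a catch-all 200 is not mistaken for an exposed file. This is not VibeScan's code; the responses below are constructed, and the content signatures (a KEY=value line for .env files, a [core] section for .git/config, a JSON object for config.json) are this example's assumptions:

```python
import json
import re
from typing import Dict, List, NamedTuple


class Probe(NamedTuple):
    """One probed path and the response it produced (constructed here, not fetched)."""
    path: str
    status: int
    body: str


# Content signatures: what the body must look like before a 200 counts as exposure.
ENV_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*=", re.MULTILINE)
GIT_CONFIG = re.compile(r"^\s*\[core\]", re.MULTILINE)
HTML_HINT = re.compile(r"<(?:!doctype|html|head|body)\b", re.IGNORECASE)


def body_matches(path: str, body: str) -> bool:
    """Does the body look like the file the path names? An HTML page never does."""
    if HTML_HINT.search(body[:512]):
        return False
    if path.startswith("/.env"):
        return bool(ENV_LINE.search(body))
    if path == "/.git/config":
        return bool(GIT_CONFIG.search(body))
    if path == "/config.json":
        try:
            return isinstance(json.loads(body), dict)
        except ValueError:
            return False
    return False


def classify(probe: Probe) -> str:
    """Map a probe to one of: absent, forbidden, other, exposed, unconfirmed."""
    if probe.status == 404:
        return "absent"
    if probe.status in (401, 403):
        return "forbidden"      # something is there, but the web server refuses it
    if probe.status != 200:
        return "other"
    return "exposed" if body_matches(probe.path, probe.body) else "unconfirmed"


def classify_all(probes: List[Probe]) -> Dict[str, str]:
    return {p.path: classify(p) for p in probes}


# Constructed responses: a SPA fallback page, a blocked file, two real leaks, one miss.
SAMPLE_PROBES = [
    Probe("/.env", 200, '<!doctype html><html><head><title>App</title></head>'
                        '<body><div id="root"></div></body></html>'),
    Probe("/.env.local", 403, "Forbidden"),
    Probe("/.env.production", 200, "# generated by deploy\n"
                                   "DATABASE_URL=postgres://app:pw@db.internal:5432/app\n"
                                   "SUPABASE_SERVICE_ROLE_KEY=placeholder-value\n"),
    Probe("/.git/config", 200, "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
                               '[remote "origin"]\n\turl = https://github.com/example/app.git\n'),
    Probe("/config.json", 404, "Not found"),
]

if __name__ == "__main__":
    for path, verdict in classify_all(SAMPLE_PROBES).items():
        print(f"{path:<18} {verdict}")
```

A 403 is still worth reporting: it usually means the file exists and only a web-server rule stands between it and the public, which is one misconfiguration away from a leak.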
HTTP Security Headers
We check for the presence of the following response headers, which are recommended security best practices:
- X-Frame-Options — prevents clickjacking by stopping other sites from framing the page (the CSP frame-ancestors directive is the modern replacement)
- X-Content-Type-Options — prevents MIME type sniffing
- Strict-Transport-Security (HSTS) — enforces HTTPS at browser level
- Content-Security-Policy — mitigates XSS and injection attacks
- Referrer-Policy — controls referrer information leakage
- Permissions-Policy — restricts access to browser features
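Presence alone is a weak test: a header can be there and still be useless (an HSTS max-age of a few minutes, a CSP whose script-src allows 'unsafe-inline'). The added example below, which is not VibeScan's code, checks each of the six headers for presence and for obviously weak values; the 180-day HSTS floor and the list of weak script sources are this example's assumptions, and the two header sets are constructed:

```python
import re
from typing import Dict, List

# Thresholds and weak-value rules are assumptions of this example, not VibeScan's criteria.
MIN_HSTS_MAX_AGE = 15552000          # 180 days
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def _get(headers: Dict[str, str], name: str):
    """Case-insensitive lookup, because header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_security_headers(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per header that is missing or carries a weak value."""
    findings = []

    def add(header, state, detail):
        findings.append({"header": header, "state": state, "detail": detail})

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        add("X-Frame-Options", "missing", "page can be framed; CSP frame-ancestors is the modern alternative")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", "weak", f"value {xfo!r} is not honoured by current browsers")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None:
        add("X-Content-Type-Options", "missing", "browsers may sniff responses into scripts or styles")
    elif xcto.lower() != "nosniff":
        add("X-Content-Type-Options", "weak", f"value {xcto!r}; only 'nosniff' has any effect")

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        add("Strict-Transport-Security", "missing", "browser will not force HTTPS on return visits")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            add("Strict-Transport-Security", "weak", f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}s")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        add("Content-Security-Policy", "missing", "no policy restricting script sources")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        # script-src falls back to default-src when absent, as the CSP spec defines.
        scripts = directives.get("script-src", directives.get("default-src", []))
        weak = [s for s in scripts if s.lower() in WEAK_SCRIPT_SOURCES]
        if weak:
            add("Content-Security-Policy", "weak", "script sources allow " + ", ".join(weak))

    rp = _get(headers, "Referrer-Policy")
    if rp is None:
        add("Referrer-Policy", "missing", "relies on the browser's default policy")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        add("Referrer-Policy", "weak", f"{rp} still sends the full URL to cross-origin HTTPS sites")

    if _get(headers, "Permissions-Policy") is None:
        add("Permissions-Policy", "missing", "camera, microphone, geolocation etc. not restricted")

    return findings


# Constructed header sets: a typical half-configured app and a hardened one.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for f in check_security_headers(SAMPLE_HEADERS):
        print(f"{f['header']:<28} {f['state']:<8} {f['detail']}")
```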
HTTPS & Mixed Content
We verify whether the site is served over HTTPS and check for mixed content (HTTP resources loaded on an HTTPS page).
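An added example of a static mixed-content check over the served HTML (not VibeScan's own code). It resolves every subresource URL against the page URL so that relative and protocol-relative references are not miscounted, and separates active content (scripts, stylesheets, frames, which browsers block outright) from passive content (images and media, which browsers upgrade or merely warn about). The page URL and HTML are constructed:

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

# Which attribute carries the subresource URL, and whether a browser would block it.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[dict] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets execute in the page; icons and prefetch hints are passive.
            rel = (attrs.get("rel") or "").lower()
            attr, kind = "href", ("active" if "stylesheet" in rel else "passive")
        elif tag in ACTIVE_TAGS:
            attr, kind = ACTIVE_TAGS[tag], "active"
        elif tag in PASSIVE_TAGS:
            attr, kind = PASSIVE_TAGS[tag], "passive"
        else:
            return
        url = attrs.get(attr)
        if not url:
            return
        # urljoin turns "/static/app.js" and "//cdn/x.css" into https URLs on an https page,
        # so only genuinely http:// references survive the scheme check.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append({"tag": tag, "kind": kind, "url": resolved})


def find_mixed_content(page_url: str, html: str) -> List[dict]:
    """Mixed content only exists on an HTTPS page; an HTTP page has nothing to mix."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed page: one blocked script, one passive image, the rest clean.
PAGE_URL = "https://app.example.com/"
SAMPLE_HTML = """
<!doctype html>
<html><head>
  <link rel="stylesheet" href="//fonts.example.com/app.css">
  <script src="http://cdn.example.com/vendor.js"></script>
  <script src="/static/app.js"></script>
</head><body>
  <img src="http://images.example.com/logo.png" alt="logo">
  <iframe src="https://embed.example.com/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:<8} <{f['tag']}> {f['url']}")
```

The limitation is the same as for every static check on this page: resources that client-side JavaScript injects after load are invisible to a parser that only sees the initial HTML.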
Framework Detection
We detect backend platforms commonly used by AI-built apps (Supabase, Firebase) in the page source and flag known high-risk default configurations such as disabled Row Level Security. These are advisory flags only: the presence of the platform is observable from the client, but we cannot verify the actual database configuration remotely.
XSS Indicators
We scan for patterns in the HTML and JavaScript source that are commonly associated with Cross-Site Scripting risks, including unsafe DOM manipulation patterns.
Debug Information Exposure
We count console.log() calls in the served JavaScript. A high number of debug logs in a production build can expose internal application structure.
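The added example below (not VibeScan's code) covers both of the preceding checks: it looks for the usual DOM XSS sinks in served JavaScript, notes whether a typical untrusted source (location.hash, document.referrer and the like) appears in the same statement, and counts console logging calls. It splits on semicolons as well as newlines so a minified one-line bundle still gets per-statement results. The pattern choices are assumptions of this example and the JavaScript sample is constructed:

```python
import re

# Sinks are indicators only: they show where HTML or code is built from strings,
# not whether attacker-controlled data reaches them. Pattern choice is this
# example's assumption, not VibeScan's rule set.
SINK_PATTERNS = {
    "innerHTML_assignment": re.compile(r"\.(?:innerHTML|outerHTML)\s*=(?!=)"),
    "insertAdjacentHTML":   re.compile(r"\.insertAdjacentHTML\s*\("),
    "document_write":       re.compile(r"\bdocument\.write(?:ln)?\s*\("),
    "eval_like":            re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "jquery_html_setter":   re.compile(r"\.html\s*\((?!\s*\))"),
    "react_dangerous_html": re.compile(r"\bdangerouslySetInnerHTML\b"),
}
# Places where untrusted input typically enters client-side code.
SOURCE_PATTERN = re.compile(
    r"\b(?:location\.(?:hash|search|href|pathname)|document\.(?:URL|referrer|cookie)|window\.name)\b"
)
CONSOLE_LOG = re.compile(r"\bconsole\.(?:log|debug|info|trace)\s*\(")


def analyse_js(source: str) -> dict:
    """Return XSS sink indicators (with a same-statement source flag) and a debug-log count."""
    findings = []
    # Statement terminators as well as newlines, so minified bundles are not one giant unit.
    for index, stmt in enumerate(re.split(r"[;\n]", source)):
        sinks = [name for name, pattern in SINK_PATTERNS.items() if pattern.search(stmt)]
        if not sinks:
            continue
        tainted = bool(SOURCE_PATTERN.search(stmt))
        for name in sinks:
            findings.append({
                "statement": index,
                "sink": name,
                "source_in_statement": tainted,   # stronger indicator when True
                "code": stmt.strip(),
            })
    return {
        "xss_indicators": findings,
        "console_log_count": len(CONSOLE_LOG.findall(source)),
    }


# Constructed client-side code: one sink fed straight from the URL fragment, one sink
# with a constant, one safe textContent write, two debug logs, and an eval().
SAMPLE_JS = """
const out = document.getElementById("out");
out.innerHTML = "Results for " + decodeURIComponent(location.hash.slice(1));
document.getElementById("title").textContent = location.hash;
banner.innerHTML = "<b>Welcome back</b>";
console.log("debug: hash", location.hash);
console.log("render complete");
eval(localStorage.getItem("pluginCode"));
"""

if __name__ == "__main__":
    result = analyse_js(SAMPLE_JS)
    for f in result["xss_indicators"]:
        flag = "SOURCE+SINK" if f["source_in_statement"] else "sink only"
        print(f"{flag:<12} {f['sink']:<22} {f['code']}")
    print("console.log calls:", result["console_log_count"])
```

The textContent write on the third line is not reported even though it reads location.hash: textContent does not parse HTML, which is exactly the fix a report should recommend for the innerHTML case above it.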
Legal Compliance Checks (Full Scan)
- Privacy Policy — checks for a link to a privacy policy document (GDPR Article 13)
- Terms of Service — checks for a link to terms of service
- Cookie Consent Banner — detects analytics scripts and checks for a consent banner (GDPR / ePrivacy)
- Image Alt Text — counts images missing alt attributes (WCAG 2.1 / ADA)
- Contact Information — checks for a contact page or mailto link (GDPR requirement)
Scoring
The security score is calculated on a 0–100 scale starting at 100, with deductions for each finding:
| Severity | Score Deduction | Examples |
|---|---|---|
| Critical | −25 points each | Exposed API key, exposed .env file |
| High | −12 points each | No HTTPS, missing privacy policy, HSTS missing |
| Medium | −5 points each | Missing CSP, X-Frame-Options, cookie consent |
| Low | −2 points each | Missing Referrer-Policy, debug logs |
The minimum score is 0. A score of 70+ is considered good. 40–69 needs attention. Below 40 has critical issues requiring immediate action.
Limitations
VibeScan is an automated tool with inherent limitations. The following are outside the scope of our scans:
- Database configuration — we cannot verify Supabase RLS policies or Firebase rules remotely. We flag these as advisory items when we detect these frameworks.
- Authentication vulnerabilities — we cannot test login endpoints, rate limiting, or session management without performing active attacks.
- Server-side code — we can only analyse what is publicly visible in the browser. Server-side logic, API endpoints, and backend vulnerabilities are outside our scope.
- Business logic flaws — application-specific vulnerabilities require manual review.
- Zero-day vulnerabilities — newly discovered vulnerabilities may not yet be in our detection patterns.
- Legal advice — our compliance checks are automated pattern matching. They do not constitute legal advice. Consult a qualified legal professional for definitive compliance assessment.
Responsible Disclosure
If you discover a vulnerability in VibeScan itself, please contact us at necatidenli10@gmail.com. We take security seriously and will respond promptly.