Built for vibe-coded apps

Your AI built the app. We check if it's secure.

RepoFort scans your codebase and live site for the security gaps AI coding assistants leave behind — before your users, or someone else, finds them first.

No credit card required · Free tier · Results in under 60 seconds

repofort — repo + live site · 26 checks · Live
$ repofort scan --full https://my-saas-app.vercel.app
✓ Fetching repository + live site
✓ Running 26 security checks
⚠ Supabase RLS disabled on 3 tables  [Critical]
⚠ Stripe webhook has no signature check  [Critical]
⚠ Missing Content-Security-Policy header  [High]
⚠ CORS allows all origins (*)  [High]
✓ Scan complete · Score: 48 / 100 · Grade F
26 security checks per scan
A – F letter grade for every project
< 60s to first results, no waiting around
0 installs: paste a URL, done

Common risks: Supabase RLS disabled, Stripe webhook unsigned, CORS wildcard origin, Secrets committed to git, Admin route exposed, Missing CSP header, Server action without auth, Leaked error messages, Insecure cookie flags, No ownership checks, API key hardcoded, JWT secret in source

The gaps your AI assistant missed

AI focuses on making it work. Not on making it safe.

These are the most common security issues we find in vibe-coded apps — shipped silently, exploited loudly.

Supabase RLS not enabled · Critical
Tables without Row Level Security expose every row to anyone holding the public anon key, which ships in your frontend bundle and is used by Supabase's auto-generated API.

Stripe webhook unverified · Critical
Without a signature check, anyone who can reach the webhook URL can post a fabricated payment event and trigger order fulfillment.

Server action without auth · High
Next.js server actions that mutate the database without checking the session. Server actions are reachable by any HTTP client, not just your UI.

Missing ownership checks · High
Update and delete operations that don't verify the record belongs to the caller, so a signed-in user can change any other user's rows by id.

Insecure cookie flags · Medium
Cookies set without the Secure and HttpOnly attributes, or with no SameSite attribute (Lax is a sensible default; Strict where the cookie is never needed on cross-site navigation).

Error message leakage · Medium
API routes that return error.message, leaking file paths, SQL fragments and table names to the caller.
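The check this finding asks for, as an added example that is not RepoFort's code or Stripe's library. It reimplements Stripe's documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>` keyed with the endpoint secret, sent as `t=...,v1=...` in the Stripe-Signature header, with a five-minute replay window) so it runs offline; the endpoint secret, the event body and the `handleWebhook`/`handleWebhookUnsafe` names are constructed for illustration. In production call `stripe.webhooks.constructEvent(rawBody, signatureHeader, secret)`, which performs the same verification.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed endpoint secret for this example; the real one is the whsec_... value
// Stripe shows for the endpoint and must come from an environment variable, not source.
const ENDPOINT_SECRET = 'whsec_example_secret_not_real';
const TOLERANCE_SECONDS = 300; // Stripe's documented default replay window

// Stripe's scheme: HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint secret.
function signPayload(rawBody: string, timestamp: number, secret: string): string {
  return createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
}

// Builds a Stripe-Signature header value; stands in for Stripe delivering the event.
function makeStripeSignatureHeader(rawBody: string, timestamp: number, secret: string = ENDPOINT_SECRET): string {
  return `t=${timestamp},v1=${signPayload(rawBody, timestamp, secret)}`;
}

// VULNERABLE: the pattern the finding describes. The body is trusted as-is, so any client
// that can reach the URL can POST a fabricated "payment succeeded" event.
function handleWebhookUnsafe(rawBody: string): { type: string } {
  return JSON.parse(rawBody);
}

// FIXED: verify the header before parsing. Throws with a reason the route maps to HTTP 400.
// `nowSeconds` is injected so the replay check is testable.
function handleWebhook(
  rawBody: string,
  signatureHeader: string | null,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  secret: string = ENDPOINT_SECRET,
): { type: string; id?: string } {
  if (!signatureHeader) throw new Error('missing Stripe-Signature header');

  // Header shape: "t=<unix seconds>,v1=<hex>[,v1=<hex>...]"; other schemes (v0) are ignored.
  let timestamp: number | null = null;
  const candidates: Buffer[] = [];
  for (const item of signatureHeader.split(',')) {
    const eq = item.indexOf('=');
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (key === 't') timestamp = Number(value);
    else if (key === 'v1') candidates.push(Buffer.from(value, 'hex'));
  }
  if (timestamp === null || !Number.isFinite(timestamp) || candidates.length === 0) {
    throw new Error('malformed Stripe-Signature header');
  }
  // Reject stale or future-dated timestamps so a captured valid request cannot be replayed later.
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) {
    throw new Error('timestamp outside tolerance');
  }
  // Constant-time compare against every v1 value (Stripe sends several while a secret is rotated).
  const expected = Buffer.from(signPayload(rawBody, timestamp, secret), 'hex');
  const valid = candidates.some((c) => c.length === expected.length && timingSafeEqual(c, expected));
  if (!valid) throw new Error('signature mismatch');

  return JSON.parse(rawBody);
}
```

Two details matter in a Next.js route handler: read the body with `await req.text()` rather than `req.json()`, because the signature covers the exact bytes Stripe sent, and pass `req.headers.get('stripe-signature')` unchanged. Even with a valid signature, record the event id and ignore duplicates, since Stripe retries deliveries.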
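How to return errors without leaking them, as an added example that is not RepoFort's code. The `ClientError` class, the `errorResponse`/`errorResponseUnsafe` helpers and the sample database error are constructed for illustration; the pattern is to keep the detail in the server log under a request id and send the client only that id plus a generic message, except for errors the app raised on purpose.

```typescript
import { randomUUID } from 'node:crypto';

// Errors the app raises on purpose (validation, not-found) and is willing to show the client.
class ClientError extends Error {
  readonly status: number;
  constructor(message: string, status = 400) {
    super(message);
    this.name = 'ClientError';
    this.status = status;
  }
}

type ErrorResponse = { status: number; body: { error: string; requestId?: string } };

// VULNERABLE: the pattern the finding describes. Whatever the database driver or Node put
// in err.message (SQL text, table names, absolute file paths) goes straight to the caller.
function errorResponseUnsafe(err: unknown): ErrorResponse {
  return { status: 500, body: { error: err instanceof Error ? err.message : String(err) } };
}

// FIXED: log the full detail server-side under a request id and return only the id and a
// generic message, unless the error is a ClientError we chose to expose.
function errorResponse(err: unknown, log: (line: string) => void = console.error): ErrorResponse {
  const requestId = randomUUID();
  if (err instanceof ClientError) {
    return { status: err.status, body: { error: err.message, requestId } };
  }
  const detail = err instanceof Error ? `${err.name}: ${err.message}\n${err.stack ?? ''}` : String(err);
  log(`[${requestId}] ${detail}`);
  return { status: 500, body: { error: 'Internal server error', requestId } };
}
```

The request id is what makes the generic message workable: a user reports it, and you find the full stack trace in your logs without ever having sent it to the browser.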

+ view all checks in the Security Guide →

How it works

From zero to secured in under a minute

1

Connect your project

Paste your GitHub repo URL, your live site URL, or both. No installs, no tokens required.

2

Watch the scan run

Our engine checks your code for secrets and auth gaps, and probes your live site for misconfigurations. Done in under a minute.

3

Ship guided fixes

Every finding explains the risk and hands you a copy-paste code snippet to resolve it. No security background needed.

Score 54/100 · Grade D · RLS disabled [Critical] · No CSP header [High]

Your security report

Plain English. Not a CVE dump.

Every finding tells you what the vulnerability is, what an attacker could do with it, and exactly how to fix it — written for builders, not security researchers.

  • Security score from 0–100 with a letter grade
  • Findings sorted by what matters most right now
  • Copy-paste code fixes you can ship in minutes
  • Separate code scan and live site scan results
Get your free report

Security Report

my-saas-app.vercel.app

Grade D · 9 findings

54 / 100
3 Critical · 2 High · 1 Medium · 3 Low · 0 Info
Supabase RLS disabled — users can read all rows  [Critical]
Stripe webhook handler has no signature verification  [Critical]
/api/seed route returns 200 in production  [Critical]
Server action writes to DB without auth check  [High]
Missing Content-Security-Policy header  [High]
error.message returned in API response body  [Medium]
Scan completed in 42 seconds · 9 findings across 2 scan types

Inside every finding

Not just a warning. A complete fix.

Every finding in your report explains the vulnerability, the real-world risk, and hands you a copy-paste code snippet to resolve it. No googling, no guessing.

  • Risk callout — what an attacker can actually do
  • Plain-English recommendation — what to change
  • Copy-paste code fix — drop it straight into your project
  • Security Guide link — deep-dive on the rule

Strict-Transport-Security header missing · High · Headers · high confidence

Description

The response does not send an HSTS header over HTTPS, so clients may be vulnerable to downgrade attacks.

Risk

Without HSTS, browsers may connect over plain HTTP first, allowing attackers to intercept the connection before any HTTPS redirect occurs — a technique known as SSL-stripping.

Recommendation

Add a Strict-Transport-Security header to every HTTPS response with a long max-age (at least one year, 31536000 seconds; two years is common). Add includeSubDomains only if every subdomain is served over HTTPS, and add preload only if you intend to submit the domain to the browser preload list, since that is hard to reverse. HSTS protects returning visitors; a user's very first plain-HTTP request can still be stripped unless the domain is preloaded.

Code Fix

Copy and paste this into your project to resolve the issue

// next.config.ts: add to the headers() function so every route sends HSTS
// (drop 'preload' unless you will submit the domain to hstspreload.org)
async headers() {
  return [{
    source: '/(.*)',
    headers: [{
      key: 'Strict-Transport-Security',
      value: 'max-age=63072000; includeSubDomains; preload',
    }],
  }]
},
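What the live-site side of the scan has to do for this finding, the CSP and CORS findings in the sample report, and the cookie-flag finding above, as an added example that is not RepoFort's engine. It audits one response's headers offline: the `auditResponseHeaders` and `parseHsts` names, the one-year max-age threshold and the two sample header sets are constructed for illustration.

```typescript
type Severity = 'High' | 'Medium';
type Finding = { check: string; severity: Severity; detail: string };
type Header = [name: string, value: string];

const ONE_YEAR_SECONDS = 31536000; // the usual minimum recommended HSTS max-age

// Parses the HSTS directives; unknown directives are ignored as browsers do.
function parseHsts(value: string): { maxAge: number | null; includeSubDomains: boolean; preload: boolean } {
  const out = { maxAge: null as number | null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const d = directive.trim().toLowerCase();
    if (d.startsWith('max-age=')) {
      const n = Number(d.slice('max-age='.length).replace(/"/g, ''));
      if (Number.isFinite(n)) out.maxAge = n;
    } else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

// Audits one HTTPS response's headers. Takes [name, value] pairs because Set-Cookie may repeat.
function auditResponseHeaders(headers: Header[]): Finding[] {
  const findings: Finding[] = [];
  const values = (name: string) => headers.filter(([k]) => k.toLowerCase() === name).map(([, v]) => v);

  const hsts = values('strict-transport-security')[0];
  if (hsts === undefined) {
    findings.push({ check: 'Strict-Transport-Security', severity: 'High', detail: 'header missing; the first plain-HTTP request can be stripped' });
  } else {
    const { maxAge } = parseHsts(hsts);
    if (maxAge === null || maxAge < ONE_YEAR_SECONDS) {
      findings.push({ check: 'Strict-Transport-Security', severity: 'Medium', detail: `max-age ${maxAge ?? 'missing'} is below one year (${ONE_YEAR_SECONDS})` });
    }
  }

  if (values('content-security-policy').length === 0) {
    findings.push({ check: 'Content-Security-Policy', severity: 'High', detail: 'header missing; injected scripts load without restriction' });
  }

  if (values('access-control-allow-origin').includes('*')) {
    findings.push({ check: 'CORS', severity: 'High', detail: 'Access-Control-Allow-Origin: * lets any site read the response; acceptable only for public, unauthenticated data' });
  }

  for (const cookie of values('set-cookie')) {
    const [pair, ...rest] = cookie.split(';');
    const name = pair.split('=')[0].trim();
    const attrs = rest.map((a) => a.trim().toLowerCase());
    const has = (attr: string) => attrs.some((a) => a === attr || a.startsWith(`${attr}=`));
    const missing = [['secure', 'Secure'], ['httponly', 'HttpOnly'], ['samesite', 'SameSite']]
      .filter(([key]) => !has(key))
      .map(([, label]) => label);
    if (missing.length > 0) {
      findings.push({ check: 'Set-Cookie', severity: 'Medium', detail: `cookie "${name}" lacks ${missing.join(', ')}` });
    }
    // SameSite=None is only honoured together with Secure; without it the cookie is dropped.
    if (attrs.includes('samesite=none') && !has('secure')) {
      findings.push({ check: 'Set-Cookie', severity: 'Medium', detail: `cookie "${name}" sets SameSite=None without Secure; browsers reject it` });
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real site): a typical unhardened
// API response, and the same response after the fixes.
const UNHARDENED: Header[] = [
  ['content-type', 'application/json'],
  ['access-control-allow-origin', '*'],
  ['set-cookie', 'session=abc123; Path=/'],
  ['set-cookie', 'theme=dark; Path=/; Secure; SameSite=Lax'],
];
const HARDENED: Header[] = [
  ['content-type', 'application/json'],
  ['strict-transport-security', 'max-age=63072000; includeSubDomains'],
  ['content-security-policy', "default-src 'self'"],
  ['access-control-allow-origin', 'https://app.example.com'],
  ['set-cookie', 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['set-cookie', 'theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax'],
];
```

A checker like this cannot tell a session cookie from a theme preference, so treat a missing HttpOnly on a plainly non-sensitive cookie as noise and fix the session cookie first; likewise a wildcard CORS origin is only a problem on endpoints that return data tied to the caller.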

From the builders

Real issues. Fixed fast.

Found 3 critical bugs in my Supabase setup I had no idea about. The fix instructions were so clear I patched everything in 20 minutes.

Alex M.

Built a fintech SaaS with Cursor

I was about to launch and ran this out of curiosity. My Stripe webhook had zero verification. Scary to think what could have happened.

Sarah K.

Indie maker, solopreneur

The security grade is a game-changer for client work. I can show an A rating instead of just saying 'yeah it's secure.'

James L.

Freelance developer

Built for the vibe-coding stack

Next.js · Supabase · Vercel · Stripe · Prisma · Clerk · OpenAI · Resend · Tailwind · shadcn/ui

Don't wait for a breach to find out what was left unsecured.

Run your first scan in under a minute. Free tier includes 1 project and 5 scans per month. No credit card required.

No install required · Results in 60 seconds · Plain English reports · Free to start
RepoFort — Security Scanning for Developers