Public surface
Things a clean anonymous session can verify without source-code access.
- Security headers and frame protection
- Public source maps and build artifacts
- Secret-shaped strings in client bundles
- CORS, cookies, and HTTPS posture
> ai app security scan
An AI app security scan should first test what an outside visitor can reach: response headers, exposed build files, public source maps, CORS, cookies, client-bundle secrets, platform metadata, and unauthenticated API responses. Use that public-surface scan before you share the URL, then separately review code-level authorization, payment logic, and tenant isolation.
> scan map
Things a clean anonymous session can verify without source-code access.
Signals that an endpoint or storage layer may be reachable without the intended session.
Checks a public scan cannot honestly prove from the outside.
> where vibecodeguard fits
VibeCodeGuard is the first pass for a deployed AI-built web app: paste the public URL, get ranked findings with evidence, then use the report to decide what must be fixed before launch.
> limits
> sources
> faq
Start with the public URL. Check headers, exposed files, source maps, CORS, cookies, client-side secrets, and unauthenticated data responses before you review deeper account-specific logic.
No. A public scan can flag reachable unauthenticated routes, but tenant isolation and role enforcement require account-aware testing or code review.
Run it before sharing the production or staging URL, after major AI-generated changes, and again after fixing any high or critical findings.