
Startup Security Check — 19 Points, 15 Seconds

Most startup security incidents are preventable. Leaked API keys, exposed .env files, missing security headers — these are detectable in seconds with a passive scan. Run one before you find out the hard way.

78% of startup sites missing CSP header
23% of AI-built apps have exposed API keys
11% serve .env files publicly

What happens when these issues are exploited

Critical: Leaked Stripe key
Attacker creates refunds, modifies subscriptions, or charges arbitrary amounts to your account.

Critical: Exposed Supabase service role key
Full read/write/delete access to your entire database — all user data, all tables.

Critical: Exposed .env file
All secrets in one file — database URL, API keys, JWT secrets — served publicly at /.env.

High: Missing CSP header
XSS vulnerabilities can inject scripts on your pages — stealing sessions, redirecting users.

High: Missing HSTS header
SSL stripping attacks can downgrade HTTPS to HTTP on repeat visits.

Medium: CORS wildcard on API
Any website can make authenticated requests to your API using a user's browser session.

Medium: Source maps in production
Exposes original source code — including comments, internal logic, and any inline secrets.

What you get from the scan

Security Grade (A-F) — one number for stakeholders
Full breakdown of all 19 checks passed/failed
API key leak detection across 17 secret patterns
Security header audit (CSP, HSTS, X-Frame-Options, and more)
Exposed file detection (.env, .git, source maps)
Copy-paste fix prompts for Claude, Cursor, ChatGPT, Gemini
Re-scan after fixes to verify
Free — no signup required for first scan
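As an added example (not the scanner's or AIExposureTool's own code), the checks described in the two lists above, applied passively to one already-fetched response. The secret patterns are an assumed subset, the Stripe key shape is assumed, and the sample bundle is constructed.

```python
import base64
import json
import re

# Secret patterns: a small assumed subset (the page's own 17 patterns are not listed).
STRIPE_LIVE_RE = re.compile(r"\bsk_live_[0-9A-Za-z]{16,}")      # assumed Stripe key shape
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
ENV_LINE_RE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.M)             # KEY=value lines

def jwt_role(token: str):
    """Return the 'role' claim of an (unverified) JWT payload, or None."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)                         # restore base64 padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def audit_response(path: str, status: int, headers: dict, body: str) -> list:
    """Passively audit one already-fetched response; returns severity-tagged findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if path == "/.env" and status == 200 and ENV_LINE_RE.search(body):
        findings.append("CRITICAL: .env file served publicly")
    if STRIPE_LIVE_RE.search(body):
        findings.append("CRITICAL: Stripe live secret key in response body")
    if any(jwt_role(m.group(0)) == "service_role" for m in JWT_RE.finditer(body)):
        findings.append("CRITICAL: Supabase service_role JWT in response body")
    if path == "/":                                              # header checks on the HTML page
        csp = h.get("content-security-policy", "")
        if not csp:
            findings.append("HIGH: missing Content-Security-Policy")
        if "strict-transport-security" not in h:
            findings.append("HIGH: missing Strict-Transport-Security")
        if "x-frame-options" not in h and "frame-ancestors" not in csp:
            findings.append("MEDIUM: missing X-Frame-Options / frame-ancestors")
    # A literal '*' origin never receives cookies; the credentialed variant reflects the Origin header.
    if h.get("access-control-allow-origin") == "*":
        findings.append("MEDIUM: CORS wildcard on API response")
    if path.endswith(".map") or "sourcemappingurl=" in body.lower():
        findings.append("MEDIUM: source map served or referenced in production")
    return findings

# Constructed sample bundle (fake Stripe key, fake unsigned service_role JWT, source-map reference).
_seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
SAMPLE_BUNDLE = (
    'const stripe = Stripe("sk_live_EXAMPLEKEY0000000000000000");\n'
    f'const sb = createClient(url, "{_seg({"alg": "HS256"})}.{_seg({"role": "service_role"})}.sig");\n'
    "//# sourceMappingURL=main.js.map\n"
)
```

Call `audit_response("/main.js", 200, {}, SAMPLE_BUNDLE)` to see the three critical/medium findings the sample triggers; a single GET cannot reveal a reflected-origin CORS policy, so that case needs a request with an Origin header.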

Questions

Why should startups run a security check early?

Early-stage startups are frequently targeted because attackers assume security wasn't a priority. A leaked Stripe key or exposed Supabase service role key can drain your payment account, wipe your database, or expose all user data. A leaked key caught before you have 10,000 users is trivial to fix; the same key found after a public breach is a company-ending event.

Is this scan safe to run on a production site?

Yes — completely passive and read-only. It makes the same GET requests a browser makes. No login attempts, fuzzing, form submissions, or anything that could affect your site. It checks what is already publicly visible.

What's the most common security issue found in startups?

Missing security headers (CSP, HSTS) are by far the most common — missing on ~78% of scanned startup sites. API key leaks in JavaScript bundles are the most severe, affecting ~23% of recently launched apps, especially those built with AI coding tools.

Run your startup security check

Free. No signup. 19 checks in 15 seconds. Security Grade (A-F) instantly.

Startup Security Check — Free 19-Point Website Security Audit | AIExposureTool