Catalogue
175 checks vibecheck runs.
Every rule, grouped by category and severity. Each entry links to a fix guide with the why and the patch.
Categories
22 families.
- Supabase + Postgres exposure
- Firebase + Backend-as-a-Service
- OAuth misconfigurations
- JSON Web Token issues
- Supply chain (SRI, CDN)
- iframe permissions
- Service Workers
- Cross-window messaging (postMessage)
- /.well-known/ disclosure
- GraphQL endpoint exposure
- Password form hardening
- CSP effective-mode simulation
- Exposed config / credential files
- Credentials in URLs + WebSocket auth
- Client-side storage + XSS hardening
- Cookie flags
- Response headers + CSP
- Open redirects
- Self-hosted platform defaults
- Framework + dev artefacts
- Information leaks
- Secrets in client bundles

Supabase + Postgres exposure (7 rules)
Anon keys without RLS, service-role keys in the client, public table reads, public storage buckets.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `postgres_connection_string` | Postgres connection string with credentials in client code |
| critical | `supabase_service_role_jwt_pattern` | Supabase personal access token (`sbp_*`) in client code |
| critical | `service_role_key_exposed` | Supabase service_role key exposed (alias) |
| critical | `supabase_service_role_in_client` | Supabase service_role key in your client bundle |
| high | `rls_policy_not_working` | Supabase RLS policy isn't blocking unauthorized reads |
| high | `open_supabase_storage_bucket` | Supabase Storage bucket marked Public |
| high | `supabase_anon_only_no_rls` | Supabase tables readable without authentication |

Firebase + Backend-as-a-Service (9 rules)
Firestore/RTDB rules wide open, public storage buckets, Convex/Appwrite/Pocketbase mistakes.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `firebase_rtdb_open` | Firebase Realtime Database root readable without authentication |
| high | `appwrite_collection_public_read` | Appwrite collection readable without authentication |
| high | `convex_function_no_auth` | Convex query/mutation returns data without authentication |
| high | `firebase_storage_public_list` | Firebase Storage bucket allows anonymous list |
| high | `firestore_collection_public_read` | Firestore collection readable without authentication |
| high | `pocketbase_list_rule_blank` | Pocketbase collection records readable without authentication |
| medium | `pocketbase_collections_metadata_public` | Pocketbase collections metadata readable without auth |
| info | `convex_deployment_exposed` | Convex deployment URL exposed in client |
| info | `firebase_project_exposed` | Firebase project ID exposed in client |

OAuth misconfigurations (6 rules)
client_secret in client, http:// redirects, dynamic redirect URIs, implicit flow, missing state/PKCE.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `oauth_client_secret_in_client` | OAuth client_secret embedded in client bundle |
| high | `oauth_redirect_uri_dynamic` | OAuth redirect_uri built from user input or template |
| high | `oauth_redirect_uri_http` | OAuth redirect_uri uses http:// (not HTTPS) |
| medium | `oauth_missing_state` | OAuth authorize URL has no state parameter and no PKCE |
| medium | `oauth_implicit_flow` | OAuth uses implicit flow (response_type=token) — deprecated |
| low | `oauth_redirect_uri_localhost` | OAuth redirect_uri points at localhost in a production bundle |
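The rules above reduce to a handful of checks on the authorize URL itself. The function below is an added illustration, not vibecheck's own detector: it takes an authorize URL as it would appear in a bundle and returns the rule IDs from the table. The sample URLs are constructed, and the `production` flag (which decides whether a loopback redirect is a finding) is an assumption made for the example.

```javascript
// Added example, not vibecheck's own code: apply the OAuth rules above to an
// authorize URL lifted from a client bundle. Rule IDs match the table; the
// sample URLs are constructed for illustration.
function auditAuthorizeUrl(rawUrl, { production = true } = {}) {
  const findings = [];
  const params = new URL(rawUrl).searchParams;

  // oauth_client_secret_in_client: a browser-side URL must never carry it.
  if (params.has('client_secret')) findings.push('oauth_client_secret_in_client');

  // oauth_implicit_flow: a response_type containing "token" returns the access
  // token in the URL fragment (implicit grant, deprecated by the OAuth 2.0
  // Security BCP). "code id_token" is a hybrid flow and is not flagged here.
  const responseTypes = (params.get('response_type') || '').split(/\s+/);
  if (responseTypes.includes('token')) findings.push('oauth_implicit_flow');

  // oauth_missing_state: CSRF protection needs state, or PKCE (code_challenge).
  if (!params.has('state') && !params.has('code_challenge')) findings.push('oauth_missing_state');

  const redirect = params.get('redirect_uri');
  if (redirect !== null) {
    // oauth_redirect_uri_dynamic: an unexpanded template placeholder survived the build.
    if (/\$\{|\{\{/.test(redirect)) findings.push('oauth_redirect_uri_dynamic');
    let target = null;
    try { target = new URL(redirect); } catch { /* relative or malformed; nothing to check */ }
    if (target) {
      const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(target.hostname);
      // oauth_redirect_uri_http: the authorization code travels in cleartext.
      // Loopback is the one exception RFC 8252 allows, for native apps.
      if (target.protocol === 'http:' && !loopback) findings.push('oauth_redirect_uri_http');
      // oauth_redirect_uri_localhost: a development redirect shipped to production.
      if (loopback && production) findings.push('oauth_redirect_uri_localhost');
    }
  }
  return findings;
}

// Constructed: everything wrong at once (client secret, implicit flow, no state, HTTP redirect).
const BAD_URL = 'https://idp.example.com/authorize?client_id=abc&client_secret=s3cret'
  + '&response_type=token&redirect_uri=http%3A%2F%2Fapp.example.com%2Fcb';
// Constructed: authorization-code flow with PKCE (S256) and an HTTPS redirect.
const GOOD_URL = 'https://idp.example.com/authorize?client_id=abc&response_type=code'
  + '&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256'
  + '&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb';
// Constructed: otherwise fine, but the localhost redirect from development was left in.
const DEV_URL = 'https://idp.example.com/authorize?client_id=abc&response_type=code&state=xyz'
  + '&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb';
```

Run `auditAuthorizeUrl(BAD_URL)` and you get four findings; `GOOD_URL` produces none, and `DEV_URL` produces only `oauth_redirect_uri_localhost`, because the HTTP check deliberately exempts loopback addresses.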

JSON Web Token issues (5 rules)
alg=none, missing exp, long-lived tokens, admin claims in client-readable tokens.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `jwt_alg_none` | JWT in client bundle uses alg=none |
| high | `jwt_admin_in_client` | Hardcoded JWT with privileged claims in client bundle |
| high | `jwt_no_expiration` | JWT in client bundle has no exp claim |
| medium | `jwt_long_lived` | JWT in client bundle has multi-month expiration |
| info | `jwt_expired_in_client` | Expired JWT hardcoded in client bundle |
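All five rules work from the decoded header and payload alone; no signature check is involved, because a bundle can never legitimately hold the verification secret. The code below is an added example, not vibecheck's detector: it pulls JWT-shaped strings out of a bundle, decodes them, and maps them to the rule IDs above. The tokens, the six-month threshold for `jwt_long_lived`, and the set of claims treated as privileged are all assumptions constructed for the example.

```javascript
// Added example, not vibecheck's own code: decode JWTs found in a client bundle
// and apply the five rules above. Tokens are constructed with a dummy signature.
const SIX_MONTHS = 180 * 86400;
const JWT_RE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*/g;

// base64url helpers written out so they run on any Node version.
const b64urlEncode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
const makeToken = (header, payload) => `${b64urlEncode(header)}.${b64urlEncode(payload)}.c2ln`;

function findJwts(bundleText) { return bundleText.match(JWT_RE) || []; }

function classifyJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return [];
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch { return []; }                       // JWT-shaped, but not a JWT
  const findings = [];
  // jwt_alg_none: unsigned; a verifier that trusts the header accepts forgeries.
  if (String(header.alg).toLowerCase() === 'none') findings.push('jwt_alg_none');
  // jwt_admin_in_client: privileged claims baked into a token every visitor receives.
  const roleish = JSON.stringify({ role: payload.role, roles: payload.roles, scope: payload.scope });
  if (payload.admin === true || payload.is_admin === true || /\b(admin|superuser|service_role)\b/i.test(roleish)) {
    findings.push('jwt_admin_in_client');
  }
  // Expiry: absent, already past, or far enough out to be a standing credential.
  if (typeof payload.exp !== 'number') {
    findings.push('jwt_no_expiration');
  } else if (payload.exp < nowSeconds) {
    findings.push('jwt_expired_in_client');
  } else if (payload.exp - (typeof payload.iat === 'number' ? payload.iat : nowSeconds) > SIX_MONTHS) {
    findings.push('jwt_long_lived');
  }
  return findings;
}

function scanBundle(bundleText, nowSeconds) {
  return findJwts(bundleText).map((token) => ({ token, findings: classifyJwt(token, nowSeconds) }));
}

// Constructed samples with a fixed clock so results are deterministic.
const NOW = 1800000000;
const SAMPLES = {
  none:    makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'u1', exp: NOW + 3600 }),
  admin:   makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1', role: 'admin', iat: NOW, exp: NOW + 3600 }),
  noExp:   makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1' }),
  yearly:  makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1', iat: NOW, exp: NOW + 365 * 86400 }),
  expired: makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1', exp: NOW - 60 }),
};
// Constructed bundle fragment: the token sits inside a fetch() header literal.
const BUNDLE = `const r=await fetch("/api/me",{headers:{Authorization:"Bearer ${SAMPLES.admin}"}});`;
```

`scanBundle(BUNDLE, NOW)` finds the one embedded token and reports `jwt_admin_in_client` for it. Note the precedence in the expiry branch: an expired token is reported as `info` rather than `high`, because it is no longer a usable credential, only evidence of how tokens were handled.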

Supply chain (SRI, CDN) (2 rules)
Cross-origin scripts and stylesheets loaded without Subresource Integrity.

| Severity | Rule | What it catches |
|---|---|---|
| medium | `missing_sri_external_script` | External script loaded without Subresource Integrity |
| medium | `missing_sri_external_stylesheet` | External stylesheet loaded without Subresource Integrity |

iframe permissions (1 rule)
Dangerous Permissions Policy delegations to cross-origin frames.

| Severity | Rule | What it catches |
|---|---|---|
| high | `iframe_dangerous_allow` | Iframe delegates dangerous browser features to a cross-origin frame |

Service Workers (3 rules)
Cross-origin worker registration, cross-origin importScripts, origin-wide scope.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `service_worker_cross_origin` | Service Worker registered from a third-party host |
| high | `service_worker_imports_cross_origin` | Service Worker imports JavaScript from a third-party host |
| low | `service_worker_origin_wide_scope` | Service Worker controls the entire origin (scope: '/') |

Cross-window messaging (postMessage) (2 rules)
Wildcard target origins, message listeners without origin validation — the OAuth/payment-popup token-leak class.

| Severity | Rule | What it catches |
|---|---|---|
| high | `postmessage_listener_no_origin_check` | window 'message' listener doesn't validate event.origin |
| high | `postmessage_wildcard_target` | window.postMessage() called with target origin '*' |
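Both rules describe the same popup token hand-off, one from each side. The snippet below is an added example, not code from vibecheck or from any page it scans: it puts the flagged listener and sender beside their hardened forms, and drives them with a constructed `fakeWindow` so the behaviour can be exercised under Node. In a browser the listeners attach with `window.addEventListener('message', handler)` and `postMessage` is the real one; the origins and tokens are made up.

```javascript
// Added example, not vibecheck's own code: the two postMessage patterns the
// rules above flag, beside hardened forms. fakeWindow and the events are
// constructed stand-ins for the browser objects.

// postmessage_listener_no_origin_check: anything holding a reference to this
// window (the opener of an OAuth popup, a sandboxed frame) can inject a token.
function vulnerableListener(onToken) {
  return (event) => onToken(event.data.token);
}

// Hardened: exact origin comparison (never startsWith/includes, which the
// "idp.example.com.evil.test" event below would pass), then shape-check data.
function hardenedListener(trustedOrigin, onToken) {
  return (event) => {
    if (event.origin !== trustedOrigin) return;
    if (!event.data || typeof event.data.token !== 'string') return;
    onToken(event.data.token);
  };
}

// postmessage_wildcard_target: '*' delivers to whatever document currently
// occupies the target window, including one that navigated away since opening.
function sendTokenWildcard(target, token) { target.postMessage({ token }, '*'); }
// Hardened: the browser drops the message if the target's origin does not match.
function sendTokenPinned(target, token, targetOrigin) { target.postMessage({ token }, targetOrigin); }

// Minimal stand-in for a Window: records what would have been delivered.
function fakeWindow(currentOrigin) {
  const delivered = [];
  return {
    delivered,
    postMessage(data, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === currentOrigin) delivered.push(data);
    },
  };
}

function demo() {
  const received = { vulnerable: [], hardened: [] };
  const vulnerable = vulnerableListener((t) => received.vulnerable.push(t));
  const hardened = hardenedListener('https://idp.example.com', (t) => received.hardened.push(t));
  // Constructed events: one legitimate, one suffix-spoofed origin, one from a
  // sandboxed frame (which reports origin "null").
  const events = [
    { origin: 'https://idp.example.com', data: { token: 'legit' } },
    { origin: 'https://idp.example.com.evil.test', data: { token: 'spoofed-suffix' } },
    { origin: 'null', data: { token: 'sandboxed-frame' } },
  ];
  for (const e of events) { vulnerable(e); hardened(e); }

  // Sender side: the opener was navigated to evil.test after the popup opened.
  const hijacked = fakeWindow('https://evil.test');
  sendTokenWildcard(hijacked, 'leaked');
  sendTokenPinned(hijacked, 'kept', 'https://app.example.com');
  return { received, hijackedGot: hijacked.delivered.map((d) => d.token) };
}
```

`demo()` shows the vulnerable listener accepting all three tokens while the hardened one accepts only `legit`, and the hijacked opener receiving the wildcard-targeted token but not the pinned one. If several origins are legitimate, replace the single `trustedOrigin` with a `Set` and keep the comparison exact.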

/.well-known/ disclosure (5 rules)
Standards-required discovery docs (OIDC, Apple AASA, Android assetlinks, Microsoft Entra) — public by design but worth confirming what's exposed matches intent.

| Severity | Rule | What it catches |
|---|---|---|
| low | `android_assetlinks_exposed` | Android Asset Links file exposed |
| low | `apple_aasa_exposed` | Apple App Site Association file exposed |
| low | `microsoft_entra_association_exposed` | Azure AD / Entra app association exposed |
| info | `openid_configuration_exposed` | OIDC discovery document exposed |
| info | `openid_credential_issuer_exposed` | OpenID Connect verifiable credentials issuer metadata exposed |

GraphQL endpoint exposure (2 rules)
Introspection enabled in production, Playground / GraphiQL / Apollo Sandbox UI reachable on public endpoints.

| Severity | Rule | What it catches |
|---|---|---|
| high | `graphql_introspection_enabled` | GraphQL introspection enabled in production |
| medium | `graphql_playground_exposed` | GraphQL Playground / GraphiQL UI exposed in production |

Password form hardening (4 rules)
Cleartext form submission, missing autocomplete on password fields, outdated `autocomplete="off"` practices.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `password_form_over_http` | Password field on a page served over plain HTTP |
| high | `password_form_action_http` | Password form submits over plain HTTP |
| low | `password_field_no_autocomplete` | Password input has no autocomplete attribute |
| info | `password_field_autocomplete_off` | Password field uses `autocomplete="off"` — outdated guidance |

CSP effective-mode simulation (3 rules)
Per-script CSP simulation: which inline and external scripts on the page would actually execute under the declared policy. Catches drift between strict CSPs and content updates.

| Severity | Rule | What it catches |
|---|---|---|
| high | `csp_external_script_blocked` | External `<script src>` blocked by declared CSP |
| high | `csp_inline_script_blocked` | Inline `<script>` blocked by declared CSP |
| info | `csp_inline_script_hash_pinned` | Inline scripts correctly pinned by CSP hash (positive signal) |

Exposed config / credential files (11 rules)
Deployed .env variants, .git directories, Rails config, ASP.NET web.config, htpasswd, and lock files revealing dep versions.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `exposed_env_file` | .env file accessible at your public root |
| critical | `exposed_git_directory` | .git directory accessible at your public root |
| critical | `exposed_htpasswd` | .htpasswd file exposed — password hashes leaked |
| critical | `exposed_rails_database_yml` | Rails config/database.yml exposed |
| critical | `exposed_rails_secrets_yml` | Rails config/secrets.yml exposed |
| high | `exposed_env_staging` | .env.staging file deployed to production |
| high | `exposed_web_config` | ASP.NET web.config exposed |
| medium | `exposed_env_development` | .env.development deployed to production |
| low | `exposed_nextjs_build_manifest` | Next.js _buildManifest.js exposed |
| low | `exposed_composer_lock` | PHP composer.lock file exposed |
| low | `exposed_gemfile_lock` | Ruby Gemfile.lock file exposed |

Credentials in URLs + WebSocket auth (3 rules)
Auth tokens and API keys passed in URL query strings, including WebSocket URLs (logs, history, Referer leak).

| Severity | Rule | What it catches |
|---|---|---|
| high | `auth_token_in_websocket_url` | Auth token embedded in WebSocket connection URL |
| high | `auth_token_in_url` | Auth token passed in URL query string |
| medium | `api_key_in_url` | API key passed in URL query string |

Client-side storage + XSS hardening (2 rules)
Auth tokens in localStorage/sessionStorage (XSS scope), Trusted Types opt-in opportunities.

| Severity | Rule | What it catches |
|---|---|---|
| high | `auth_token_in_localstorage` | Auth token stored in localStorage or sessionStorage |
| info | `missing_trusted_types` | CSP does not opt in to Trusted Types |

Cookie flags (4 rules)
Auth cookies missing HttpOnly, Secure, or SameSite flags.

| Severity | Rule | What it catches |
|---|---|---|
| high | `cookie_missing_httponly` | Auth cookie missing HttpOnly flag |
| high | `cookie_missing_secure` | Auth cookie missing Secure flag |
| medium | `cookie_missing_samesite` | Auth cookie missing SameSite flag |
| low | `cookie_name_reveals_stack` | Cookie name reveals backend framework |
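A `Set-Cookie` audit is mostly careful parsing: attribute names are case-insensitive, the cookie value may itself contain `=`, and only cookies that carry a session should trigger the three flag rules. The code below is an added example, not vibecheck's detector. The name pattern that decides what counts as an auth cookie and the name-to-framework table behind `cookie_name_reveals_stack` are assumptions made for the example, and the sample headers are constructed.

```javascript
// Added example, not vibecheck's own code: parse Set-Cookie headers and apply
// the four cookie rules above.
const AUTH_NAME = /sess|auth|token|jwt|sid|login|remember/i;     // assumption: what counts as an auth cookie
const STACK_COOKIES = {                                           // assumption: default session-cookie names
  PHPSESSID: 'PHP', JSESSIONID: 'Java servlet container', 'ASP.NET_SessionId': 'ASP.NET',
  'connect.sid': 'Express (express-session)', _rails_session: 'Rails',
  laravel_session: 'Laravel', sessionid: 'Django', csrftoken: 'Django',
};

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');                      // split on the first '=' only; values may contain '='
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();   // attribute names are case-insensitive
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditSetCookie(header, { https = true } = {}) {
  const cookie = parseSetCookie(header);
  const findings = [];
  const revealsStack = Object.prototype.hasOwnProperty.call(STACK_COOKIES, cookie.name);
  if (AUTH_NAME.test(cookie.name) || revealsStack) {
    // HttpOnly keeps the value out of reach of injected script.
    if (!('httponly' in cookie.attrs)) findings.push('cookie_missing_httponly');
    // Secure stops the browser sending it over plain HTTP.
    if (https && !('secure' in cookie.attrs)) findings.push('cookie_missing_secure');
    // SameSite should be explicit: the Lax default is applied differently across
    // browsers, and SameSite=None is only accepted together with Secure.
    if (!('samesite' in cookie.attrs)) findings.push('cookie_missing_samesite');
  }
  if (revealsStack) findings.push('cookie_name_reveals_stack');
  return { cookie, stack: revealsStack ? STACK_COOKIES[cookie.name] : null, findings };
}

// Constructed Set-Cookie headers.
const SAMPLES = {
  django:   'sessionid=4f1c9a2b7e; Path=/',
  hardened: 'auth_token=opaque-value-1; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=3600',
  theme:    'theme=dark; Path=/; Max-Age=31536000',
};
```

`auditSetCookie(SAMPLES.django)` yields all four rules (and `stack: 'Django'`); the hardened cookie yields none; the `theme` cookie is not an auth cookie and so is left alone even though it has no flags.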

Response headers + CSP (15 rules)
Missing security headers, weak Content-Security-Policy, CORS misconfigurations, mixed content.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `cors_origin_reflected_with_credentials` | Server reflects arbitrary Origin AND sets Allow-Credentials: true |
| high | `cors_acao_wildcard_with_credentials` | CORS Access-Control-Allow-Origin: * with Allow-Credentials: true |
| high | `csp_unsafe_eval` | CSP allows 'unsafe-eval' in script-src |
| high | `csp_unsafe_inline_scripts` | CSP allows 'unsafe-inline' in script-src |
| high | `csp_data_uri_in_script_src` | CSP allows data: in script-src |
| high | `csp_wildcard_script_src` | CSP script-src includes a wildcard or full-protocol scheme |
| high | `cors_null_origin_allowed` | Server allows Origin: null |
| high | `cors_origin_reflected` | Server reflects arbitrary Origin in Access-Control-Allow-Origin |
| medium | `auth_page_missing_csp` | Auth page missing Content-Security-Policy |
| medium | `auth_page_missing_hsts` | Auth page missing Strict-Transport-Security |
| medium | `csp_missing_default_src` | CSP has no default-src directive |
| medium | `mixed_content` | HTTPS page loads HTTP resources |
| low | `missing_frame_protection` | No X-Frame-Options or CSP frame-ancestors header |
| info | `csp_report_only` | CSP is in Report-Only mode |
| info | `missing_security_txt` | No /.well-known/security.txt published |
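Most of this table can be evaluated from a single response, with two details worth getting right: the CORS severities depend on which `Origin` you sent (an attacker-controlled origin and the literal `null` are two separate probes), and `script-src` falls back to `default-src` when absent. The function below is an added example, not vibecheck's checker. It takes the response headers of one probe as a plain object plus the `Origin` that was sent, and returns the rule IDs; `mixed_content` and `missing_security_txt` need the page body and a second request and are not covered. The sample responses are constructed.

```javascript
// Added example, not vibecheck's own code: audit one response's headers against
// the rules above. `origin` is the Origin header the probe request carried.
const ATTACKER = 'https://attacker.example';   // constructed probe origin

function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return out;
}

function auditHeaders(headers, { origin = ATTACKER, authPage = true } = {}) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const f = [];

  // CORS: what the server said back to the Origin we sent.
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && creds) f.push('cors_acao_wildcard_with_credentials');   // browsers reject this combination, but it shows nobody tested it
  else if (acao === origin && origin === 'null') f.push('cors_null_origin_allowed');  // sandboxed iframes send Origin: null
  else if (acao === origin) f.push(creds ? 'cors_origin_reflected_with_credentials' : 'cors_origin_reflected');

  // Transport and framing.
  if (authPage && !h['strict-transport-security']) f.push('auth_page_missing_hsts');
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp && h['content-security-policy-report-only']) f.push('csp_report_only');   // reports, enforces nothing
  if (!h['x-frame-options'] && !(csp && csp['frame-ancestors'])) f.push('missing_frame_protection');
  if (!csp) { if (authPage) f.push('auth_page_missing_csp'); return f; }

  // CSP quality. script-src inherits from default-src when it is absent.
  if (!csp['default-src']) f.push('csp_missing_default_src');
  const script = csp['script-src'] || csp['default-src'] || [];
  if (script.includes("'unsafe-eval'")) f.push('csp_unsafe_eval');
  // 'unsafe-inline' is only effective when no nonce or hash neutralises it.
  const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) f.push('csp_unsafe_inline_scripts');
  if (script.includes('data:')) f.push('csp_data_uri_in_script_src');
  if (script.some((s) => ['*', 'https:', 'http:'].includes(s))) f.push('csp_wildcard_script_src');
  return f;
}

// Constructed: a login page whose CSP was added once and never revisited, behind
// an API that reflects Origin with credentials.
const WEAK = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:",
  'Access-Control-Allow-Origin': ATTACKER,
  'Access-Control-Allow-Credentials': 'true',
};
// Constructed: the hardened equivalent.
const STRONG = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'; object-src 'none'",
  'Access-Control-Allow-Origin': 'https://app.example.com',
  Vary: 'Origin',
};
// Constructed: a policy still in report-only mode on a non-auth page.
const REPORT_ONLY = { 'Content-Security-Policy-Report-Only': "default-src 'self'" };
```

`auditHeaders(WEAK)` returns eight findings, led by `cors_origin_reflected_with_credentials`; `auditHeaders(STRONG)` returns none. To exercise `cors_null_origin_allowed`, call it again with the response to a probe that sent `Origin: null` and pass `{ origin: 'null' }`.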

Open redirects (1 rule)
Redirect-after-login endpoints that accept arbitrary external destinations.

| Severity | Rule | What it catches |
|---|---|---|
| medium | `open_redirect` | Open redirect parameter accepts external URLs |

Self-hosted platform defaults (2 rules)
Stock files left in place by self-hosted CMS installs (WordPress, Drupal) that disclose the exact installed version.

| Severity | Rule | What it catches |
|---|---|---|
| medium | `drupal_changelog_exposed` | Drupal /CHANGELOG.txt publicly exposed |
| medium | `wordpress_readme_exposed` | WordPress /readme.html publicly exposed |

Framework + dev artefacts (11 rules)
Source maps, dev-mode bundles, verbose error pages, devtools left enabled in production, and metadata that reveals the framework or internal hostnames.

| Severity | Rule | What it catches |
|---|---|---|
| high | `exposed_sourcemap` | JavaScript source map deployed to production |
| high | `nextjs_dev_in_production` | Next.js dev-mode bundle running on production URL |
| medium | `php_error_disclosed` | PHP errors / warnings disclosed in responses |
| medium | `redux_devtools_enabled` | Redux DevTools enabled in production |
| medium | `verbose_error_stack_trace` | Stack trace returned in response to an unknown URL |
| low | `generator_tag` | Generator meta tag reveals CMS / framework |
| low | `react_devtools_enabled` | React DevTools enabled in production build |
| low | `robots_txt_reveals_paths` | robots.txt reveals interesting paths |
| low | `staging_hostname_in_client` | Staging / internal hostname in client code |
| low | `vue_devtools_enabled` | Vue DevTools enabled in production build |
| info | `robots_blocks_ai_crawlers` | robots.txt blocks AI crawlers |

Information leaks (11 rules)
Webhook URLs, developer comments, internal addresses, prompt templates, OpenAPI specs and Swagger UI, version-revealing headers, and other structural disclosures.

| Severity | Rule | What it catches |
|---|---|---|
| high | `discord_webhook_url` | Discord webhook URL in client code |
| high | `slack_webhook_url` | Slack incoming webhook URL in client code |
| medium | `js_comment_leak` | Developer comment in inline script |
| medium | `html_comment_leak` | HTML comment with developer note |
| medium | `swagger_ui_exposed` | Interactive Swagger UI exposed in production |
| medium | `llm_prompt_template_in_client` | LLM system-prompt template shipped in client code |
| medium | `openapi_spec_exposed` | OpenAPI / Swagger spec publicly exposed |
| low | `internal_ip_in_client` | Private / internal IP address in client code |
| low | `server_version_leak` | Server header includes version number |
| low | `aspnet_version_leak` | X-AspNet-Version / X-AspNetMvc-Version headers exposed |
| low | `x_powered_by_leak` | X-Powered-By header reveals server framework |

Secrets in client bundles (66 rules)
API keys, private credentials, and provider secrets that leaked into the deployed JavaScript bundle.

| Severity | Rule | What it catches |
|---|---|---|
| critical | `anthropic_key` | Anthropic API key in your client bundle |
| critical | `anthropic_key_in_client` | Anthropic key in client (alias) |
| critical | `anyscale_token` | Anyscale API key in your client bundle |
| critical | `atlassian_api_token` | Atlassian (Jira, Confluence, Trello) API key in your client bundle |
| critical | `auth0_management_token` | Auth0 Management API token in client code |
| critical | `aws_access_key_id` | AWS access key ID in your client bundle |
| critical | `azure_storage_key` | Azure Storage connection string in client code |
| critical | `brevo_api_key` | Brevo (formerly Sendinblue) API key in your client bundle |
| critical | `cloudflare_api_token` | Cloudflare API token in your client bundle |
| critical | `cohere_token` | Cohere API key in your client bundle |
| critical | `deepgram_key` | Deepgram API key in your client bundle |
| critical | `elevenlabs_key` | ElevenLabs API key in your client bundle |
| critical | `fal_ai_key` | fal.ai API key in your client bundle |
| critical | `fly_io_token` | Fly.io API key in your client bundle |
| critical | `github_token` | GitHub token in your client bundle |
| critical | `github_webhook_secret` | GitHub webhook signing secret in client code |
| critical | `groq_key` | Groq API key in your client bundle |
| critical | `hubspot_api_key` | HubSpot API key in your client bundle |
| critical | `huggingface_token` | Hugging Face API key in your client bundle |
| critical | `huggingface_token_old` | Hugging Face legacy API token in client code |
| critical | `klaviyo_private_key` | Klaviyo private API key in your client bundle |
| critical | `linear_api_key` | Linear API key in your client bundle |
| critical | `loops_key` | Loops API key in your client bundle |
| critical | `mailgun_key` | Mailgun API key in your client bundle |
| critical | `mapbox_secret_token` | Mapbox secret token in your client bundle |
| critical | `modal_token` | Modal API key in your client bundle |
| critical | `mongodb_connection_string` | MongoDB connection string with credentials in client code |
| critical | `netlify_token` | Netlify API key in your client bundle |
| critical | `notion_integration_token` | Notion API key in your client bundle |
| critical | `npm_token` | npm access token in your client bundle |
| critical | `openai_key` | OpenAI API key in your client bundle |
| critical | `openai_key_in_client` | OpenAI key in client (alias) |
| critical | `perplexity_key` | Perplexity API key in your client bundle |
| critical | `pinecone_key` | Pinecone API key in your client bundle |
| critical | `plaid_secret` | Plaid secret in your client bundle |
| critical | `postmark_token` | Postmark API key in your client bundle |
| critical | `private_key_block` | Private key block embedded in client code |
| critical | `pypi_token` | PyPI API token in your client bundle |
| critical | `redis_connection_string` | Redis connection string with credentials in client code |
| critical | `render_api_key` | Render API key in your client bundle |
| critical | `replicate_token` | Replicate API key in your client bundle |
| critical | `resend_key` | Resend API key in your client bundle |
| critical | `sendgrid_key` | SendGrid API key in your client bundle |
| critical | `sentry_auth_token` | Sentry auth token in your client bundle |
| critical | `slack_bot_token` | Slack bot token in your client bundle |
| critical | `slack_signing_secret` | Slack signing secret in client code |
| critical | `stripe_secret_key` | Stripe live secret key (sk_live_) in your client bundle |
| critical | `stripe_secret_key_in_client` | Stripe secret key in client (alias) |
| critical | `stripe_webhook_secret` | Stripe webhook signing secret (whsec_) in client code |
| critical | `together_ai_key` | Together AI API key in your client bundle |
| critical | `twilio_auth_token` | Twilio Auth Token in client code |
| critical | `vercel_token` | Vercel API key in your client bundle |
| high | `asana_token` | Asana API key in your client bundle |
| high | `datadog_api_key_labelled` | Datadog API key in your client bundle |
| high | `datadog_app_key_labelled` | Datadog Application key in client code |
| high | `webhook_secret_generic` | Generic webhook secret in client code |
| high | `honeycomb_api_key` | Honeycomb API key in your client bundle |
| high | `stripe_restricted_key` | Stripe restricted key (rk_live_) in your client bundle |
| high | `twilio_account_sid` | Twilio Account SID in client code |
| medium | `google_api_key` | Google API key (AIza) in client code |
| medium | `bearer_token_inline` | Hardcoded Authorization Bearer token in client |
| medium | `rollbar_token` | Rollbar API key in your client bundle |
| low | `posthog_api_key` | PostHog public project key (phc_) in client code |
| low | `sentry_dsn` | Sentry DSN in client code |
| info | `openai_org_id` | OpenAI organization ID exposed |
| info | `stripe_connect_account_id` | Stripe Connect Account ID exposed |
Run a scan
One URL. ~3 seconds.
Every rule above runs against any URL you give us. We never store source. We never persist URLs. The case file is the only record.