This is what a Vibe Check looks like
Below is a real OpzyAI scan of a demo app we deliberately built to leak — so you can see exactly what you'll get before scanning your own. Every finding, score and fix here came straight out of the scanner.
Serious holes are exposed right now. Fix the criticals before you share this app.
Found Supabase service_role key (eyJhbG…0000) in page HTML. This key bypasses all Row-Level Security — anyone can read and write your entire database.
Fix: Use the anon (public) key in the browser; keep service_role on the server only. Then rotate keys in Supabase → Settings → API.
page HTML
Found Google API key (AIzaSy…0000) in page HTML. Google browser keys are only safe if restricted; an unrestricted key can be abused on your bill.
Fix: Restrict this key to your domain and specific APIs in the Google Cloud console.
page HTML
The response did not set the Content-Security-Policy header.
Fix: Set a Content-Security-Policy to mitigate XSS and data-injection (start in report-only, then enforce).
https://opzyai-demo-app.vercel.app/
The response did not set the X-Frame-Options header.
Fix: Set `X-Frame-Options: SAMEORIGIN` (or CSP `frame-ancestors`) to prevent clickjacking.
https://opzyai-demo-app.vercel.app/
The response did not set the X-Content-Type-Options header.
Fix: Set `X-Content-Type-Options: nosniff` to stop MIME-type sniffing.
https://opzyai-demo-app.vercel.app/
The response did not set the Referrer-Policy header.
Fix: Set a `Referrer-Policy` (e.g. `strict-origin-when-cross-origin`).
https://opzyai-demo-app.vercel.app/
The response did not set the Permissions-Policy header.
Fix: Set a `Permissions-Policy` to restrict powerful browser features.
https://opzyai-demo-app.vercel.app/
Your app won't look like a demo — but most AI-built apps leak something. Find out what yours is exposing. Free, no account, ~15 seconds.