Sample report

This is what a Vibe Check looks like

Below is a real OpzyAI scan of a demo app we deliberately built to leak — so you can see exactly what you'll get before scanning your own. Every finding, score and fix here came straight out of the scanner.

Launch Readiness
41/ 100opzyai-demo-app.vercel.app

Serious holes are exposed right now. Fix the criticals before you share this app.

CriticalExposed Supabase service_role key in client code

Found Supabase service_role key (eyJhbG…0000) in page HTML. This key bypasses all Row-Level Security — anyone can read and write your entire database.

Fix: Use the anon (public) key in the browser; keep service_role on the server only. Then rotate keys in Supabase → Settings → API.

page HTML

MediumExposed Google API key in client code

Found Google API key (AIzaSy…0000) in page HTML. Google browser keys are only safe if restricted; an unrestricted key can be abused on your bill.

Fix: Restrict this key to your domain and specific APIs in the Google Cloud console.

page HTML

LowMissing security header: Content-Security-Policy

The response did not set the Content-Security-Policy header.

Fix: Set a Content-Security-Policy to mitigate XSS and data-injection (start in report-only, then enforce).

https://opzyai-demo-app.vercel.app/

LowMissing security header: X-Frame-Options

The response did not set the X-Frame-Options header.

Fix: Set `X-Frame-Options: SAMEORIGIN` (or CSP `frame-ancestors`) to prevent clickjacking.

https://opzyai-demo-app.vercel.app/

InfoMissing security header: X-Content-Type-Options

The response did not set the X-Content-Type-Options header.

Fix: Set `X-Content-Type-Options: nosniff` to stop MIME-type sniffing.

https://opzyai-demo-app.vercel.app/

InfoMissing security header: Referrer-Policy

The response did not set the Referrer-Policy header.

Fix: Set a `Referrer-Policy` (e.g. `strict-origin-when-cross-origin`).

https://opzyai-demo-app.vercel.app/

InfoMissing security header: Permissions-Policy

The response did not set the Permissions-Policy header.

Fix: Set a `Permissions-Policy` to restrict powerful browser features.

https://opzyai-demo-app.vercel.app/

Your app won't look like a demo — but most AI-built apps leak something. Find out what yours is exposing. Free, no account, ~15 seconds.