Free security scan · No signup required

Your AI-built site is leaking data.
Find the holes in 8 seconds.

Lovable, Cursor, Bolt and v0 ship working apps — not secure apps. Pantra scans for exposed API keys, missing RLS, open databases, weak headers and dependency CVEs — and gives you the exact prompt to fix each one in your AI tool.

No account required · 3 live checks in ~5 seconds · 100% free


Join 500+ vibe coders · rated 4.8/5 by early users

Built for Lovable, Cursor, Bolt, v0, Replit, Next.js, Astro, SvelteKit

10,000+ SITES SCANNED
94% LEAKED AT LEAST ONE SECRET
37 hours AVERAGE TIME TO FIRST BREACH
What we find on 10,000 vibe-coded sites

AI ships fast. AI also ships open doors.

These are not theoretical issues — they are the findings we see on almost every site built with Lovable, Cursor, Bolt or v0. Each one is a direct path to leaked customer data, a drained payment account or a hijacked domain.

CRITICAL · 57% of Supabase apps

Supabase tables wide open

Row Level Security disabled. Anyone who opens DevTools sees the anon key, hits /rest/v1/users, and downloads your entire user table as JSON in under a minute. No exploit needed — just a curl command.

CRITICAL · 34% leak Stripe / OpenAI / AWS keys

Secret keys in the JS bundle

Service-role tokens, sk-* keys, AWS secrets sitting in the client bundle. Bots scrape public JS files 24/7 — an exposed OpenAI key gets drained to a $20k bill overnight. Stripe secret? Refunds issued straight to attacker cards.

CRITICAL · 22% expose /.env or /backup

Open .env and backup files

A single misplaced deploy config makes /.env, /.git/config, /dump.sql or /backup.zip publicly fetchable. One wget and the attacker owns your database credentials, your Stripe secret, your whole infrastructure.

HIGH · 82% missing CSP, HSTS, X-Frame-Options

No security headers

Missing CSP turns any XSS into full session theft. No HSTS means a coffee-shop Wi-Fi attacker downgrades your login to HTTP and reads the password. No X-Frame-Options? Clickjacking gets account takeovers with one iframe.

HIGH · 68% ship packages with active CVEs

Known-vulnerable dependencies

AI tools pick popular-sounding packages without checking advisories. Outdated Next.js, vulnerable image libraries, abandoned auth helpers — each one a patched, publicly-documented exploit waiting to be automated by scanners.

HIGH · 74% miss SPF, DMARC or CAA

Domain & email spoofable

Without SPF/DMARC, attackers send phishing mails from your own domain to your customers. Without CAA, anyone who breaches a CA can issue a cert for your domain and serve your site. Both silent, both devastating.

What attackers do in 60 seconds

Automation doesn’t sleep. Neither do the bots scanning your site.

These are not James-Bond-level attacks. Each one is a commodity script that runs against every new domain on the internet — yours included, within hours of DNS propagation.

Database dump via anon key

Average cost: $148 per leaked record

Open DevTools → grab NEXT_PUBLIC_SUPABASE_ANON_KEY → curl /rest/v1/users?select=* → 10,000 user emails and password hashes on disk. Listed on BreachForums by dinner.

OpenAI / AWS key drained

Typical loss: $5k–$50k in 24 hours

GitHub-trained scraper finds sk-* in your public bundle → spins up 1,000 parallel requests → bills you $40k in GPT-4 compute before your rate-limit alert fires. Good luck getting a refund.

XSS → session takeover

Every logged-in user hijacked silently

Missing CSP + an unsanitised comment field = attacker script runs in every visitor’s browser. Steals session cookies, impersonates users, drains balances, orders shipments. You only notice from support tickets.

Phishing from your own domain

15–40% of customers fall for domain-spoofed mails

No SPF, no DMARC. Attacker sends "urgent password reset" from billing@yourdomain.com. Your customers click. Credentials straight to the attacker, support rage straight to you, reputation to the bottom.

/.env download → full infra ownage

Game over. Every credential must be rotated.

wget https://yoursite.com/.env → DATABASE_URL, STRIPE_SECRET, JWT_SECRET, AWS keys in one file. Attacker now owns every system you own. Takes them 90 seconds. Takes you 6 months to recover trust.

Dependency CVE → remote code exec

Your server becomes someone else’s server

Your AI tool installs an outdated package with an RCE advisory. Shodan + automated scanners find it in hours, drop a cryptominer or ransomware loader on your box, pivot into your database. All via a library you never chose.

Anatomy of a breach

How a Lovable app ends up on BreachForums — step by step.

Not a hypothetical. This is the exact sequence we reconstruct every week when a founder emails us at 3am, panicking.

  1. T + 0h

    You ship a new feature

    Cursor generates a "user profiles" table. It creates the table, hooks up the REST endpoint — and forgets to enable Row Level Security. Everything works in your browser. You push to prod.

  2. T + 4h

    A scanner finds you

    Automated bots sweep the internet for new deploys. They diff your JS bundle, extract the Supabase URL and anon key, and probe /rest/v1/ for tables without RLS. Yours answers with data.

  3. T + 5h

    The table is exfiltrated

    One curl with ?select=*&limit=100000 and the attacker has your entire profiles table — emails, phone numbers, whatever you store. Zipped, encrypted, off your servers.

  4. T + 3 days

    It gets listed for sale

    The dump appears on BreachForums, Telegram channels, Russian-Market listings. Price: $200 for the whole dataset. Dozens of buyers download it. It will now circulate forever.

  5. T + 6 weeks

    You hear about it on Twitter

    A user screenshots their email in a leak checker, tags your handle. Now you have a disclosure notice, a GDPR fine risk, a mailing list of furious customers and no clue when it actually happened.

What Pantra would have done at T + 4h

Our daily scan hits the same REST endpoint the attacker does. It detects the RLS gap on the new table within one scan window, emails you "CRITICAL: user_profiles readable without auth" and hands you the exact SQL to close it — before the bots finish their sweep.
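The "exact SQL to close it" step above, written out as an added example (this is not Pantra's generated output). Supabase runs on Postgres, so both the check and the fix are plain SQL; the table name user_profiles comes from the alert text above, while the user_id column and the "owner reads own row" rule are assumptions about the app's schema.

```sql
-- Added example, not Pantra's generated SQL. Assumes a public.user_profiles
-- table with a user_id uuid column holding the owning auth.users(id).

-- 1. Detection: list tables in the public schema (the schema PostgREST
--    exposes under /rest/v1/) that do not have Row Level Security enabled.
--    Every table this returns is readable with nothing more than the anon key.
SELECT c.relname AS table_name
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind = 'r'          -- ordinary tables only
  AND  NOT c.relrowsecurity;    -- RLS switched off

-- 2. Remediation: turn RLS on. With RLS enabled and no policies defined,
--    requests made as anon or authenticated return zero rows; only the
--    service role (and the table owner) bypass RLS.
ALTER TABLE public.user_profiles ENABLE ROW LEVEL SECURITY;

-- 3. Re-open access deliberately: a signed-in user may read and update only
--    their own row. auth.uid() is Supabase's helper that returns the caller's
--    user id from the JWT; it is NULL for anon requests, so anon matches nothing.
CREATE POLICY "profiles: owner can read"
  ON public.user_profiles
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

CREATE POLICY "profiles: owner can update"
  ON public.user_profiles
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

-- 4. Verify: re-run the detection query in step 1; user_profiles must no
--    longer appear, and an anon GET on /rest/v1/user_profiles returns [].
```

Run the detection query in the Supabase SQL editor after every deploy that touches the schema; it is the same gap the nightly scan described above looks for from the outside.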

Daily Security Monitoring — included in every plan

Keep vibe coding. We watch for breakage.

When you build with Lovable, Cursor, Bolt or v0, you ship every day. Every push can accidentally break security — RLS disabled on a new table, an API key bundled to the client, security headers stripped on a redeploy. Pantra scans your site every night and only emails you when something critical or high-severity actually appears.

Why vibe coders need this

  • AI tools regenerate code — new tables ship without RLS, auth guards disappear silently.
  • A single prompt can rewrite your server config and drop CSP or HSTS without you noticing.
  • Deploys happen daily. Without monitoring you find out 6 weeks later — when data is already out.
  • No daily-report spam. Email only arrives when something critical or high-severity is new.

What we monitor every day

  • Supabase RLS & Auth: Row Level Security on every table, auth-probe against the REST endpoint.
  • Exposed Secrets: scan for Stripe, OpenAI, AWS, Supabase service keys in JS bundles and public env files.
  • HTTPS & Certificate: valid SSL cert, HTTP→HTTPS redirect, modern TLS, mixed-content check.
  • Security Headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • Sensitive Paths: public access to /.env, /.git, /config, backup files, debug endpoints.
  • DNS Security: SPF, DMARC, CAA records — protect your domain from email spoofing and cert misuse.
  • Cookies & Resources: HttpOnly, Secure, SameSite flags; subresource integrity on external scripts.
  • Information Disclosure: source maps, debug headers, stack traces, comments with TODOs or credentials.

A one-time scan is not enough

A green score today doesn't mean a green score tomorrow.

AI coding tools regenerate code on every change. A new table ships without RLS. A "fix auth" prompt downgrades your security headers. A redesign strips out the schema. Without monitoring you find out 6 weeks later — in a Telegram dump or a Google ranking crash.

Without monitoring

  1. Day 1: you ship an audit fix — score 85.
  2. Day 3: AI adds a feature that skips RLS.
  3. 6 weeks later: a user dumps your table on a Telegram channel.


With daily monitoring

  • Full daily scan on every plan — Agency runs 2× per day
  • Email alert the moment a critical finding appears
  • Score trend graph — SEO / Security / GEO over time
  • Diff between scans — you see exactly what regressed
  • Catch it in days, not months

Your stack

Built with [tool]? We speak your stack.

Every vibe-coding tool has its own blind spots. Pantra detects the stack and returns fix prompts in the right dialect.

Oh — and also SEO & AI visibility

Because a secure site no one can find is still a tree falling in an empty forest.

Security is the headline — but every Pantra scan also runs a full SEO audit (meta, schema, Core Web Vitals, sitemap, headings) and a GEO audit for ChatGPT, Perplexity and Google AI Overviews. Fix-prompts included.

SEO audit

Meta tags, canonical, schema, sitemap, robots.txt, Core Web Vitals, alt-text, internal links. Graded 0–100.

GEO audit (AI visibility)

AI crawlers allowed, llms.txt, Q&A schema, SSR content, Bing verification. So ChatGPT & Perplexity actually cite you.

How AI picks what to recommend

AI engines crawl the web looking for structured, citable, server-rendered content. Pages with proper schema, FAQ blocks, and llms.txt rank higher in the AI-citation index. Once an engine learns to cite a source, it keeps citing — for the same query type — across millions of users.

Pricing

Three plans. No free trial. No surprises.

Pay monthly, cancel anytime. VAT is calculated by Lemon Squeezy based on your country.

Starter

For solo vibe coders

$19/mo
Get started
  • 1 project
  • Daily Security Audit + Monthly GEO Audit
  • SEO Strategy Generator
  • Stack-specific fix-prompts for Lovable, Cursor, Bolt, v0
  • Email alerts on new critical findings
  • 30-day history · Trust badge mandatory

Most popular

Pro

For indie devs with multiple apps

$79/mo
Get started
  • 5 projects
  • Everything in Starter
  • 365-day history
  • Trust badge removable
  • Google Search Console integration
  • Per-project monitoring toggle

Agency

For agencies & power users

$199/mo
Get started
  • 15 projects
  • Everything in Pro
  • Unlimited history
  • 5 team seats
  • Trust badge removable
  • Priority support

Cancel anytime. No questions asked.

Roadmap

Where your alerts are going next

Email alerts ship today. These channels are on the way — upvote what you need and we build it first.

Slack alerts

Soon

New critical findings pinged directly into your team channel with the fix-prompt ready to copy.

Discord alerts

Soon

Webhook into your indie-hacker or community server. Same payload as Slack, Discord-native formatting.

Telegram bot

Soon

Push notification on your phone the moment a regression hits production.

Generic webhooks

Soon

POST the full finding JSON to any endpoint. Plug Pantra into your own incident tooling.

Make.com + Zapier

Soon

Trigger scenarios when a new critical issue appears — create a ticket, notify a client, page on-call.

Public API

Soon

Programmatic access to scans, findings and deltas. Part of the Enterprise plan — in beta for Agency.

Testimonials

Trusted by vibe coders worldwide

Indie hackers, SaaS founders and agencies use Pantra to ship audit-proof sites.

"Found a critical Supabase RLS leak on my Lovable app in under 10 seconds. The fix-prompt worked on the first try in Cursor."

Jonas M. · Indie Hacker · Lovable

"The GEO audit caught that my site was invisible to ChatGPT. Two prompts later my content shows up in AI answers."

Sarah K. · SaaS Founder · v0

"We run Pantra on every client site before handoff. Daily scans plus SMS alerts mean the Agency plan pays for itself on the first project."

Marc D. · Agency Lead · Bolt + Cursor

"Daily monitoring caught a regression the morning after a Lovable update that broke all my meta tags. Would have bled traffic for weeks."

Priya R. · Solo Founder · Lovable

Run your first audit in 8 seconds

Free. No signup. No credit card.

Scan my site