# Security Access

> Source: https://www.aisyndicate.com/security-access/
> Provider: AI Syndicate · Last updated: 2026-07-16
> Markdown version for LLMs and AI agents. Canonical HTML: https://www.aisyndicate.com/security-access/

## What is Security Access?

**Security Access** is AI Syndicate's passive security-hygiene scan, built for the vibe-coding era. It reads only what every visitor's browser already sees — response headers, shipped JavaScript, cookies, and a fixed list of well-known files — and runs **34 checks across 12 categories** for the leaks AI-generated code ships by accident: API keys in client bundles, exposed .env and .git files, missing security headers, unprotected cookies, and more. Every finding comes with a fix-it snippet.

**It is not a penetration test.** There is no exploitation, no fuzzing, no injection, no brute force, and no authentication bypass — only plain, read-only requests to public pages, every fetch SSRF-guarded. The scan result itself carries a not-a-pen-test stamp, and when a site's risk profile calls for adversarial testing, Security Access recommends hiring a penetration testing firm.

## Why it matters

AI-generated code works on the first try — which is exactly the trap. Secrets that belong on a server get pasted where they "worked": into the JavaScript every visitor downloads. Missing headers, downloadable .env files, and open GraphQL IDEs don't break the site; they just leave the door unlocked until someone walks in. Most owners find out from the incident. All of it is findable by a read-only scan first.

## What it checks (34 checks, 12 categories)

1. **Leaked secrets & keys** — ~18 key patterns in shipped JavaScript (Stripe, OpenAI, Anthropic, AWS, GitHub, database connection strings), plus JWT decoding to catch a Supabase service-role key in the browser — the signature vibe-coded leak.
2. **Exposed files** — .env, .git, source maps, backup/config files.
3. **Security headers** — nine: HSTS, CSP (and whether it's actually strong), frame protection, nosniff, referrer policy, permissions policy, version leaks, CORS.
4. **Cookies & transport** — HTTPS enforcement; Secure, HttpOnly, SameSite flags.
5. **Email authentication** — SPF, DMARC, DKIM.
6. **Errors, debug & exposed surfaces** — error/debug leaks, open GraphQL IDEs, API docs, directory listings, user enumeration.
7. **Dependencies & disclosure** — end-of-life and known-vulnerable libraries, subresource integrity, security.txt — plus advisory-only signals (e.g. hand-rolled HTML sanitizers) that flag possible risk without affecting the score.

## The score

0–100, severity-weighted across applicable checks, with **honest caps**: any critical finding caps the score at 39, a high at 69, a medium at 89 — a site shipping its database key cannot hide behind passing checks. Grades run A (90+) to F. Reviewed-and-dismissed findings stop counting.

## The weekly watch

Every Monday, a passive homepage-level re-check runs against the site's baseline. The owner is emailed **only when something new and serious (critical or high) appears** — no weekly noise. The first scan sets the baseline.

## Fixes

Every finding ships with its fix: copy-paste header configurations per platform (Vercel, Netlify, nginx, Apache, Cloudflare), ready-to-add DNS records for SPF/DMARC, and rotate-this-key deep links to the right provider dashboard. Security Access guides the fix — it never modifies the site. A confidential, self-contained report can be handed straight to a developer.

## How it works

1. **Scan** — read-only requests to public pages; safe on production, no change window.
2. **Grade** — 34 checks, severity-weighted 0–100 + A–F, capped at 39 if anything critical is found.
3. **Fix** — per-platform snippets, DNS records, rotate links. Guidance only.
4. **Watch** — Mondays, baseline comparison, email only on new critical/high findings.

## FAQ

**Is Security Access a penetration test?** No — emphatically not, and the product says so on every scan. No exploitation, fuzzing, injection, brute force, or authentication bypass. For adversarial testing with authorization, hire a penetration testing firm.

**Is it safe to run on production?** Yes — it sends only ordinary GET requests to public pages, the same requests any visitor's browser makes, SSRF-guarded.

**What is a vibe-coded leak?** A secret that belongs on the server ending up in the browser — the class of mistake AI-generated code ships most often. Signature catch: a Supabase service-role key in client JS, confirmed by decoding the JWT's role claim.

**How does the score work?** Severity-weighted 0–100 with caps (critical → max 39, high → 69, medium → 89) and grades A–F.

**What is the weekly watch?** A passive re-check every Monday; email only when something new and serious appears versus baseline.

**How do I fix findings?** Per-platform header snippets (Vercel/Netlify/nginx/Apache/Cloudflare), SPF/DMARC DNS records, rotate-key deep links. The site is never modified.

**Which plans include it?** Every plan, from AI Pulse at $499/month — full scan, fixes, weekly watch, and the confidential developer-ready report.

## Glossary

- **Passive scan** — reads only public responses; no exploitation, fuzzing, injection, or brute force.
- **Service-role key** — a backend database credential that bypasses row-level security; in the browser, it hands any visitor the database.
- **CSP** — Content Security Policy; whitelists where scripts may load from.
- **HSTS** — forces browsers to use HTTPS for the domain.
- **Severity cap** — one critical caps the score at 39; high 69; medium 89.
- **security.txt** — a well-known file telling researchers how to responsibly disclose issues.

## Related

- [AI Access](https://www.aisyndicate.com/ai-access/)
- [SEO Access](https://www.aisyndicate.com/seo-access/)
- [Hallucination Watch](https://www.aisyndicate.com/hallucination-watch/)
- [All products](https://www.aisyndicate.com/products/)
- [Methodology](https://www.aisyndicate.com/methodology/)
