Vibe-coded in a weekend. Leaking ever since?
AI wrote your site fast — and AI-generated code loves to ship secrets to the browser. Security Access reads only what every visitor already sees — your headers, your shipped JavaScript, your public files — and runs 34 checks for the leaks that turn into incidents. No attacks. Ever. This is not a pen test, and it says so.
The security twin of the scores that cover Google and every major AI platform
Security Access is the passive hygiene scan for the vibe-coding era — it reads only what every visitor's browser already sees and finds the keys, files, and missing protections AI-generated code ships by accident. Not a pen test. No attacks, ever. That's the point.
AI code works on the first try. That's exactly the trap.
Vibe-coded sites ship fast because nobody stops to ask where the keys went. The answer, disturbingly often: into the JavaScript every visitor downloads.
Secrets end up in the browser
Database keys, Stripe keys, OpenAI keys, connection strings — pasted where they "worked" instead of where they belong. Anyone who opens DevTools has them.
The quiet misconfigurations
No CSP, no HSTS, cookies without HttpOnly, a downloadable .env, an open GraphQL IDE. None of it breaks the site — it just leaves the door unlocked, invisibly.
You find out from the incident
A scraped key gets used, a database gets dumped, and the postmortem finds a leak that had been sitting in public JavaScript for months — findable by a read-only scan.
34 checks. 12 categories. Zero payloads.
Everything below is read from public responses — the same headers, scripts, cookies, and well-known files any browser already receives. Nothing is exploited, submitted, or brute-forced.
Leaked secrets & keys
~18 key patterns in your shipped JavaScript — Stripe, OpenAI, Anthropic, AWS, GitHub, connection strings — plus JWT decoding to catch a service-role key in the browser.
Exposed files
.env, .git, source maps, backup and config files — the well-known paths that should 404 and, on vibe-coded sites, disturbingly often don't.
Security headers
Nine of them — HSTS, CSP (and whether it's actually strong), frame protection, nosniff, referrer policy, permissions policy, version leaks, CORS.
Cookies & transport
HTTPS enforcement and the cookie flags — Secure, HttpOnly, SameSite — that decide whether a session can be stolen from the side.
Email auth & surfaces
SPF, DMARC, and DKIM (can a stranger send mail as you?), plus exposed surfaces — open GraphQL IDEs, API docs, directory listings, user enumeration.
Dependencies & disclosure
End-of-life and known-vulnerable libraries, subresource integrity, error and debug leaks, security.txt — plus advisory-only signals (like hand-rolled HTML sanitizers) that flag possible risk without polluting your score.
Not a pen test — and honest enough to say so.
Tools that fire payloads at your production site need permission slips, change windows, and luck. Security Access needs none of that, because it only reads what your site already hands to every visitor. The scan itself carries a not-a-pen-test stamp — and when you do need adversarial testing, it tells you to hire one.
What "security scanners" usually do
- Fire attack payloads at your production site and hope nothing breaks.
- Need authorization paperwork and a change window before you dare run them.
- Trip your WAF, pollute your logs, and page your on-call.
- Still miss the key sitting in plain sight in your public JavaScript.
What Security Access does
- Reads, never attacks. Plain GET requests to public pages — headers, shipped JS, cookies, well-known files. Every fetch SSRF-guarded.
- Decodes what's already public. A JWT in your bundle gets its role claim checked — no exploitation required to prove the leak is real.
- Scores with severity caps. One critical finding caps you at 39 — no flattering number over a leaking database key.
- Knows its limits. Every scan is stamped "not a penetration test" — and recommends one when your risk profile actually calls for it.
Read-only requests. Real verdicts.
This is the sweep running — the same requests any browser makes, checked against 34 rules — and the grade landing where the evidence puts it.
What one sweep hands you.
- Proof, not payloads. Every finding above came from reading public responses — the .env that answers 200, the JWT whose role claim says service_role.
- A grade that can't flatter you. Two criticals mean 39/F, no matter how many checks pass — severity caps keep the score honest.
- The fix, per platform. Copy-paste header configs for Vercel, Netlify, nginx, Apache, or Cloudflare; DNS records for email auth; rotate-links for every leaked key.
- A guard that stays on. Every Monday the watch re-checks your baseline — you hear about it only when something new and serious appears. On every plan, from $499/mo.
Hoping vs. hygiene vs. hiring hackers.
| What you get | Hoping for the best | Security Access | Penetration test |
|---|---|---|---|
| Approach | — | Passive, read-only — safe on prod today | Authorized humans actively attacking |
| Finds shipped keys & exposed files | — | Yes — 18 key patterns + JWT role decoding | Yes, among much more |
| Cadence | — | On-demand + weekly watch every Monday | One engagement, then it ages |
| Score honesty | — | Severity-capped: one critical → max 39 | Narrative report |
| What it admits | — | Stamped "not a pen test" — recommends one when you need it | Scoped by contract |
| Cost | Your incident | Included on every plan, from $499/mo all-in | Typically $10k+ per engagement |
Scan. Grade. Fix. Watch.
Scan
Read-only requests to your public pages — headers, shipped JavaScript, cookies, well-known files. No attacks, no change window, safe on production.
Grade
34 checks, severity-weighted into a 0–100 score and an A–F grade — honestly capped at 39 if anything critical is found.
Fix
Copy-paste header configs for your exact platform, DNS records for email auth, rotate-links for leaked keys — guidance only, your site is never modified.
Watch
Every Monday, a passive re-check runs against your baseline. You're emailed only if something new and serious appears — no weekly noise.
The vocabulary of the leak.
The terms your Security Access report uses — defined plainly.
- Passive scan
- A security check that only reads public responses — the same headers, scripts, and files any visitor's browser downloads. No exploitation, fuzzing, injection, or brute force.
- Service-role key
- A backend database credential that bypasses row-level security. Shipped to the browser, it hands any visitor your entire database — the signature vibe-coded leak.
- Content Security Policy CSP
- A response header that whitelists where scripts and resources may load from — the main line of defense against injected-script attacks.
- HSTS
- HTTP Strict Transport Security — a header that forces browsers to use HTTPS for your domain, closing the window where a first request travels unencrypted.
- Severity cap
- An honesty rule in the score: one critical finding caps it at 39, a high at 69, a medium at 89 — a site with a leaked database key can't hide behind passing checks.
- security.txt
- A well-known file telling security researchers how to responsibly disclose an issue to you — a small signal that your site takes reports seriously.
Questions about Security Access.
What is Security Access?
Security Access is AI Syndicate's passive security-hygiene scan, built for the vibe-coding era. It reads only what every visitor's browser already sees — response headers, shipped JavaScript, cookies, and a fixed list of well-known files — and runs 34 checks for the leaks AI-generated code loves to ship: API keys in client bundles, exposed .env and .git files, missing security headers, unprotected cookies, and more. Every finding comes with a fix-it snippet.
Is Security Access a penetration test?
No — emphatically not, and the product says so on every scan. There is no exploitation, no fuzzing, no injection, no brute force, and no authentication bypass: only plain, read-only requests to public pages. If you need adversarial testing with authorization, hire a penetration testing firm — Security Access will tell you the same thing.
What does Security Access check?
34 checks across 12 categories: leaked secrets in shipped JavaScript (~18 key patterns), exposed files (.env, .git, source maps, backups), 9 security headers (HSTS, CSP, and more), cookie flags, transport security, email authentication (SPF, DMARC, DKIM), error and debug leaks, vulnerable and end-of-life libraries, subresource integrity, exposed surfaces like GraphQL IDEs and directory listings, and a responsible-disclosure check for security.txt.
What is a vibe-coded leak?
The class of mistake AI-generated code ships most often: a secret that belongs on the server ending up in the browser. The signature catch is a Supabase service-role key in client JavaScript — Security Access decodes JWTs it finds in your shipped code and checks the role claim, because that one key hands an attacker your entire database. It also catches Stripe, OpenAI, Anthropic, AWS, and GitHub keys, database connection strings, and leftover localhost endpoints.
Is it safe to run on my production site?
Yes — that's the point of being passive. The scan sends only ordinary GET requests to public pages, the same requests any visitor's browser makes, with every fetch SSRF-guarded. Nothing is exploited, submitted, injected, or brute-forced. You can run it on your live production site today without a change window or an authorization letter.
How does the score work?
0–100, severity-weighted across the checks that apply to your site, with honest caps: any critical finding caps the score at 39, a high at 69, a medium at 89 — because a site shipping its database key is not an 85. Grades run A (90+) to F. Findings you review and dismiss stop counting against you.
What is the weekly watch?
Every Monday, Security Access re-runs a passive homepage-level check and compares it to your baseline. You get an email only when something NEW and serious (critical or high) appears — no weekly noise, no unchanged-status spam. The first scan just sets the baseline.
How do I fix what it finds?
Every finding ships with a fix: copy-paste header configurations for your exact platform (Vercel, Netlify, nginx, Apache, Cloudflare), ready-to-add DNS records for SPF and DMARC, and rotate-this-key deep links to the right provider dashboard for any leaked secret. Security Access guides the fix — it never modifies your site.
Which plans include Security Access?
Every plan, from AI Pulse at $499/month up. That includes the full 34-check scan, fix-it snippets, the weekly watch, and a confidential, self-contained report you can hand straight to your developer.
The leak is already public. The only question is who reads it first.
A read-only scan any visitor could run — better it's yours. Start with a free audit; Security Access is included on every plan.