Documentation

Everything you need to secure your vibe-coded projects

Security that fits how you already build.

BoringSec catches the security gaps that AI tools leave behind — hardcoded secrets, broken RLS, missing auth, unsafe patterns — and gives you copy-paste fixes for Cursor, Lovable, Bolt, and every other AI coding tool.

Why BoringSec?

Built specifically for AI-generated code (Cursor, Lovable, v0, Bolt)
18 scanners running 75+ checks in one scan
Fix prompts optimized per platform — just copy, paste, done
Supabase RLS live testing — actually queries your DB with anon key
Detects Clerk middleware gaps, Stripe webhook bypass, Firebase rules
Free tier — scan 3 sites/month, no credit card
REST API for CI/CD — fail builds on critical vulnerabilities
Claude Code MCP plugin — security checks as you code

Quick Start — Scan via API

One curl command. Results in seconds. No SDK needed.

curl -X POST https://boringsec.com/api/v1/scan \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-app.com"}'

Get your API key at Settings → API Keys (Pro plan, $29/month)

What BoringSec Scans

Every scan runs all applicable modules. You get one score, one report, and fix prompts for every issue.

Secret Detection

AI tools often hardcode API keys directly in your source. We detect 11 provider-specific patterns: Supabase, Stripe, OpenAI, Anthropic, AWS, GitHub, Firebase, and more.

Finds the Stripe key your Cursor session left in the bundle.

Supabase & Firebase Security

We actually query your Supabase instance with the anon key to test if RLS is enforced. We also audit Firebase Security Rules and detect exposed service_role keys.

The only scanner that does live RLS testing, not just regex.

Auth & Middleware Gaps

Clerk publicRoutes wildcard, missing Next.js middleware, JWT tokens in localStorage, OAuth email linking vulnerabilities — 8 auth-specific patterns.

Catches the "everything is public by default" mistake.

Injection, XSS & SSRF

SQL injection, command injection, template injection, DOM-based XSS, reflected XSS, SSRF via user-controlled URLs, mass assignment with Prisma.

Finds the attack vectors AI-generated code commonly introduces.

Stripe & Payment Security

Stripe webhook handlers without constructEvent() verification, hardcoded Stripe keys, missing CSRF protection on payment flows.

Prevents anyone from forging "payment successful" events.

Fix Prompts (42+ Templates)

Every issue comes with a copy-paste fix prompt optimized for your specific AI tool — Cursor, Lovable, Bolt, Claude Code, v0, Windsurf, or Replit.

Fix a critical vulnerability in 2 minutes, not 2 hours.

.cursorrules / AGENTS.md Generator

Generate stack-specific security rules that make every future AI coding session security-aware. Supports Next.js + Supabase, Firebase, Clerk, Stripe stacks.

Prevention > detection. Stop vulnerabilities before AI writes them.

75+ Checks at a Glance

Security Headers: 7 checks
SSL/TLS: 5 checks
DNS (SPF/DKIM/DMARC): 4 checks
Exposed Files: 4 checks
Cookies: 3 checks
CORS: 2 checks
XSS: 2 checks
SQL Injection: 3 checks
Supabase RLS: 3 checks
Firebase Rules: 2 checks
Hardcoded Secrets: 11 patterns
Unsafe Code: 15 patterns
Vulnerable Deps: 20+ packages
GDPR: 3 checks
Bundle Secrets: 2 checks
WAF Detection: 1 check

Ready to ship secure?

Start with a free scan. No account required. See exactly what AI left exposed.

API Base URL

https://boringsec.com/api/v1

Authentication: send an Authorization: Bearer bsk_your_key header with every request. Rate limits: Pro 100/hr, Team 500/hr, Enterprise 2000/hr.