Free browser security tool
Ship your AI-built app with fewer security blind spots
Free, local-only security checklist for Lovable, Bolt, Replit, v0, Next.js, Supabase and Firebase, mapped to BoringSec scanner evidence and manual controls.
Interactive launch plan
Your stack-specific security checklist
Choose the tools you use. We adjust the data-boundary step and show which real scanner modules can verify each public control.
Progress stays in this browser. We do not send your selections, checklist answers, secrets or private configuration to a server.
Loading local progress…
Browser bundles, source maps and public configuration are downloadable by every visitor.
Do this: Review the production build for private API keys, service-role credentials and signing secrets. Rotate any credential that was shipped.
A signed-in user still must not update another account, workspace, invoice or record.
Do this: List create, update and delete routes. Require server-side authentication, ownership or role checks, input validation and rate limits on each route.
Manual controlThis is a manual code and business-logic control. A public URL scan cannot certify object-level authorization.
Custom databases and APIs need explicit tenant, role and object ownership checks at the server boundary.
Do this: Test unauthenticated and cross-account requests against a safe test record. Confirm the server rejects both read and write attempts.
Manual controlBoringSec reports public evidence, but only an authorized integration or code review can verify private data rules.
Environment files, repository metadata, backups and debug endpoints are routinely requested by bots.
Do this: Confirm production blocks sensitive paths and does not publish source archives, database backups, logs or framework debug endpoints.
Generated CRUD routes still fail when untrusted input reaches queries, commands, redirects or raw HTML.
Do this: Apply a strict schema before business logic, use parameterized queries and avoid raw HTML unless it is sanitized with a reviewed policy.
A certificate alone does not prove safe protocol support, redirect behavior or renewal health.
Do this: Check the production hostname, HTTP-to-HTTPS redirect, certificate chain, expiry and modern TLS protocol support.
Headers reduce script injection, clickjacking, unsafe embedding and accidental server disclosure.
Do this: Deploy a tested Content Security Policy plus HSTS, framing, content-type and referrer controls that match the production app.
Authentication is weakened when session cookies are readable by scripts, sent cross-site or survive invalidation.
Do this: Use Secure, HttpOnly and an intentional SameSite mode. Rotate sessions after privilege changes and invalidate them on logout.
Reflecting arbitrary origins can expose credentialed APIs to attacker-controlled pages.
Do this: Allow only required production origins, reject null and unexpected origins, and never combine wildcard origins with credentials.
DNS mistakes can break trust, weaken sender protection and leave stale ownership records behind.
Do this: Review DNSSEC where supported, SPF, DKIM, DMARC, CAA and production host records. Remove stale verification tokens.
Old previews, dangling subdomains, unnecessary ports and inconsistent WAF coverage expand the attack surface.
Do this: Inventory production and preview hostnames, remove abandoned DNS, close unnecessary services and confirm protection on each live edge.
Compromised scripts, injected redirects, miners and risky runtime dependencies execute in your users’ browsers.
Do this: Remove unused third parties, pin or monitor critical dependencies and investigate unexpected script origins or obfuscated payloads.
BoringSec modulesTechnology & Live CVEs· Public scanClient-Side Threats· Public scanHow verification worksNuclei, OWASP ZAP and Medusa run independently in the background only for an authorized, verified owner.
Do this: Verify ownership, start the Security Audit and keep the report open or return later. Base results remain available while deep engines complete.
BoringSec modulesNuclei· Verified ownerOWASP ZAP· Verified ownerMedusa· Verified ownerHow verification worksA completed planning checklist is not certification. Only persisted scanner evidence can confirm a result.
Turn the plan into scanner evidence.
Checking every box records your plan only. It is not a certification, penetration test or verified result. Run the Security Audit to test the public controls and unlock eligible deep engines after ownership verification.
Use the right level of proof
A checklist creates a plan. A scan creates evidence.
Public modules can check observable controls without an account. Nuclei, OWASP ZAP and Medusa require a signed-in scan plus verified domain ownership. Manual business-logic controls remain manual because a black-box URL scan cannot truthfully certify them.
Calculate coverage uncertainty
See how missing weighted modules widen the only defensible score range.
Open calculatorRead the detailed checklist
Understand why each control matters and what a practical fix looks like.
Read the guideInspect the methodology
See authorization, evidence, limits and scoring semantics for every published module.
View methodology