    Deep Dive · 10 min read · May 4, 2026

    From F to B: a real site recovery story

    A step-by-step recovery story that shows how a team used VibeLeak to find, prioritize, and fix critical issues during an emergency launch window.

    Incident

    A staging domain was accidentally pointed to production

    The team was preparing a launch. During DNS cutover, the staging subdomain — which had never been hardened — became the primary site. Within minutes, traffic started hitting an unprotected surface.

    Time to discovery

    4 min

    A team member ran a VibeLeak scan out of habit before announcing the launch.

    Initial grade

    F

    No HTTPS enforcement, no security headers, and an exposed .env file.

    Final grade

    B

    After a focused two-hour fix session and a recheck scan.

    Diagnosis

    The first scan told the whole story in thirty seconds

    The result page showed three critical findings, two highs, and a handful of mediums. The team immediately knew what to tackle first.

    • Critical: HTTP was not redirecting to HTTPS.
    • Critical: The .env file was publicly readable at the root.
    • High: No Content-Security-Policy was present.
    • High: X-Frame-Options was missing, leaving the site embeddable anywhere.
    • Medium: HSTS was not configured.

    Key insight

    The scan result was shared in Slack as a screenshot. Everyone saw the same grade and the same findings. That alignment saved fifteen minutes of debate about what to fix first.

    Remediation

    The fix phase took ninety minutes, not all day

    Because the scan prioritized findings by severity, the team worked in order and did not waste time on polish before the foundation was solid.

    0–15m

    Force HTTPS

    Added a server-level redirect rule. All HTTP traffic now routes to HTTPS before the application layer sees it.

    15–30m

    Delete and block .env

    Removed the file from the server, added a deny rule, and rotated every secret referenced in it.

    30–60m

    Add security headers

    Deployed CSP in report-only mode, added X-Frame-Options, and configured HSTS with a short max-age for testing.

    60–90m

    Verify and document

    Re-ran the scan, confirmed the grade moved to B, then tightened CSP and bumped HSTS max-age to full duration.
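As an added example (not VibeLeak's code or output), the following Python re-check evaluates the five findings from the scan above against captured HTTP responses, run here on constructed before/after responses. The `example.test` host, the status codes used, and the HSTS max-age threshold that separates a testing value from a full-duration one are assumptions.

```python
import re

# Severity levels in the order the story's scan prioritized them.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
# Assumed threshold (hypothetical): an HSTS max-age below this is a testing value.
HSTS_FULL_MAX_AGE = 15552000  # 180 days

def recheck(http_root, https_root, env_file):
    """Each argument is a (status, headers) pair with lower-case header names.
    Returns (severity, message) findings, highest severity first."""
    findings = []
    status, headers = http_root
    # Critical: plain HTTP must redirect to an https:// location.
    if not (status in (301, 302, 307, 308)
            and headers.get("location", "").startswith("https://")):
        findings.append(("critical", "HTTP is not redirecting to HTTPS"))
    # Critical: /.env must not be served (anything but a 200 is acceptable here).
    if env_file[0] == 200:
        findings.append(("critical", ".env file is publicly readable at the root"))
    _, h = https_root
    # High: CSP absent in both enforcing and report-only form.
    if ("content-security-policy" not in h
            and "content-security-policy-report-only" not in h):
        findings.append(("high", "No Content-Security-Policy present"))
    # High: without X-Frame-Options the site is embeddable anywhere.
    if "x-frame-options" not in h:
        findings.append(("high", "X-Frame-Options missing; site is embeddable anywhere"))
    # Medium: HSTS missing, or still carrying the short testing max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "HSTS not configured"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_FULL_MAX_AGE:
            findings.append(("medium", "HSTS max-age is still a short testing value"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])

def has_critical(findings):
    """True when any critical finding remains, i.e. the launch should still be blocked."""
    return any(sev == "critical" for sev, _ in findings)

# Constructed responses: the unhardened staging surface before the fix session...
BEFORE = dict(http_root=(200, {"content-type": "text/html"}),
              https_root=(200, {"content-type": "text/html"}),
              env_file=(200, {"content-type": "text/plain"}))
# ...and at the 60-minute mark: redirect in place, .env denied, headers added, short HSTS.
AFTER = dict(http_root=(301, {"location": "https://example.test/"}),
             https_root=(200, {"content-security-policy-report-only": "default-src 'self'",
                               "x-frame-options": "DENY",
                               "strict-transport-security": "max-age=300"}),
             env_file=(403, {}))

if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("after", AFTER)):
        print(label, recheck(**site))
```

The "after" run leaves only the short-max-age HSTS item, which mirrors the story's last step of bumping max-age to full duration once the recheck passed.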

    Confirmation

    The recheck scan proved the fix worked

    The second scan returned Grade B. The critical blockers were gone, but a few medium hardening items remained, which is exactly how the stricter canonical grade caps should behave.

    What changed

    Grade F to Grade B in two hours. The difference was not expertise — it was having a prioritized list of exactly what to fix, in what order, with clear remediation text for each finding.

    Takeaways

    What the team changed after the incident

    The recovery was fast, but the real value was in preventing recurrence. The team added three habits that now run before every launch.

    • Every staging domain now gets a VibeLeak scan before DNS cutover.
    • The CI pipeline blocks deployment if the scan returns Grade D or lower.
    • Score Watch is enabled on all production sites to catch drift after launch.

    Next action

    Run the scanner against your own site

    This story is most useful when it becomes your own fix list. Scan, close the gaps, and recheck.
