    Sample report

    Fictional target

    checkout.rivergate-labs.test

    Critical sample report

    This made-up report shows how VibeLeak presents a Grade D scan: one critical exposed-key finding, one high browser-policy gap, and two lower-priority cleanup items.

    Grade: D

    Trust score: 35/100

    Findings by severity: Critical 1, High 1, Low 1, Info 1

    Severity queue

    Fix order

    The critical key exposure ships first. The high browser-policy item follows after key rotation is complete.

    01 / AIGuard (critical)

    Production API key exposed in browser source

    window.__RIVERGATE_CONFIG__.paymentsApiKey = "rg_live_sk_74c9...";

    Risk

    Anyone who views source can copy the key and attempt unauthorized API calls against production services.

    Fix

    Revoke the exposed key, issue a server-only replacement, move all payment and AI calls behind authenticated server routes, and re-scan after deploy.

    02 / TrustScan (high)

    Browser security policy is missing

    Content-Security-Policy and Strict-Transport-Security were not present on the live response.

    Risk

    The site has weaker protection against script injection, clickjacking chains, and downgrade paths.

    Fix

    Ship a baseline CSP, add HSTS after HTTPS verification, and confirm both headers appear on the public response.

    03 / ThreatSurface (low)

    No security.txt disclosure route

    /.well-known/security.txt returned 404.

    Risk

    Researchers and customers have no obvious security contact path when they find a problem.

    Fix

    Publish a security.txt file with contact, policy, and expiry fields.

    04 / TechScan (info)

    Framework fingerprint visible

    Server and framework hints are visible in response headers.

    Risk

    This is not a blocker by itself, but it gives attackers extra profiling context.

    Fix

    Reduce unnecessary version and framework headers where the hosting stack allows it.