Security scanner with AI fixes

The website security scanner that hands you the fix

Amabrik scans your live site for the mistakes that leak data: a secret key shipped in your code, a database anyone can read, an open .env file, missing security headers. Each finding comes with a plain-English impact and a copy-paste AI fix prompt that will not break your site. No security degree, no sales call.

  • Leaked secrets
  • Open databases
  • Exposed .env files
  • Security headers
  • TLS and cookies
checkout.js (the sample file in the scan preview)

    // checkout.js: bundled for the browser, so everything in it is readable with view source
    import Stripe from 'stripe';

    // A live Stripe secret key hardcoded in client code: this is what the scan flags as Critical
    const apiKey = "sk_live_51Hak2pQ9rXm4Lz8B";
    const stripe = Stripe(apiKey);

    export async function pay(amount) {
      return stripe.charges.create({ amount });
    }
    Critical: Secret key exposed in client code. Readable by anyone with view source.
    Open database found, no auth required.
    Checks passed: 34 of 36 security checks clear (HTTPS, HSTS, CSP).
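The server-side shape of the checkout.js above, as an added example that is not Amabrik's code: the secret is read from STRIPE_SECRET_KEY on the server and the browser bundle only calls a server endpoint. The /api/pay path, the fake Stripe client, the fake fetch and the sample key are constructed for the example; in production the Stripe client would be built with the real stripe package from the loaded secret.

```javascript
// Added example (not Amabrik's code): the hardened shape of the checkout.js shown above.
// The Stripe secret stays in a server-only module and is read from the environment;
// the browser bundle only knows the URL of a server endpoint.

// ---------- server/pay.js: runs on the server, never bundled for the browser ----------

// Read the secret from the environment. `env` is a parameter (pass process.env in
// production) so the checks below can be exercised with constructed values.
function loadStripeSecret(env) {
  const key = env.STRIPE_SECRET_KEY;
  if (!key) throw new Error('STRIPE_SECRET_KEY is not set');
  // Stripe secret keys start with sk_live_/sk_test_ (restricted keys with rk_).
  // A pk_ publishable key here means the wrong key was copied into the server config.
  if (!/^(?:sk|rk)_(?:live|test)_/.test(key)) {
    throw new Error('STRIPE_SECRET_KEY is not a Stripe secret key');
  }
  return key;
}

// Build the /api/pay handler around a Stripe client. The client is injected so this
// runs offline; in production it would be `new Stripe(loadStripeSecret(process.env))`.
function createPayHandler(stripe) {
  return async function handlePay(body) {
    const amount = Number(body.amount);
    // The browser is untrusted: validate the amount server-side (integer minor units, > 0).
    if (!Number.isInteger(amount) || amount <= 0) {
      return { status: 400, body: { error: 'invalid amount' } };
    }
    const charge = await stripe.charges.create({ amount, currency: 'usd' });
    return { status: 200, body: { id: charge.id } };
  };
}

// ---------- public/checkout.js: shipped to the browser, contains no key ----------

async function pay(amount, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl('/api/pay', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ amount }),
  });
  return res.json();
}

// ---------- constructed wiring so the example runs without Stripe or a network ----------

const fakeStripe = {
  charges: { create: async ({ amount, currency }) => ({ id: `ch_fake_${amount}_${currency}` }) },
};

// Round trip: the browser-side pay() calls a fake fetch that invokes the server handler.
async function demoRoundTrip(env = { STRIPE_SECRET_KEY: 'sk_test_constructedExampleKey' }) {
  loadStripeSecret(env); // fail fast on a missing or wrong-type key at startup
  const handlePay = createPayHandler(fakeStripe);
  const fakeFetch = async (_url, init) => {
    const result = await handlePay(JSON.parse(init.body));
    return { status: result.status, json: async () => result.body };
  };
  return pay(2000, fakeFetch);
}

if (typeof require !== 'undefined' && require.main === module) {
  demoRoundTrip().then((r) => console.log('charge created:', r.id));
}
```

The point of the split is that a view-source reader of public/checkout.js now sees a URL and an amount, nothing that can create charges on its own; the key only exists in the process that runs server/pay.js.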
The problem

Sites shipped fast with AI tools are leaking secrets

Shipping a site in an afternoon is the new normal, and it is leaking real keys and opening real databases at a rate that is now measured, not guessed. Here is what the public research found.

  • GitHub, 2025: 28.65 million new hardcoded secrets were pushed to public repositories, a 34% jump in one year, the largest single-year rise GitGuardian has recorded.
  • AI-assisted commits: leak secrets at 3.2%, more than double the 1.5% baseline across all public commits.
  • AI-generated code: Veracode tested over 100 models and 45% of samples introduced an OWASP Top 10 vulnerability. Bigger models did not write safer code.
  • Exposed .env files: Palo Alto Unit 42 documented a campaign that harvested .env files from 110,000 domains and 7,000 cloud access keys, then broke into cloud accounts.
  • Open databases: 916 misconfigured Firebase sites exposed about 125 million records, including names, emails and 20 million plaintext passwords. Only 24% got fixed.
The odds your AI-built site has a flaw: 45% of code samples introduced an OWASP Top 10 vulnerability when Veracode tested over 100 AI models. (Veracode, 2025)

Most common critical exposures
  • A secret key shipped in client code: payment or API keys readable in view source
  • A database left readable without auth: Supabase or Firebase rules still public
  • A .env file reachable in a browser: served as plain text anyone can open

A scan finds each one and hands you the AI fix.

Leaked secrets do not expire on their own. GitGuardian found 64% of valid secrets exposed in 2022 were still active in January 2026. Figures from each cited public report.

How it works

Three steps from worried to fixed

Add your site, run the scan, paste the AI fixes. No agent to install, no code to read, no security team needed.

  1. Add your site

    Verify your domain once with a DNS record. The scanner works on any site: WordPress, Shopify, Webflow, a custom build, or anything shipped with Lovable, Bolt, Cursor or v0.

    DNS
    TXT  _amabrik="verify-7Q2c8Fb1aXk"
  2. Run the scan

    Amabrik checks your live site for leaked keys, open databases, exposed files, missing headers, TLS and cookie problems, and outdated libraries. Scan on demand or on a schedule after every deploy.

    Secret keys in code: Critical
    Database access rules: Critical
    Security headers: Warning
    HTTPS and TLS: Pass
  3. Get a copy-paste AI fix

    Every finding comes with a plain-English impact and a copy-paste AI fix prompt. Paste it into Claude, ChatGPT or Cursor and the fix is written for you. We never flag a value that is meant to be public, and we report first so a fix never breaks a working site.

    Critical: Fix ready
The fix

One scanner, built for the person who shipped the site

It does the work a pentest report skips: it explains each finding in plain English and hands you a copy-paste AI fix prompt, without crying wolf.

01

Finds the dangerous leaks, not the harmless ones

It catches a secret key shipped in your front-end code (a Stripe secret key, an AWS key, a service-role database key), the kind anyone can read with view source. A publishable key that is meant to be public is never flagged, because hiding it was never the point.

02

A copy-paste AI fix for every issue

Every finding comes with a plain-English impact and a ready-to-paste AI prompt. Drop it into Claude, ChatGPT or Cursor and the fix is written for you, for the person who built the site, not a security engineer. No CVSS jargon wall, no 40-page PDF you can't act on.

03

Report first, so a fix never breaks your site

Findings are shown in report-only form first, and fixes are phrased to leave working forms, payments and integrations untouched. A security fix that breaks checkout is not a fix.

04

No false positives

A fake critical destroys trust, so we use high-confidence patterns only. A public-by-design value is never called a leak, and an exposed file is checked to be real before it's flagged.

05

Open database detection

It checks whether your Supabase or Firebase backend has access rules turned on. An open backend lets the public key pull every row: users, orders, messages. This is the exact pattern behind the 2025 vibe-coded app breaches.

06

Headers, TLS and cookies

It checks for a Content-Security-Policy, HSTS, X-Frame-Options and X-Content-Type-Options, flags plain HTTP or a broken certificate, and catches session cookies missing Secure, HttpOnly or SameSite.

07

Scan on a schedule

Run a scan on demand and set it to re-scan after every deploy. AI-shipped changes leak most, so the scan fits the cadence you actually ship at, not once a year.

08

Part of your widget suite

Security Scan is one widget in the same Amabrik plan as your cookie banner, forms and the rest. One bill, no separate enterprise contract, no per-asset quote.

What it catches

The exact ways a site leaks data

Each item below is something a visitor or a bot can actually do on a misconfigured site. Every claim links to its source.

Secret keys in your page code (Critical)

A real admin or payment key (a Stripe secret key, an AWS key, a service-role database key, an SMTP password) shipped in your JavaScript, where anyone can read it with view source. This is the dangerous kind, not the publishable kind.
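An added example, not Amabrik's scanner, of the high-confidence matching that this item and the "Finds the dangerous leaks" and "No false positives" sections describe: Stripe sk_/rk_ prefixes and AWS AKIA access key IDs are treated as secrets, Stripe pk_ publishable keys are never reported, and a Supabase-style JWT is reported only when its role claim is service_role (an anon-role token is public by design). The sample bundle, the fake JWTs, the redacted preview format and the pattern list are constructed for this example; Amabrik's real pattern set is not on this page.

```javascript
// Added example (not Amabrik's code): scan a JavaScript source string for high-confidence
// secret formats and report only the dangerous ones.

const SECRET_PATTERNS = [
  // Stripe secret and restricted keys; the publishable pk_ prefix is deliberately absent.
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{10,}\b/g },
  { name: 'Stripe restricted key', re: /\brk_(?:live|test)_[A-Za-z0-9]{10,}\b/g },
  // AWS access key IDs: AKIA followed by 16 upper-case letters or digits.
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Three base64url segments joined by dots: the shape of a JWT such as a Supabase API key.
const JWT_RE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Return the `role` claim of a JWT payload, or null if it does not parse. No signature check:
// the question is what the token claims to be, not whether it is currently valid.
function jwtRole(token) {
  try {
    const payload = JSON.parse(base64urlDecode(token.split('.')[1]));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Scan one file. Each finding carries a severity, a name, the line, and a redacted preview
// (first 8 characters only) so the report itself never repeats the whole key.
function scanSource(source) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ severity: 'Critical', name, line: lineOf(source, m.index), preview: m[0].slice(0, 8) + '…' });
    }
  }
  for (const m of source.matchAll(JWT_RE)) {
    if (jwtRole(m[0]) === 'service_role') {
      findings.push({ severity: 'Critical', name: 'Supabase service-role key', line: lineOf(source, m.index), preview: m[0].slice(0, 8) + '…' });
    }
    // role === 'anon' (or no role claim at all) is public by design and is not reported.
  }
  return findings;
}

// ---- constructed sample input: an unsigned JWT builder and a small "bundle" ----
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.signaturesignature`;
}

const SAMPLE_BUNDLE = [
  "import Stripe from 'stripe';",
  'const publishable = "pk_live_constructedExample0001"; // public by design, never flagged',
  'const apiKey = "sk_live_51Hak2pQ9rXm4Lz8B";            // the key from the checkout.js sample above',
  `const anonKey = "${fakeJwt({ role: 'anon', iss: 'supabase' })}";`,
  `const serviceKey = "${fakeJwt({ role: 'service_role', iss: 'supabase' })}";`,
  'const aws = "AKIAIOSFODNN7EXAMPLE";                    // AWS documentation example ID',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSource(SAMPLE_BUNDLE)) console.log(`${f.severity}  line ${f.line}  ${f.name}  ${f.preview}`);
}
```

Run against the sample bundle this reports three findings (the Stripe secret key, the AWS key ID and the service-role JWT) and stays silent on the publishable key and the anon token, which is the distinction the page draws between a leak and a value that is meant to be public.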

A database anyone can read (Critical)

Your Supabase or Firebase backend has no access rules, so the public key that is supposed to be public can pull every row: users, orders, messages. This is the pattern that hit thousands of AI-built apps in 2025.

A .env file you can open in a browser (Critical)

Visiting yoursite.com/.env returns your environment file full of keys. Bots scan for this across hundreds of millions of targets, then use the keys to break into cloud accounts.

Source maps and build files left public (High)

A public .git folder, source maps or backup files hand an attacker your full original code and any secrets inside it.

Missing security headers (Warning)

No Content-Security-Policy, HSTS, X-Frame-Options or X-Content-Type-Options, the browser-level defenses against script injection, clickjacking and protocol downgrade.

TLS and cookie problems (Warning)

A site reachable over plain HTTP, an expired or misconfigured certificate, mixed content, or session cookies missing Secure, HttpOnly or SameSite, so they can be stolen or sent unencrypted.

Over-permissive CORS and open endpoints (Warning)

The site tells the browser any website may call its API, or leaves a staging panel, debug route or admin surface reachable from the open internet.
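An added example, not Amabrik's code, covering the three Warning items above together (missing security headers, TLS and cookie problems, over-permissive CORS) plus the "Headers, TLS and cookies" section: it evaluates one HTTP response's headers and Set-Cookie lines the way those checks are described. The response object, the 180-day HSTS threshold, the session-cookie name heuristic and the finding format are constructed for this example; certificate and mixed-content checks need a live connection and are not modelled here.

```javascript
// Added example (not Amabrik's code): response-level checks for security headers, cookie
// attributes and a wildcard CORS origin. Input is a constructed response with lower-cased
// header names and Set-Cookie as an array, the way Node's http module exposes them.

// Browser-level defenses the page lists, with the risk each one addresses.
const REQUIRED_HEADERS = {
  'content-security-policy': 'script injection (XSS)',
  'strict-transport-security': 'protocol downgrade to plain HTTP',
  'x-frame-options': 'clickjacking',
  'x-content-type-options': 'MIME sniffing',
};
const MIN_HSTS_MAX_AGE = 15552000; // 180 days; an assumed threshold, not Amabrik's

function checkHeaders(headers) {
  const findings = [];
  for (const [name, risk] of Object.entries(REQUIRED_HEADERS)) {
    if (!headers[name]) findings.push({ severity: 'Warning', check: `Missing ${name}`, risk });
  }
  // HSTS with a tiny max-age protects almost nothing, so it is flagged separately.
  const hsts = headers['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) {
      findings.push({ severity: 'Warning', check: 'strict-transport-security max-age too short', risk: 'protocol downgrade to plain HTTP' });
    }
  }
  // A wildcard origin means any website may call this endpoint from a visitor's browser.
  if (headers['access-control-allow-origin'] === '*') {
    findings.push({ severity: 'Warning', check: 'Access-Control-Allow-Origin is *', risk: 'any website may call this API' });
  }
  return findings;
}

// Parse one Set-Cookie line into its name and an attribute map (attribute names lower-cased).
function parseSetCookie(line) {
  const [nameValue, ...rest] = line.split(';').map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf('='));
  const attrs = {};
  for (const attr of rest) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attrs };
}

// Heuristic for session-style cookies; a theme or locale cookie is not held to this bar.
function looksLikeSession(name) {
  return /sess|sid|token|auth/i.test(name);
}

function checkCookies(setCookieLines) {
  const findings = [];
  for (const line of setCookieLines) {
    const { name, attrs } = parseSetCookie(line);
    if (!looksLikeSession(name)) continue;
    if (!attrs.secure) findings.push({ severity: 'Warning', check: `Cookie ${name} missing Secure`, risk: 'sent unencrypted over HTTP' });
    if (!attrs.httponly) findings.push({ severity: 'Warning', check: `Cookie ${name} missing HttpOnly`, risk: 'readable by injected script' });
    if (!attrs.samesite) findings.push({ severity: 'Warning', check: `Cookie ${name} missing SameSite`, risk: 'sent on cross-site requests' });
  }
  return findings;
}

function scanResponse(resp) {
  return [...checkHeaders(resp.headers), ...checkCookies(resp.setCookie || [])];
}

// Constructed sample: HSTS set but far too short, no CSP or X-Frame-Options, wildcard CORS,
// and a session cookie with HttpOnly but neither Secure nor SameSite.
const SAMPLE_RESPONSE = {
  headers: {
    'content-type': 'text/html; charset=utf-8',
    'strict-transport-security': 'max-age=300',
    'x-content-type-options': 'nosniff',
    'access-control-allow-origin': '*',
  },
  setCookie: ['sessionid=abc123; Path=/; HttpOnly', 'theme=dark; Path=/'],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanResponse(SAMPLE_RESPONSE)) console.log(`${f.severity}  ${f.check}  (${f.risk})`);
}
```

On the sample response this produces six warnings; with CSP, a year-long HSTS, X-Frame-Options, no wildcard origin and a Secure/HttpOnly/SameSite session cookie it produces none, which is the shape of the fix a report for this item would ask for.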

Outdated libraries with known CVEs (Warning)

An old jQuery, Bootstrap or framework version with a published, exploitable bug. We flag the version and the fix, not a vague warning.

Compare

Amabrik vs scanners built for security teams

Feature comparison of Amabrik and four website security scanners

  Feature                             Amabrik (best value)  Acunetix          Sucuri SiteCheck   Intruder          Pentest-Tools
  Built for non-experts               Yes                   No                No                 No                No
  Copy-paste AI fix prompt per issue  Yes                   No                No                 No                No
  Free scan, no sales call            Yes                   No                Yes                Trial only        No
  No enterprise or per-asset quote    Yes                   No                Yes                No                No
  Part of one widget suite            Yes                   No                No                 No                No
  Rough cost to a site owner          In your plan          From ~$7,000/yr   Free scan only     ~$99 to $260/mo   ~$140/mo+

Prices from each vendor's public pages and marketplace listings, June 2026. Quote-only vendors do not publish a price; figures shown are public marketplace minimums. Amabrik precision and non-breaking fixes are product commitments, not third-party benchmarks.

Pricing

Every widget, in every plan

You pick by the number of sites you run. Every plan includes every widget, with no feature gating and no pageview caps.

Two months free on every annual plan.

Starter

$23/mo

Billed annually, $278/yr

1 site, unlimited views

  • All 10 widgets, included
  • No pageview caps
  • No Powered-by branding
  • Security and SEO/AEO scans
  • 13-month GDPR consent log

Agency

$127/mo

Billed annually, $1526/yr

50 sites, unlimited views

  • All 10 widgets, included
  • No pageview caps
  • No Powered-by branding
  • Security and SEO/AEO scans
  • 13-month GDPR consent log
14-day money-back guarantee. 7-day free trial, no card required.
FAQ

Questions, answered

Still unsure about something? Ask us and we answer fast.

It checks your live site for the things that leak data or let an attacker in: secret keys shipped in your code, a database with no access rules, files like .env that should not be public, missing security headers, TLS and cookie problems, over-permissive CORS, and outdated libraries with known bugs. Amabrik reports each finding with a plain-English impact and a copy-paste AI fix prompt you paste into Claude, ChatGPT or Cursor.

Not automatically. Veracode tested over 100 AI models and found 45% of code samples introduced an OWASP Top 10 vulnerability, and security researchers found thousands of AI-built apps shipping with open databases. If you shipped with Lovable, Bolt, Cursor, v0 or Replit, scan before you launch. The scanner catches the exact mistakes those tools tend to leave.

It depends on the key. A publishable or anon key is designed to be public, and its security comes from access rules on the backend, not from hiding it, so Amabrik never flags it. A secret or service-role key (Stripe secret key, AWS key, database service-role key) must never reach the browser. If one is in your page, anyone can read it, and that is what the scanner flags as critical.

Yes. Most findings have nothing to do with a login: an exposed .env file, missing security headers, a broken certificate, insecure cookies, a public .git folder or an outdated library all apply to a plain marketing site. Bots scan for these automatically across hundreds of millions of domains, so a small site is still a target.

At least monthly, and after every deploy or new integration. AI-assisted changes leak secrets at more than double the baseline rate, and the riskiest moment is right after you ship a change. Amabrik lets you scan on demand and set an automatic re-scan, so a new leak is caught early instead of months later.

No. Findings are shown in report-only form first, and every fix is phrased to leave working forms, payments and integrations untouched. We never flag a value that is meant to be public, so you don't waste time removing something your site needs. A fix that breaks checkout is not a fix.

A scan is automated and runs as often as you like, flagging known weaknesses across your site. A penetration test is a human expert going deep on exploitability, usually once a year and at high cost. Pro scanners are built for security teams and assume you can read the output. Amabrik gives you the scan plus a plain-English impact and a copy-paste AI fix prompt, at the cadence you actually ship at.

No. You verify your domain once with a DNS record, then scan from the dashboard. There is no agent to install and no code to read. Each finding is written for the person who built the site, with a copy-paste AI fix prompt you paste into Claude, ChatGPT or Cursor.