<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Habeeb Salami</title>
    <description>The latest articles on DEV Community by Habeeb Salami (@habeebsl).</description>
    <link>https://dev.to/habeebsl</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3960071%2F25942482-8d81-4a7e-bce7-0ebb360ae4d2.jpg</url>
      <title>DEV Community: Habeeb Salami</title>
      <link>https://dev.to/habeebsl</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/habeebsl"/>
    <language>en</language>
    <item>
      <title>I scanned my side projects for vulnerabilities. It was humbling.</title>
      <dc:creator>Habeeb Salami</dc:creator>
      <pubDate>Sat, 30 May 2026 14:34:16 +0000</pubDate>
      <link>https://dev.to/habeebsl/i-scanned-my-side-projects-for-vulnerabilities-it-was-humbling-53bb</link>
      <guid>https://dev.to/habeebsl/i-scanned-my-side-projects-for-vulnerabilities-it-was-humbling-53bb</guid>
      <description>&lt;p&gt;I ship small apps fast. Some of them I build mostly with AI tools. And every time I deployed one, the same thought nagged at me: I have no idea if this is secure. I'm not a security person. I don't know what I don't know.&lt;/p&gt;

&lt;p&gt;The existing options didn't fit. Most scanners want to live in your CI pipeline, need access to your repo, or spit out a 40-page report full of jargon that I was never going to read, let alone act on.&lt;/p&gt;

&lt;p&gt;So I built DeploySafe (&lt;a href="https://deploysafe.io" rel="noopener noreferrer"&gt;https://deploysafe.io&lt;/a&gt;). The idea is simple: you paste your live app's URL, and it probes the running app the way someone poking at it would.&lt;/p&gt;

&lt;p&gt;Here is what it checks for right now:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Leaked environment variables and API keys sitting in your JS bundles&lt;/li&gt;
&lt;li&gt;Broken or missing access control on routes that should be protected&lt;/li&gt;
&lt;li&gt;Open redirects&lt;/li&gt;
&lt;li&gt;Missing CSRF protection&lt;/li&gt;
&lt;li&gt;Cookies without secure flags&lt;/li&gt;
&lt;li&gt;Vulnerable dependency versions&lt;/li&gt;
&lt;li&gt;Exposed .git and .env files&lt;/li&gt;
&lt;li&gt;Dangerous HTTP methods left enabled&lt;/li&gt;
&lt;li&gt;Missing security headers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The part I cared about most: it does not just tell you what is wrong. Every finding comes with three things. A plain-English explanation of how the issue would actually get exploited. A rough estimate of what it would cost you if it did. And a copy-paste prompt written to drop straight into your AI coding tool, so you can fix it in a few minutes instead of researching it for an hour.&lt;/p&gt;

&lt;p&gt;A few technical notes for anyone curious how it works:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It drives a real headless browser (Playwright), so it understands single-page
app routes and behaves like a real session instead of just curling endpoints.&lt;/li&gt;
&lt;li&gt;There is a triage layer that filters raw probe output down to real findings.
Cutting false positives has honestly been most of the work. A scanner that
cries wolf is worse than no scanner.&lt;/li&gt;
&lt;li&gt;You can only scan targets you confirm you own or are authorized to test.&lt;/li&gt;
&lt;/ul&gt;
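&lt;p&gt;To make the checklist above and the "triage" idea concrete, here is a small added example (my own illustration, not DeploySafe's code) of what a black-box probe looks like once the HTTP round trips are done. It runs offline over a constructed response: the page headers, its Set-Cookie values, the text of a fetched JS bundle, the Allow header, and the status/body of GETs to /.git/HEAD and /.env. The header baseline, the secret regexes and the severities are assumptions chosen for the demo, not the tool's rule set. The point of the exposed-file checks is the triage step: a 200 on /.env is only a finding if the body actually looks like an env file, because single-page apps routinely answer every unknown path with index.html.&lt;/p&gt;

```python
"""Offline black-box checks over a captured HTTP response (added example).

Not DeploySafe's code. A real scanner would fetch the page with a headless
browser, collect its JS bundles and GET the sensitive paths itself; here all
of that is replaced by the hand-built SAMPLE dict so the checks run offline.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    severity: str  # "high", "medium" or "low"
    detail: str


# Assumed baseline of headers a hardened app should send (demo choice).
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
}

# Constructed secret shapes for the demo, not a complete rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "stripe_live_secret": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Methods that an application origin normally has no reason to expose.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def check_headers(headers):
    present = {k.lower() for k in headers}
    return [Finding("missing_security_header", sev, f"{name} not set")
            for name, sev in EXPECTED_HEADERS.items() if name not in present]


def check_cookies(set_cookie_values, https):
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if https and "secure" not in attrs:
            findings.append(Finding("cookie_missing_secure", "medium", f"{name} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie_missing_httponly", "low", f"{name} lacks HttpOnly"))
        if "samesite" not in attrs:
            findings.append(Finding("cookie_missing_samesite", "low", f"{name} lacks SameSite"))
    return findings


def check_bundle_secrets(js_text):
    # Only a prefix of the match is reported so the report itself does not leak the key.
    return [Finding("secret_in_js_bundle", "high", f"{label} matched {m.group(0)[:8]}...")
            for label, pat in SECRET_PATTERNS.items() for m in pat.finditer(js_text)]


def check_methods(allow_header):
    enabled = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return [Finding("risky_http_method", "medium", f"{m} enabled")
            for m in sorted(enabled.intersection(RISKY_METHODS))]


def check_exposed_paths(probe_results):
    # probe_results maps path to (status, body_prefix) from a GET on that path.
    # Triage: a 200 alone is not enough, the body must look like the real file,
    # otherwise SPA fallback pages produce a false positive on every probe.
    findings = []
    git_head = probe_results.get("/.git/HEAD")
    if git_head and git_head[0] == 200 and git_head[1].startswith("ref: refs/"):
        findings.append(Finding("exposed_git_dir", "high", "/.git/HEAD is readable"))
    env = probe_results.get("/.env")
    if env and env[0] == 200 and re.search(r"^[A-Z_]+=", env[1], re.M):
        findings.append(Finding("exposed_env_file", "high", "/.env is readable"))
    return findings


def scan(resp):
    raw = []
    raw += check_headers(resp["headers"])
    raw += check_cookies(resp["set_cookie"], resp["url"].startswith("https://"))
    raw += check_bundle_secrets(resp["bundle_js"])
    raw += check_methods(resp["headers"].get("Allow", ""))
    raw += check_exposed_paths(resp["probes"])
    # Triage: de-duplicate and order by severity so the report leads with what matters.
    order = {"high": 0, "medium": 1, "low": 2}
    seen, out = set(), []
    for f in sorted(raw, key=lambda f: order[f.severity]):
        if (f.check, f.detail) not in seen:
            seen.add((f.check, f.detail))
            out.append(f)
    return out


# Constructed response for the demo. AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key id. /.env answers 200 but with the SPA's index page, not a real file.
SAMPLE = {
    "url": "https://example.test/",
    "headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                "Allow": "GET, HEAD, POST, TRACE"},
    "set_cookie": ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
    "bundle_js": "const cfg={region:'us-east-1',key:'AKIAIOSFODNN7EXAMPLE'};",
    "probes": {"/.git/HEAD": (200, "ref: refs/heads/main\n"),
               "/.env": (200, "doctype html head title My App")},
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

&lt;p&gt;Run against the constructed sample it reports the leaked AWS key id and the readable .git directory first, then the TRACE method and the cookie and header gaps, and it stays quiet about /.env because the body was a fallback HTML page rather than KEY=value lines. That body check is the whole difference between a scanner that finds a real exposure and one that cries wolf on every SPA.&lt;/p&gt;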

&lt;p&gt;It is free to scan, with a small credit grant when you sign up. The deeper parts (full fix prompts, scanning behind a login) are paid through credit packs. It is a solo project, so I am being upfront about that.&lt;/p&gt;

&lt;p&gt;If you scan something and it flags nonsense, I genuinely want to hear about it. And if there is a check you wish it ran, tell me. GraphQL introspection and subdomain takeover detection are already next on my list.&lt;/p&gt;

&lt;p&gt;You can try it at &lt;a href="https://deploysafe.io" rel="noopener noreferrer"&gt;deploysafe.io&lt;/a&gt;. Would love your feedback.&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>devops</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
