I ship small apps fast. Some of them I build mostly with AI tools. And every time I deployed one, the same thought nagged at me: I have no idea if this is secure. I'm not a security person. I don't know what I don't know.
The existing options didn't fit. Most scanners want to live in your CI pipeline, need access to your repo, or spit out a 40-page report full of jargon that I was never going to read, let alone act on.
So I built DeploySafe (https://deploysafe.io). The idea is simple: you paste your live app's URL, and it probes the running app the way someone poking at it would.
Here is what it checks for right now:
- Leaked environment variables and API keys sitting in your JS bundles
- Broken or missing access control on routes that should be protected
- Open redirects
- Missing CSRF protection
- Cookies without secure flags
- Vulnerable dependency versions
- Exposed .git and .env files
- Dangerous HTTP methods left enabled
- Missing security headers
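To make the last two list items concrete, here is a small added example (my illustration, not DeploySafe's code) of how a defender can check a single HTTP response for missing security headers and for cookies lacking Secure/HttpOnly/SameSite; the baseline header set and the sample response are assumptions constructed for the demo.

```python
from http.cookies import SimpleCookie
import urllib.request

# Assumed baseline: headers a hardened HTTPS response is expected to carry.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}


def check_response(headers):
    """Return a list of findings for a list of (name, value) response header pairs."""
    findings = []
    present = {name.lower() for name, _ in headers}
    for expected in sorted(EXPECTED_HEADERS - present):
        findings.append(f"missing header: {expected}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)  # parses attributes such as Secure, HttpOnly, SameSite
        for key, morsel in cookie.items():
            if not morsel["secure"]:
                findings.append(f"cookie {key}: missing Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {key}: missing HttpOnly flag")
            if not morsel["samesite"]:
                findings.append(f"cookie {key}: missing SameSite attribute")
    return findings


def fetch_headers(url):
    """Fetch one URL you operate and return its response headers as (name, value) pairs."""
    with urllib.request.urlopen(url) as resp:
        return list(resp.headers.items())


# Constructed sample response: one hardening header set, a session cookie that
# has HttpOnly but neither Secure nor SameSite.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for finding in check_response(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample it reports four missing headers plus the two cookie attribute gaps; pass `fetch_headers("https://your-own-app.example")` to `check_response` for a live response.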
The part I cared about most: it does not just tell you what is wrong. Every finding comes with three things. A plain-English explanation of how the issue would actually get exploited. A rough estimate of what it would cost you if it did. And a copy-paste prompt written to drop straight into your AI coding tool, so you can fix it in a few minutes instead of researching it for an hour.
A few technical notes for anyone curious how it works:
- It drives a real headless browser (Playwright), so it understands single-page app routes and behaves like a real session instead of just curling endpoints.
- There is a triage layer that filters raw probe output down to real findings. Cutting false positives has honestly been most of the work. A scanner that cries wolf is worse than no scanner.
- You can only scan targets you confirm you own or are authorized to test.
It is free to scan, with a small credit grant when you sign up. The deeper parts (full fix prompts, scanning behind a login) are paid through credit packs. It is a solo project, so I am being upfront about that.
If you scan something and it flags nonsense, I genuinely want to hear about it. And if there is a check you wish it ran, tell me. GraphQL introspection and subdomain takeover detection are already next on my list.
You can try it at deploysafe.io. Would love your feedback.