Detection rules
Every check we run.
Each rule comes from a real breach, a real CVE, or a documented pattern in Escape's 5,600-app vulnerability study. Severity is what shows up in your scan report.
- 01 CRITICAL: Stripe live secret key in client bundle
  sk_live_... key found in your JavaScript. Anyone visiting your site can extract it and charge or refund arbitrary amounts.
  rule: exposed-stripe-secret-key
- 02 CRITICAL: Anthropic Claude API key in client bundle
  sk-ant-... key shipped to the browser. Anyone can extract it and run unlimited Claude requests on your account.
  rule: exposed-anthropic-key
- 03 CRITICAL: OpenAI API key in client bundle
  sk-... or sk-proj-... key in your JS. Strangers can extract it and burn through your OpenAI quota.
  rule: exposed-openai-key
- 04 CRITICAL: AWS access key in client bundle
  AKIA / ASIA access key found in your JS. Combined with the matching secret, it gives an attacker direct access to your AWS resources.
  rule: exposed-aws-access-key
- 05 CRITICAL: GitHub token in client bundle
  ghp_/gho_/ghu_/ghs_/ghr_ token in your JS. An attacker can read or write your repositories with this token.
  rule: exposed-github-token
- 06 CRITICAL: Supabase SERVICE_ROLE key in client bundle
  The key that bypasses Row Level Security entirely. With this, an attacker has full read/write access to your database.
  rule: exposed-supabase-service-role-key
- 07 CRITICAL: JWT signing secret hardcoded in JS
  JWT_SECRET literal in your bundle. An attacker can mint valid tokens for any user, bypassing authentication.
  rule: jwt-secret-leaked
- 08 CRITICAL: Database connection string with credentials in JS
  postgres://, mongodb://, or mysql:// URI with username and password in your bundle. Direct database access.
  rule: database-connection-string
- 09 CRITICAL: Supabase tables readable without authentication
  We probe common tables (users, profiles, accounts, orders, etc.) through the REST API using the anon key. If rows come back, RLS is missing or too permissive.
  rule: supabase-rls-misconfigured
- 10 HIGH: CORS allows credentials from any origin
  Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true. Browsers reject this combination, so it is not exploitable as-is, but it is flagged so it gets fixed.
  rule: permissive-cors
- 11 HIGH: Google API key in client bundle
  AIza... key found. If unrestricted, it can be abused for billing fraud (Maps, Translate, etc.). Restrict it to your domain in Google Cloud Console.
  rule: exposed-google-api-key
- 12 HIGH: SMTP credentials in client bundle
  SMTP_PASSWORD or EMAIL_PASS literal in your JS. An attacker can send email as you and bypass spam filters via your domain reputation.
  rule: smtp-credentials
- 13 HIGH: Hardcoded user IDs in route patterns (BOLA)
  Routes like /users/<id>/... where the id comes from a non-auth source. The Broken Object Level Authorization pattern that exposed 18K student records.
  rule: bola-pattern-user-id-in-route
- 14 MEDIUM: Missing Content-Security-Policy header
  Removes a major XSS defense layer. Not a vulnerability on its own, but a missing seatbelt.
  rule: missing-csp-header
- 15 MEDIUM: Missing Strict-Transport-Security header
  On HTTPS without HSTS, users can be downgraded to HTTP and have their session cookies stolen on a hostile network.
  rule: missing-hsts-header
- 16 MEDIUM: dangerouslySetInnerHTML usage
  Inserts raw HTML and can introduce XSS if the content is not strictly sanitized. AI tools sometimes use this when a safer alternative exists.
  rule: dangerously-set-inner-html
- 17 MEDIUM: eval() or new Function() in client code
  Dynamic code evaluation, frequently a vector for XSS or supply-chain compromise. Almost always avoidable.
  rule: eval-or-new-function
- 18 MEDIUM: Admin routes exposed in client bundle
  Routes like /admin or /internal defined client-side. Often paired with weak server-side auth checks.
  rule: admin-routes-exposed
- 19 LOW: Missing X-Frame-Options header
  Your app can be embedded in an iframe by any site, enabling clickjacking attacks.
  rule: missing-x-frame-options
- 20 LOW: Missing X-Content-Type-Options: nosniff
  Browsers may MIME-sniff responses, enabling certain XSS variants.
  rule: missing-x-content-type-options
- 21 LOW: Outdated React version
  React below 18.0.0. Older versions miss security patches and modern XSS mitigations.
  rule: outdated-react-version
- 22 LOW: Service worker intercepting auth requests
  A service worker that touches Authorization headers warrants review, since it can leak tokens to caches or to the wrong origin.
  rule: service-worker-misuse
- 23 INFO: Vibe-coding platform detected
  Identifies which AI tool built your app (Lovable, Bolt, v0, Cursor, Replit) so we can serve you platform-specific fix prompts.
  rule: vibe-coding-platform-detected
See what we'd catch on your app.
Free public-URL scan, no signup. Results in 30 seconds.