# Your API keys might be sitting in your JavaScript bundle right now

I ship small apps fast. Some of them I build mostly with AI tools. And every time I deployed one, the same thought nagged at me: I have no idea if this is secure. I'm not a security person. I don't know what I don't know.

The existing options didn't fit. Most scanners want to live in your CI pipeline, need access to your repo, or spit out a 40-page report full of jargon that I was never going to read, let alone act on.

So I built DeploySafe ([https://deploysafe.io](https://deploysafe.io)). The idea is simple: you paste your live app's URL, and it probes the running app the way someone poking at it would.

Here is what it checks for right now:

*   Leaked environment variables and API keys sitting in your JS bundles
    
*   Broken or missing access control on routes that should be protected
    
*   Open redirects
    
*   Missing CSRF protection
    
*   Cookies without secure flags
    
*   Vulnerable dependency versions
    
*   Exposed .git and .env files
    
*   Dangerous HTTP methods left enabled
    
*   Missing security headers
    

The part I cared about most: it does not just tell you what is wrong. Every finding comes with three things. A plain-English explanation of how the issue would actually get exploited. A rough estimate of what it would cost you if it did. And a copy-paste prompt written to drop straight into your AI coding tool, so you can fix it in a few minutes instead of researching it for an hour.

A few technical notes for anyone curious how it works:

*   It drives a real headless browser (Playwright), so it understands single-page app routes and behaves like a real session instead of just curling endpoints.
    
*   There is a triage layer that filters raw probe output down to real findings. Cutting false positives has honestly been most of the work. A scanner that cries wolf is worse than no scanner.
    
*   You can only scan targets you confirm you own or are authorized to test.
    

It is free to scan, with a small credit grant when you sign up. The deeper parts (full fix prompts, scanning behind a login) are paid through credit packs. It is a solo project, so I am being upfront about that.

If you scan something and it flags nonsense, I genuinely want to hear about it. And if there is a check you wish it ran, tell me. GraphQL introspection and subdomain takeover detection are already next on my list.

You can try it at [deploysafe.io](https://deploysafe.io). Would love your feedback.
