Exposed API keys
Anthropic, OpenAI, Stripe, and AWS credentials leaking from client bundles where any visitor can read them.
Free · No credit card · 60-second scan
How healthy is your app,
really?
Paste your URL. We run 8 essential checks across security, performance, cost, and UX, and show you every result. Around 60 seconds.
Read-only · Non-destructive · Around 60 seconds
Report ID: AP-7721-X
Free scan · sampleAudit Results
apppulse.net
CRITICAL
HIGH
RESOLVED
01
Secret scan
SecurityPassNo findings on this check.
02
RLS probe
SecurityPassNo findings on this check.
View 6 more checks — the report lists every result, pass, fail, partial, or pending coverage.Hide checks
03
Security headers
SecurityPassCSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy all set.
04
Public storage scan
SecurityPassNo public Supabase storage buckets detected.
05
Performance audit
PerformancePassLighthouse performance score above threshold; Core Web Vitals pass.
06
Cost projection
CostPassPage weight within budget; compression and image formats optimised.
07
Mobile responsiveness
UXPartialMobile viewport overflow check pending the Playwright migration.
08
Accessibility basics
UXFailInsufficient color contrast detected on at least one text element.
21 scans run · 23 critical & high findings surfaced · Built for apps shipped with
- Lovable
- Bolt
- Cursor
- v0
- Replit
- Supabase
- Vercel
What we catch
Most apps ship with hidden risks no one catches.
CI lints your code and types. It does not catch leaked keys, permissive policies, or 4-megabyte hero images. We do.
Tables anyone can read
Supabase RLS off on tables that should be locked. Anon-role queries return rows that should never have left the server.
Cloud bills that grow silently
Heavy assets, missing compression, oversized images that quietly inflate egress and CDN spend month over month.
Mobile UX that breaks at the edges
Failing color contrast, unlabeled inputs, tap targets under 48px — friction your users won't email you about.
How it works
Three steps. Sixty seconds.
- 01
Paste your URL
Public app URL plus your email. No deploy keys, no repo access, no install.
- 02
We run 8 essential checks in parallel
Outside-in scanners hit your live app: bundles, headers, RLS, storage, Lighthouse. About 60 seconds.
- 03
Get your AppPulse report
Every check shown — pass, fail, partial, or pending. Findings only; your team handles the fixes.
Coverage
What we check, by dimension.
Essential checks across 4 dimensions. Every result shown — no teaser, no upsell trick.
- Secrets and API key exposure
- Database security and Supabase RLS
- Security headers (CSP, HSTS, X-Frame-Options)
- Public storage bucket scan
Pricing
From free to investor-ready.
Start with a free scan. Upgrade when you want depth. Findings only. Flat fees. No retainer.
Free Scan
60-second automated scan, every result shown.
$0per scan
- 8 essential checks across all 4 dimensions
- All results shown — no top-N cap
- AppPulse Score: A–F
- Email-delivered report
Spot Check
48-hour deep audit with reviewer pass.
$150one-off
- Everything in Free (the 8 essential checks)
- Plus 17 deeper checks (25 total)
- Code-level, post-login, multi-route Lighthouse
- 5-page report + 10-min Loom
- Reviewer pass + 1 round of clarification
Standard Audit
5-day expert audit with strategy call.
$400one-off
- Everything in Spot Check
- 75 deep checks across 8 categories
- 15-page report + 25-min Loom
- 30-min strategy call
- Cost projection at 10× and 100× users
- Prioritised fix roadmap
Specialised audits
Cost Optimization
$350Egress, compute, and storage waste audit with projection at 10× users.
Learn moreAI-Feature Safety
$450Prompt-injection surface, key handling, and rate-limit review for AI features.
Learn moreInvestor-Ready
from $2,500Architecture diagram, risk register, and tech-DD pre-fill for raises.
Learn moreFAQ
Frequently asked questions
Will scanning hurt my app?
No. The Free Scan is read-only and non-destructive. Outside-in only — it touches your public app URL the same way a browser does.
Do you store my code?
Not for the Free Scan — there's no code to store. It runs entirely outside-in. For Spot Check and above, source is pulled into an ephemeral sandbox and destroyed after the scan completes.
Is the free scan really free?
Yes. Revenue comes from Spot Check and above. One free scan per app every 60 days, no card required.
What does the free scan cover?
Eight named checks: secret scan, Supabase RLS probe, security headers, public storage, performance, cost projection, mobile responsiveness, and accessibility basics. Every result is shown — pass, fail, partial, or pending coverage.
What if my app gets an A?
You sleep better, and you get an offer for the AppPulse Verified badge tied to a Continuous Monitoring subscription.
Can I scan an app I don't own?
No. Outside-in scans against URLs you don't own require an authorisation agreement. The free scan flow assumes you own the URL you submit.
Do you support mobile apps?
Today we cover web. Native iOS and Android scanning is on the roadmap; the mobile-responsiveness check ships now and full native support lands with the Playwright migration.
Where are you based?
Delaware, USA and Lagos, Nigeria. Operated by Malon Global Tech.
Do you sign NDAs?
Yes, before code access. Free Scan needs no NDA because we never see your code.
How long does an audit take?
Free Scan returns in around 60 seconds. Spot Check turns around in 48 hours. Standard Audit ships in 5 business days.
Stop guessing what's wrong with your app.
Around 60 seconds. Every result shown. Decide what's worth fixing.