Report
What AI-built apps most commonly leak
When an AI-built app has an exposed surface, the same handful of mistakes keep showing up. Below is the ranking of exposure types we see most often, anonymized. This is what we see, ordered by how often we see it. It is not an estimate of how common these problems are across all apps. Read the methodology before you read the ranking.
Updated July 2026. JavaScript and TypeScript apps.
Methodology, read this first
This ranking comes from more than 1,000 completed app scans. Every scan is read-only and outside-in: it reads only what a browser already downloads and checks database access from the outside.
The sample is selection-biased. Most of these apps were found by a crawler that surfaces apps precisely because they look likely to be exposed. Only a small, self-selected set came from builders who ran our public scanner on their own app. That means the apps here are not a random sample of the web.
So we do not publish a "X percent of apps leak" number, and we do not, and cannot, tell you how common any of this is in the wild. What we can honestly say is this: among the apps we reviewed that did have an exposed surface, here is which kinds of exposure we ran into most. Ordinal ranking, no prevalence claim, no app named.
Most common exposures, in order
Ranked by how often we see each type when an app has an exposed surface.
- 1
Missing or weak security headers and transport settings
Absent security headers, a weak or missing Content-Security-Policy, cookies set without protective flags, or missing HTTPS. Individually minor, together they widen every other risk.
How to check yours: The free scan reads your response headers and transport setup and lists what is missing. Run the free scan.
- 2
Other exposed surfaces
Everything else the outside-in scan can reach: reachable config or metadata files, verbose error and stack traces, open redirects, unsafe CORS, and unauthenticated API endpoints.
How to check yours: The free scan probes these common paths passively and reports anything that answers. Run the free scan.
- 3
Public source maps that reveal your code
Production source maps served to anyone, handing over your original, unminified code and sometimes secrets or private endpoints that were meant to stay internal.
How to check yours: The free scan requests the source-map paths a browser would and tells you if your code is being published. Run the free scan.
- 4
Open or world-readable database
A backend where the public key can read rows it should not, usually Row Level Security left off, so any visitor's key can pull user data straight from the API.
How to check yours: The free scan checks your database access from the outside using only your app's own public key, without logging in or writing anything. Run the free scan.
- 5
Exposed API keys and secrets in the browser bundle
A live secret (a service key, a database credential, a payment or model API key) shipped inside the JavaScript any visitor downloads. Once it is in the bundle, it is public.
How to check yours: The free scan reads only what a browser already downloads and flags known secret patterns in your bundle. Run the free scan.
Check your own app
See what your app leaks to any visitor
Paste your app URL. The scan reads only what a browser already downloads and checks your database access from the outside, then shows you exactly what is exposed. Read-only, no login, free.
If the scan finds something
We fix the finding, prove the fix in an isolated sandbox, and hand you a reviewable pull request. Fixing a finding starts at $149. Full refund if we miss a confirmed issue.