Troja
The Armory

Every way in. All in one scan.

234 checks across security, SEO, and AI visibility. Here's exactly what Troja looks for when it walks your walls.

120 security checks
68 SEO checks
46 AEO checks

Security

120 checks

Injection & Input

22

The classic ways untrusted input becomes code execution or data leak.

  • SQL injection (error, boolean & time-based)
  • NoSQL / operator injection
  • Cross-site scripting (reflected, stored, DOM)
  • Command & template injection probes
  • Open redirect parameters
  • Server-side request forgery (SSRF) surfaces
  • Prompt-injection vectors in AI endpoints

Exposed Secrets

18

Keys and tokens that shouldn't have shipped to the browser.

  • Supabase / Firebase / Clerk keys in client bundle (publishable and anon keys belong there; the finding is a service-role or secret key)
  • Stripe secret & restricted keys
  • AWS / GCP / Azure credentials
  • OpenAI / Anthropic API keys
  • JWT secrets & hardcoded passwords
  • Source maps exposing original, unminified source
  • .env & .git exposure

Headers & Transport

24

The HTTP-level hardening attackers check first.

  • Content-Security-Policy presence & strength
  • Strict-Transport-Security (HSTS)
  • X-Frame-Options / clickjacking
  • X-Content-Type-Options
  • Referrer-Policy & Permissions-Policy
  • TLS version & cipher suite strength
  • Certificate validity & chain
  • Cookie flags (Secure, HttpOnly, SameSite)
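As an added example (not Troja's code), here is how the header audit listed above can be implemented: it takes a constructed set of response headers, grades the CSP, HSTS, framing, nosniff, Referrer-Policy and cookie-flag checks, and returns findings with severities. The header values, severity levels and thresholds are this example's own choices; a real scanner would fetch the headers over HTTPS first.

```python
import re

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires max-age of at least a year

# Constructed sample headers (not captured from any real site): weak CSP,
# short HSTS, no framing protection, sloppy cookie flags.
WEAK_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; SameSite=None"),
]
# The same site after hardening; every check below passes on it.
HARDENED_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

def header_values(headers, name):
    # All values of one header, case-insensitive (Set-Cookie repeats).
    return [v for k, v in headers if k.lower() == name.lower()]

def parse_csp(value):
    # CSP string -> {directive: [source expressions]}
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_csp(headers):
    values = header_values(headers, "Content-Security-Policy")
    csp = parse_csp("; ".join(values))
    findings = [] if values else [("high", "Content-Security-Policy missing")]
    script = csp.get("script-src", csp.get("default-src", []))
    # A nonce or hash makes CSP-aware browsers ignore 'unsafe-inline' (kept as a fallback).
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append(("medium", "CSP script-src allows 'unsafe-inline' with no nonce or hash"))
    if any(s in ("*", "http:", "https:") for s in script):
        findings.append(("medium", "CSP script-src allows scripts from any origin"))
    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options; one of them is needed.
    if "frame-ancestors" not in csp and not header_values(headers, "X-Frame-Options"):
        findings.append(("medium", "no frame-ancestors and no X-Frame-Options: page can be framed"))
    return findings

def check_hsts(headers):
    values = header_values(headers, "Strict-Transport-Security")
    if not values:
        return [("high", "Strict-Transport-Security missing")]
    findings = []
    m = re.search(r"max-age=(\d+)", values[0], re.IGNORECASE)
    max_age = int(m.group(1)) if m else 0
    if max_age < ONE_YEAR:
        findings.append(("low", f"HSTS max-age {max_age}s is below one year"))
    if "includesubdomains" not in values[0].lower():
        findings.append(("info", "HSTS lacks includeSubDomains"))
    return findings

def check_misc_headers(headers):
    findings = []
    xcto = header_values(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if not header_values(headers, "Referrer-Policy"):
        findings.append(("low", "Referrer-Policy missing"))
    return findings

def check_cookies(headers):
    findings = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {k.lower(): v.lower() for k, _, v in (p.partition("=") for p in parts[1:])}
        if "secure" not in attrs:
            findings.append(("medium", f"cookie {name} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(("low", f"cookie {name} lacks HttpOnly"))
        if "samesite" not in attrs:
            findings.append(("low", f"cookie {name} has no explicit SameSite"))
        elif attrs["samesite"] == "none" and "secure" not in attrs:
            findings.append(("medium", f"cookie {name} is SameSite=None without Secure (browsers drop it)"))
    return findings

def audit_headers(headers):
    return (check_csp(headers) + check_hsts(headers)
            + check_misc_headers(headers) + check_cookies(headers))

def worst_severity(findings):
    rank = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=rank.get, default="none")
```

Run `audit_headers(WEAK_HEADERS)` to see ten findings, the worst of them medium, and `audit_headers(HARDENED_HEADERS)` to see none. The `'unsafe-inline'` rule is the one most naive checkers get wrong: with a nonce or hash in the same directive it is a harmless fallback for old browsers, not a weakness.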

BaaS & Database

20

Where Supabase, Firebase, and friends quietly expose your data.

  • Supabase RLS disabled or permissive policies
  • Firebase security rules misconfig
  • Public storage buckets
  • Anonymous read/write on tables
  • Exposed Postgres / GraphQL endpoints
  • Service-role key in client
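Added example, not part of Troja: a small scanner over a constructed JS bundle that serves both the key-pattern checks under Exposed Secrets and the service-role check in the list above. The key prefixes are real vendor conventions, but the lengths in the regexes are this example's approximations, not specifications. The JWT handling relies on Supabase API keys being JWTs whose `role` claim is `anon` (public by design) or `service_role` (bypasses RLS). The sample bundle is constructed: the AWS pair is Amazon's documented example credential, the Stripe key is filler, and the JWTs are built in the block with a dummy signature. Matches are redacted before reporting.

```python
import base64
import json
import re

# Key-shape regexes. Prefixes follow vendor conventions; lengths are approximations.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # AWS secret keys have no prefix, so match them by the variable name beside them.
    "aws_secret_access_key": re.compile(
        r"(?:aws_?)?secret_?access_?key[\"']?\s*[:=]\s*[\"']([A-Za-z0-9/+=]{40})[\"']", re.I),
    "stripe_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    # JWT-shaped string with a dummy signature; only used to build the constructed sample.
    return ".".join([b64url_encode({"alg": "HS256", "typ": "JWT"}),
                     b64url_encode(claims), "dummy-signature"])

def jwt_claims(token):
    try:
        return json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None

def classify_jwt(token):
    # Supabase keys are JWTs; the `role` claim says what the key can do.
    claims = jwt_claims(token)
    if not isinstance(claims, dict):
        return ("low", "JWT-shaped string with unparseable payload")
    role, iss = claims.get("role"), claims.get("iss")
    if iss == "supabase" and role == "service_role":
        return ("critical", "Supabase service_role key: bypasses RLS, must never ship to the browser")
    if iss == "supabase" and role == "anon":
        return ("info", "Supabase anon key: public by design, safe only if RLS is on for every table")
    return ("medium", f"JWT in bundle (iss={iss!r}, role={role!r}): confirm it is short-lived")

def redact(secret):
    return secret[:8] + "..."

def scan_bundle(text):
    # Findings for every secret-looking token in a JS bundle, redacted for reporting.
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            token = m.group(m.lastindex or 0)
            if kind == "jwt":
                severity, note = classify_jwt(token)
            else:
                severity, note = "high", f"{kind} in client bundle"
            findings.append({"kind": kind, "severity": severity,
                             "match": redact(token), "note": note})
    return findings

# Constructed sample bundle (see lead-in); the project ref is a placeholder.
SERVICE_ROLE_KEY = make_unsigned_jwt({"iss": "supabase", "ref": "abcdefghijklmnopqrst",
                                      "role": "service_role", "iat": 1700000000, "exp": 2000000000})
ANON_KEY = make_unsigned_jwt({"iss": "supabase", "ref": "abcdefghijklmnopqrst",
                              "role": "anon", "iat": 1700000000, "exp": 2000000000})
SAMPLE_BUNDLE = "\n".join([
    'const admin = createClient("https://abcdefghijklmnopqrst.supabase.co", "' + SERVICE_ROLE_KEY + '");',
    'const db = createClient("https://abcdefghijklmnopqrst.supabase.co", "' + ANON_KEY + '");',
    'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", '
    'secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" });',
    'const stripe = Stripe("sk_test_' + "4" * 24 + '");',
])
```

`scan_bundle(SAMPLE_BUNDLE)` reports five hits: the AWS pair and the Stripe key as high, the service-role JWT as critical, and the anon JWT as informational. The anon/service-role distinction is the point: both keys look identical to a prefix-only scanner, and only decoding the payload tells you which one was shipped.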

Auth & Access

19

Broken access control, the #1 category in the OWASP Top 10 (2021).

  • Missing / weak CSRF protection
  • Permissive CORS (arbitrary Origin reflected with credentials)
  • JWT algorithm confusion (alg:none, RS256-to-HS256 key confusion)
  • Insecure direct object references (IDOR)
  • Debug / admin endpoints reachable
  • Rate-limiting absence on auth routes
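As an added example of the CORS check (not Troja's code), the probe logic below sends a set of Origin values that catch blind reflection, `null` handling, and prefix/suffix matching bugs, then grades each response. The target origin, probe list and server stand-ins are this example's assumptions; a real scanner replaces the stand-ins with HTTP requests. Note the wildcard case: browsers will not expose a credentialed response behind `Access-Control-Allow-Origin: *`, so the exploitable pattern is a reflected origin combined with `Access-Control-Allow-Credentials: true`.

```python
from typing import Callable, Dict, List, Optional, Tuple

TARGET = "https://app.example"  # assumed target origin

# Probe origins a scanner sends; each one exercises a different allow-list mistake.
PROBES = [
    "https://evil.example",              # arbitrary origin: blind reflection
    "null",                              # sandboxed iframes and file: pages send Origin: null
    "https://app.example.evil.example",  # "origin.startswith(TARGET)" bug
    "https://evilapp.example",           # "origin.endswith('app.example')" bug
]

Server = Callable[[str], Dict[str, str]]  # Origin request header -> response headers

def classify(origin: str, resp: Dict[str, str]) -> Optional[Tuple[str, str]]:
    acao = resp.get("Access-Control-Allow-Origin")
    creds = resp.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers refuse to expose a credentialed response behind ACAO: *, so this
        # is a misconfiguration, not an exploitable one; only public data is readable.
        detail = "with credentials=true (browsers block this combination)" if creds \
            else "(unauthenticated data only)"
        return ("low", f"ACAO: * {detail}")
    if acao == origin:
        sev = "high" if creds else "medium"
        return (sev, f"origin {origin} allowed" + (" with credentials" if creds else ""))
    return None

def probe_cors(server: Server) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for origin in PROBES:
        f = classify(origin, server(origin))
        if f and f not in findings:
            findings.append(f)
    return findings

# Constructed stand-ins for four back ends.
def reflecting_server(origin: str) -> Dict[str, str]:
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

def suffix_bug_server(origin: str) -> Dict[str, str]:
    if origin.endswith("app.example"):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}

def wildcard_server(origin: str) -> Dict[str, str]:
    return {"Access-Control-Allow-Origin": "*"}

def allowlist_server(origin: str) -> Dict[str, str]:
    # Exact-match allow list plus Vary: Origin so caches keep responses per origin.
    if origin in {TARGET, "https://admin.example"}:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    return {}
```

`probe_cors(reflecting_server)` returns four high findings, `probe_cors(suffix_bug_server)` exactly one (the `evilapp.example` probe), `probe_cors(wildcard_server)` a single low note, and `probe_cors(allowlist_server)` nothing.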

Supply Chain & Misc

17

Dependencies, configs, and the long tail of exposure.

  • Known-vulnerable JS libraries
  • Outdated framework fingerprints
  • Verbose error / stack-trace disclosure
  • Directory listing enabled
  • Subresource integrity missing
  • Dangerous CORS preflight handling

SEO

68 checks

Indexability

16

Can Google find, crawl, and index the pages you care about?

  • robots.txt validity & blocked paths
  • XML sitemap presence & freshness
  • Canonical tags & duplicate content
  • noindex / nofollow audit
  • HTTP status & redirect chains

On-Page & Metadata

18

The signals that decide how you appear in results.

  • Title & meta description quality
  • Heading hierarchy (H1–H6)
  • Open Graph & Twitter cards
  • Image alt text coverage
  • Structured data (schema.org) validity

Core Web Vitals

18

Real-user performance signals Google ranks on.

  • Largest Contentful Paint (LCP)
  • Cumulative Layout Shift (CLS)
  • Interaction to Next Paint (INP)
  • Render-blocking resources
  • Mobile-friendliness & viewport

Content & Linking

16

Depth, internal structure, and crawl efficiency.

  • Internal linking depth & orphan pages
  • Content length & readability
  • Broken links & 404s
  • hreflang / i18n correctness

AEO

46 checks

AI Crawler Access

14

Which answer engines are even allowed to read you.

  • GPTBot / ChatGPT-User access
  • ClaudeBot / anthropic-ai access
  • PerplexityBot access
  • Google-Extended (Gemini / Vertex AI training) access; it does not govern AI Overviews, which use Googlebot
  • WAF / Cloudflare bot rules blocking crawlers
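Added example, not Troja's code: per-bot access computed from a constructed robots.txt with the standard library's `urllib.robotparser`. The bot list and paths are assumptions. Two caveats matter in practice: a bot that has its own group ignores the `*` group entirely, and `urllib.robotparser` applies the first matching rule in a group whereas Google and RFC 9309 use the longest match, so order specific rules first when checking with it. robots.txt is also only a request; the WAF rules in the last item above block regardless of what it says.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt (not from any real site): blocks OpenAI's crawlers outright,
# keeps Google-Extended out of /docs/, and says nothing about Anthropic's bots.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/

User-agent: GPTBot
User-agent: ChatGPT-User
Disallow: /

User-agent: Google-Extended
Disallow: /docs/
Allow: /

User-agent: PerplexityBot
Disallow:
"""

AI_BOTS = ["GPTBot", "ChatGPT-User", "ClaudeBot", "anthropic-ai", "PerplexityBot", "Google-Extended"]
PATHS = ["/", "/docs/guide", "/admin/users"]

def crawler_access(robots_txt, bots=AI_BOTS, paths=PATHS):
    # {bot: {path: allowed}} as urllib.robotparser reads the file.
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return {bot: {path: rp.can_fetch(bot, path) for path in paths} for bot in bots}

def blocked_at_root(matrix):
    # Bots that may not fetch the site root at all.
    return sorted(bot for bot, access in matrix.items() if not access["/"])
```

`blocked_at_root(crawler_access(SAMPLE_ROBOTS))` returns `ChatGPT-User` and `GPTBot`. Google-Extended may fetch `/admin/users` even though `*` forbids it, because its own group replaces the default group rather than adding to it; ClaudeBot and anthropic-ai, with no group of their own, inherit the `*` rules.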

Extractability

16

Can the model parse and quote your content without JS?

  • Server-rendered vs JS-only content
  • Clean semantic HTML structure
  • Heading & list parseability
  • Schema depth for answer extraction
  • Table & FAQ markup

Trust Signals

16

Why an engine would cite you over someone else.

  • Authorship & byline signals
  • Publish / update dates
  • Source citations & outbound links
  • Per-engine citation matrix (7 engines)
  • E-E-A-T trust markers

Run all 234 against your site.

Free scan. No signup. You'll see your issue count and severity in about 30 seconds.
