← Back to home
Platform security scanner · Cursor

Security scanner for Cursor apps.
Before a bot finds your keys first.

1 in 3 Cursor apps leaks an API key in the browser. 60% of Cursor apps we audited shipped a Stripe, OpenAI, Supabase service_role, or postgres:// string in the client bundle. vibeAudit greps for all of them in ~30 seconds — every hit validated against a live endpoint.

Cursor apps scanned
350+
Average security score
41/100
Leak API keys
33%
The usual suspects

Top vulnerabilities in Cursor apps.

Three patterns we find in nearly every Cursor project. All discoverable from a live URL — no source code, no access required.
critical · pattern 01

API keys in client-side JS

Cursor happily puts Stripe, OpenAI, and database credentials directly into client-side JavaScript. Anyone can view-source and steal them.

critical · pattern 02

NEXT_PUBLIC_ prefix trap

Cursor uses NEXT_PUBLIC_ for env vars that should stay server-side. This bundles your secrets into the client JS where anyone can extract them.

critical · pattern 03

No input validation

Cursor builds the happy path only. API endpoints accept any input without validation, opening the door to injection attacks and data corruption.

The method

Three steps. ~30 seconds.

Read-only probes. Works with Vercel, Netlify, Railway, Cloudflare Pages, or any deployed URL.
01 · INPUT

Paste your URL

Drop in your deployed app URL. vibeAudit detects Next.js, React, and your full stack automatically.

02 · SCAN

AI runs 100+ attacks

Secret scanning across the full bundle, injection testing, auth bypass, and more — from a real Chromium browser.

03 · REPORT

Get every fix

Every leaked key and vulnerability with severity rating and copy-paste fix code for Next.js and your framework.

Scan your app

Point it at your Cursor app.

Read-only. No source code. No signup. Free tier returns vulnerability counts and severity breakdown.
vibeaudit / scan · cursor
$
Vercel, Netlify, Railway, Cloudflare Pages, Render, or any deployed URL.
Read-only scan No source code needed Free tier available
Questions

Cursor security FAQ.

These answers mirror the FAQPage schema exactly — they're what AI engines read when users ask about Cursor security.

Does Cursor really leak API keys in production apps?
Yes. vibeAudit's April 2026 audit of Cursor-built apps found 60% leaked at least one API key in the client JavaScript bundle — Stripe secret keys, OpenAI keys, Supabase service_role JWTs, and raw postgres:// connection strings. All visible via View Source. Cursor optimizes for speed, not secret-hygiene.

How do I find leaked API keys in a Cursor app?
Paste your app URL into vibeAudit. It greps the deployed bundle for sk_live_ (Stripe), sk- (OpenAI), AKIA (AWS access key), service_role (Supabase god-mode JWT), postgres:// (direct DB), GitHub tokens, Firebase config, and -----BEGIN private key blocks. Each hit is validated against a live endpoint before it counts as a finding.

What is the NEXT_PUBLIC_ prefix trap?
In Next.js, any environment variable prefixed with NEXT_PUBLIC_ gets bundled into the client-side JavaScript. Cursor frequently adds this prefix to variables that should stay server-side — database URLs, Stripe secret keys, Supabase service_role tokens. vibeAudit flags NEXT_PUBLIC_ prefixed secrets as CRITICAL because they're shipped to every visitor's browser.

How do I fix a leaked API key after vibeAudit finds it?
Step 1: rotate the key immediately in the provider dashboard — the old one is burned the moment it hit the bundle. Step 2: remove the NEXT_PUBLIC_ prefix (or move the secret into a server-only env file) and redeploy. Step 3: add a build-time check that fails the deploy if secret patterns appear in the client bundle. vibeAudit's $4.99 deep scan returns the exact bundle location of each leak plus copy-paste fix code.

How fast are leaked keys exploited?
Minutes. Public GitHub repos are scraped by bots within seconds of push. Deployed frontends with leaked Stripe keys have been drained inside an hour of going live. vibeAudit exists because waiting to 'get around to security' means paying the breach before you pay the fix.

Can vibeAudit scan Cursor apps on Vercel, Netlify, and Railway?
Yes. vibeAudit tests the live URL, regardless of hosting provider. It works with Vercel, Netlify, Railway, Cloudflare Pages, Render, and any custom domain. The scan takes ~30 seconds and needs no access to your source code or deploy pipeline.

Is there a free tier of vibeAudit for Cursor developers?
Yes. The free scan returns total vulnerability counts, severity breakdown, and the top categories of issues found. The $4.99 deep scan adds full evidence, reproduction steps, the exact bundle location of each leaked key, and copy-paste fix code.

Scan your Cursor app. Free.

Run a scan Read the API leak guide
read-only · no source code · refund if we find nothing