I was freelancing as a security consultant when I noticed a disturbing pattern: 94% of the production sites I audited had critical vulnerabilities. Exposed API keys in JavaScript bundles, missing security headers, publicly accessible .env files, Supabase projects without Row Level Security policies.

The worst part? Most founders had no idea. They'd pass compliance audits (SOC 2, ISO 27001) but still have their Stripe secret keys hardcoded in their React app.

Then I ran my own SaaS through the same checks. I found 6 critical issues in my own code, including an exposed API key that had been sitting in my production bundle for 3 months. That's when I realized: if I'm making these mistakes as someone who knows security, what about everyone else?

I built CyberChecker to solve this: automated security scanning that finds the vulnerabilities that actually matter, in under 60 seconds.

What it does

CyberChecker runs 50+ automated security checks on any website:

🔐 SSL/TLS Security
- Certificate expiration detection
- Insecure protocol detection (TLS 1.0/1.1)
- HSTS header validation
- HTTPS enforcement checks

🛡️ Security Headers
- Content-Security-Policy presence
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options
- CORS misconfiguration detection
- Referrer-Policy implementation

🔑 Exposed Secrets Detection
- API keys in JavaScript bundles (Stripe, AWS, OpenAI)
- Database connection strings
- JWT tokens in client-side code
- OAuth credentials
- Uses entropy analysis + context validation (not just regex)

🗄️ Database Security
- Supabase Row-Level Security (RLS) policy validation
- Exposed database credentials
- Error message disclosure
- Connection string leakage

📁 Sensitive File Exposure
- .env configuration files
- .git repository access
- Database backups (.sql, .dump)
- Server config files (wp-config.php, database.yml)

🐛 OWASP Top 10
- SQL injection pattern detection
- XSS (Cross-Site Scripting) vulnerabilities
- CSRF token presence in forms
- Insecure cookie configurations
- Directory traversal patterns

💳 Payment Security
- Stripe API key exposure
- Test vs live key detection
- Webhook endpoint security

The scan completes in ~60 seconds and provides:
- Free preliminary scan: vulnerability count by severity
- $39 full report: exact locations, copy-paste code fixes, step-by-step remediation, downloadable PDF

How I built it

Tech Stack
- Frontend: Next.js 14, React, TailwindCSS
- Backend: Next.js API Routes on Vercel Edge Functions
- Database: Supabase (PostgreSQL with JSONB storage)
- Payments: Stripe Checkout
- PDF Generation: jsPDF
Challenges I faced

1. False Positives in Secrets Detection

The initial version flagged 60% false positives. Comments like // API key goes here triggered alerts.

Solution: Built entropy analysis + context validation. Now down to a ~5% false positive rate.

2. Vercel Edge Function Timeouts

The Vercel Hobby tier has a 10s timeout. Some scans took 45+ seconds.

Solution:
- Parallel execution (not sequential)
- Aggressive HTTP request timeouts (3s max)
- Skip slow scanners gracefully
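The entropy-plus-context approach from Challenge 1 (the same technique listed under Exposed Secrets Detection above), shown as an added JavaScript example. This is not CyberChecker's code: the prefix patterns, entropy thresholds, placeholder word list, context-identifier list and the sample bundle text are all constructed for illustration.

```javascript
// Added example, not CyberChecker's code: a line-oriented secrets scanner for bundle text that
// combines known-prefix patterns, Shannon entropy and context validation. Prefix list,
// thresholds and the sample bundle are constructed assumptions, not the product's real ruleset.

const KNOWN_KEY_PATTERNS = [
  { name: "Stripe live secret key", severity: "critical", re: /\bsk_live_([A-Za-z0-9]{16,})\b/g },
  { name: "Stripe test secret key", severity: "high", re: /\bsk_test_([A-Za-z0-9]{16,})\b/g },
  { name: "AWS access key ID", severity: "critical", re: /\bAKIA([0-9A-Z]{16})\b/g },
  { name: "OpenAI API key", severity: "critical", re: /\bsk-([A-Za-z0-9]{20,})\b/g },
];
// Generic candidate: a quoted run of 20+ key-like characters with no known prefix.
const GENERIC_RE = /["'`]([A-Za-z0-9_\-]{20,})["'`]/g;
// An identifier that makes a high-entropy string plausibly a credential.
const SECRET_CONTEXT_RE = /key|secret|token|passw|auth|credential|private/i;
// Values developers leave in code that are not real credentials.
const PLACEHOLDER_RE = /example|sample|placeholder|your|replace|changeme|todo|dummy|fake|xxx/i;
const MIN_ENTROPY_KNOWN = 3.0;   // bits/char for the body after a known prefix (assumed)
const MIN_ENTROPY_GENERIC = 3.5; // bits/char for a generic quoted candidate (assumed)

// Shannon entropy in bits per character: 24 repeated zeros score 0, 32 distinct chars score 5.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Index of the first "//" outside a string literal, or line.length if the line has none.
// Multi-line /* */ comments are out of scope for this line-oriented example.
function lineCommentStart(line) {
  let quote = null;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quote) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      quote = ch;
    } else if (ch === "/" && line[i + 1] === "/") {
      return i;
    }
  }
  return line.length;
}

// Identifier or property name the candidate is assigned to, e.g. apiToken in `apiToken = "..."`.
function contextName(prefix) {
  const m = /["']?([A-Za-z_$][\w$-]*)["']?\s*[:=]\s*$/.exec(prefix);
  return m ? m[1] : "";
}

function scanBundle(source) {
  const findings = [];
  const rejected = [];
  source.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    const commentAt = lineCommentStart(line);
    const seen = new Set(); // one value may match both a known pattern and the generic regex

    const consider = (c) => {
      if (seen.has(c.value)) return;
      seen.add(c.value);
      const reject = (reason) => rejected.push({ line: lineNo, value: c.value, reason });
      if (c.index >= commentAt) return reject("in comment");
      if (PLACEHOLDER_RE.test(c.value)) return reject("placeholder");
      const entropy = shannonEntropy(c.body);
      if (entropy < c.minEntropy) return reject(`low entropy (${entropy.toFixed(2)} bits/char)`);
      if (c.needsContext && !SECRET_CONTEXT_RE.test(contextName(line.slice(0, c.index)))) {
        return reject("no secret-bearing identifier in context");
      }
      findings.push({ line: lineNo, type: c.name, severity: c.severity, value: c.value,
                      entropy: Number(entropy.toFixed(2)) });
    };

    for (const p of KNOWN_KEY_PATTERNS) {
      for (const m of line.matchAll(p.re)) {
        consider({ value: m[0], body: m[1], index: m.index, name: p.name,
                   severity: p.severity, minEntropy: MIN_ENTROPY_KNOWN, needsContext: false });
      }
    }
    for (const m of line.matchAll(GENERIC_RE)) {
      consider({ value: m[1], body: m[1], index: m.index, name: "Generic high-entropy secret",
                 severity: "high", minEntropy: MIN_ENTROPY_GENERIC, needsContext: true });
    }
  });
  return { findings, rejected };
}

// Constructed bundle excerpt: one live-looking key and one token among a bare comment, a
// commented-out key, a zeroed placeholder, the example access key ID from the AWS docs,
// and a high-entropy build hash that is not a credential.
const SAMPLE_BUNDLE = `// API key goes here
// const oldKey = "sk_test_8nQ2vB7mK4pL9xZ3cR6tW1yH5dF0gJ";
const STRIPE_KEY = "sk_live_000000000000000000000000"; // injected at build time
const stripe = Stripe("sk_live_51Hq2nKJx9aB3cD4eF5gH6iJ7kL8mN9oP");
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const buildHash = "f3a9c1e7b2d4a6c8e0f1b3d5a7c9e2f4";
const apiToken = "gQ7xL2mZ9pT4rV8wY1kD5nB6jH3fC0sA";`;

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
```

Run against the sample, only the live Stripe key and the `apiToken` value are reported; the commented-out key, the zeroed placeholder, the AWS documentation ID and the build hash are each rejected for a different reason, which is the distinction a regex-only scanner cannot make. Real bundles add two complications this example skips: minified output puts a whole chunk on one line, so "in comment" handling must parse block comments rather than lines, and source maps shipped next to the bundle often contain the original, unminified assignment that the context check needs.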
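The parallel, per-scanner deadline scheme from Challenge 2, as an added JavaScript example rather than the project's own code. Timer-based scanner stubs stand in for real HTTP probes, and the 200 ms demo budget is scaled down from the 3 s cap described above; both are assumptions for illustration.

```javascript
// Added example, not CyberChecker's code: run independent scanners in parallel with one
// deadline each, and record a timeout or network error as a skipped scanner instead of
// letting it fail the whole scan. Scanner stubs and budgets are constructed assumptions.

class ScanTimeoutError extends Error {
  constructor(scannerName, ms) {
    super(`${scannerName} exceeded its ${ms} ms budget`);
    this.name = "ScanTimeoutError";
    this.scanner = scannerName;
  }
}

// Race a scanner against a timer. The timer is always cleared so a finished scanner
// does not leave a pending timeout holding the invocation open.
function withTimeout(promise, ms, scannerName) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new ScanTimeoutError(scannerName, ms)), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Fold Promise.allSettled outcomes into a report: fulfilled -> ok, ScanTimeoutError ->
// timed_out, anything else -> error. Pure, so it can be tested without timers.
function summarize(scanners, settled, elapsedMs) {
  const results = settled.map((outcome, i) => {
    const name = scanners[i].name;
    if (outcome.status === "fulfilled") {
      return { name, status: "ok", findings: outcome.value };
    }
    const timedOut = outcome.reason instanceof ScanTimeoutError;
    return { name, status: timedOut ? "timed_out" : "error", findings: [], note: outcome.reason.message };
  });
  const counts = { ok: 0, timed_out: 0, error: 0 };
  for (const r of results) counts[r.status] += 1;
  return { elapsedMs, counts, results, findings: results.flatMap((r) => r.findings) };
}

// All scanners start at once, so wall time is bounded by the slowest scanner or the
// per-scanner budget, whichever is smaller, not by the sum of their latencies.
async function runScanners(scanners, budgetMs) {
  const started = Date.now();
  const settled = await Promise.allSettled(
    scanners.map((s) => withTimeout(s.run(), budgetMs, s.name))
  );
  return summarize(scanners, settled, Date.now() - started);
}

// Stub scanner: resolves with canned findings (or rejects) after a simulated latency.
function stubScanner(name, latencyMs, findings, fail = false) {
  return {
    name,
    run: () => new Promise((resolve, reject) => {
      setTimeout(() => (fail ? reject(new Error(`${name}: connection refused`)) : resolve(findings)), latencyMs);
    }),
  };
}

// Constructed scanner set: two fast, one slower than the demo budget, one that errors out.
const DEMO_SCANNERS = [
  stubScanner("tls", 50, [{ severity: "high", title: "TLS 1.0 still enabled" }]),
  stubScanner("headers", 80, [{ severity: "medium", title: "No Content-Security-Policy header" }]),
  stubScanner("sensitive-files", 600, [{ severity: "critical", title: ".env is publicly readable" }]),
  stubScanner("secrets", 30, [], true),
];
const DEMO_BUDGET_MS = 200; // scaled down from a 3 s cap so the demo finishes quickly

runScanners(DEMO_SCANNERS, DEMO_BUDGET_MS).then((report) => console.log(JSON.stringify(report, null, 2)));
```

With the demo set, the report comes back in roughly 200 ms with two `ok` scanners, one `timed_out` and one `error`, and the findings from the two that finished are still delivered. One caveat for real probes: `Promise.race` abandons the slow promise but does not cancel the underlying request, so a production scanner should also pass an `AbortController` signal to `fetch` and abort it from the same timer, otherwise the connection keeps consuming the function's remaining time.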
3. Rate Limiting by Target Sites

Some sites (especially Cloudflare-protected) blocked the scanner.

Solution: Added rotating user agents, respectful delays, and clear error messages explaining limitations.

Deployment: Vercel
Built With
- next
- stripe
- supabase
- vercel