complyeah
Security scan · Cursor

Free security check for apps built with Cursor

Cursor writes a lot of code quickly - including, sometimes, a secret hardcoded where it shouldn't be. Run a free external check to catch the keys and config that end up shipped to the browser.

Free, no card. You verify you own the domain before anything runs.

Common Cursor security pitfalls we check

Hardcoded secrets in generated code

AI-generated snippets often inline an API key to 'just make it work'. If that file reaches the client bundle, the key is public.

Server env leaked to the client

Misusing framework env prefixes (e.g. NEXT_PUBLIC_) can push a server secret into the front end. We scan the shipped bundle for provider-shaped keys.

Weak or missing security headers

HSTS, X-Content-Type-Options, and clickjacking protection are easy to forget.

TLS/redirect gaps

Plain HTTP served without redirecting to HTTPS on the deployed domain.

The free scan covers the externally-visible issues above (exposed secrets, TLS, security headers, email-DNS). When a customer asks for SOC 2, the same account upgrades to the full $50 external pentest with an auditor-ready report.