100% Free — 72+ Detection Rules — No Signup

Catch the secrets your web app leaks before attackers do.

ShieldCORE scans any web application for exposed API keys, insecure token storage, missing security headers, dangerous code patterns, and exposed endpoints. One scan. Line-by-line highlights. Concrete fixes for every finding.

Scan any URL — free, unlimited, no signup
Secret detection (29 patterns) · Security headers (9 rules) · Endpoint probes (24 paths) · Paste mode for authenticated content
72+ detection patterns · 10 finding categories · <3s scan time · 100% free forever
The Risk Is Everywhere

Your frontend is a public confession of your secrets.

The browser is not a safe place for credentials. Every day, scrapers harvest leaked API keys from JavaScript bundles faster than developers can rotate them.

Leaked API Keys

Developers ship AWS, Stripe, OpenAI, and GitHub tokens straight into frontend bundles. Automated scrapers find these within minutes of deployment. The first time you see the bill, you've already lost.

12M+ secrets leaked on public GitHub in a single year (GitGuardian's annual secrets-sprawl count)

Tokens In localStorage

"It's sessionStorage, it's safer" — no, it isn't. sessionStorage only limits a token's lifetime and tab scope, not who can read it. Any XSS payload, any compromised third-party script, and any browser extension with access to the page can read every token your app stores. Session hijacking is one line of JS.

XSS remains one of the most common web vulnerabilities (it falls under Injection in the OWASP Top 10)

Missing Security Headers

No CSP. No HSTS. No X-Frame-Options. Every missing header is a class of attack you're not defending against — from clickjacking to protocol downgrade to cross-site script injection.

Only 27% of top sites have proper CSP
Full Coverage

Nine detection engines, one unified report.

Every scan runs the full battery of checks. Every finding includes severity, a plain-English explanation, and the exact fix.

Secret Scanner

Detects AWS, Stripe, Google, Azure, OpenAI, Anthropic, GitHub, GitLab, Slack, Twilio, SendGrid, Mailgun, Firebase, Supabase, and more — plus generic shape-based detection for custom tokens.

29 patterns

Security Headers

Validates HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and CORP — flagging both missing headers and insecure values.

9 rules
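To make those rules concrete, here is an added example, written for this page rather than taken from ShieldCORE's own rule set, that audits a response-header map against checks of the kind listed above and flags both missing headers and weak values. The rule names, the severities, the 180-day HSTS threshold and the two sample header sets are assumptions made for the illustration.

```javascript
// Added example, not ShieldCORE's rule set: audit a map of response headers.
// Severities, thresholds and the two sample header sets are constructed.

// Return the source list of a CSP directive, or null if the directive is absent.
function cspDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === name) return tokens.slice(1).join(' ');
  }
  return null;
}

// Each rule receives the header value (undefined when missing) and the whole
// lowercase-keyed header map, and returns [severity, reason] or null.
const HEADER_RULES = [
  ['Strict-Transport-Security', (v) => {
    if (v === undefined) return ['high', 'missing: the first plain-HTTP request can be intercepted and downgraded'];
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return ['high', 'no max-age directive, so browsers ignore the header'];
    if (Number(m[1]) < 15552000) return ['medium', `max-age=${m[1]} is under 180 days`];
    if (!/includeSubDomains/i.test(v)) return ['low', 'missing includeSubDomains: subdomains stay downgradable'];
    return null;
  }],
  ['Content-Security-Policy', (v) => {
    if (v === undefined) return ['high', 'missing: injected scripts run unrestricted'];
    const script = cspDirective(v, 'script-src') ?? cspDirective(v, 'default-src');
    if (script === null) return ['medium', 'neither script-src nor default-src is set'];
    if (/'unsafe-inline'/.test(script) && !/'(nonce-|sha(256|384|512)-)/.test(script))
      return ['medium', "script-src allows 'unsafe-inline' with no nonce or hash, which defeats the policy"];
    if (/(^|\s)\*(\s|$)/.test(script)) return ['medium', 'script-src allows any origin (*)'];
    return null;
  }],
  ['X-Frame-Options', (v, h) => {
    if (v === undefined) {
      const csp = h['content-security-policy'] || '';
      return cspDirective(csp, 'frame-ancestors') !== null ? null : ['medium', 'missing and no CSP frame-ancestors: clickjackable'];
    }
    return /^(deny|sameorigin)$/i.test(v.trim()) ? null : ['medium', `invalid value "${v}" is ignored by browsers`];
  }],
  ['X-Content-Type-Options', (v) =>
    (v !== undefined && v.trim().toLowerCase() === 'nosniff') ? null : ['medium', 'not "nosniff": browsers may MIME-sniff responses such as user uploads into scripts']],
  ['Referrer-Policy', (v) => {
    if (v === undefined) return ['low', 'missing: URLs carrying tokens or IDs leak to third parties'];
    return /unsafe-url|no-referrer-when-downgrade/i.test(v) ? ['low', `"${v}" sends full URLs cross-origin`] : null;
  }],
  ['Permissions-Policy', (v) => (v === undefined ? ['low', 'missing: powerful browser features are not explicitly disabled for this origin'] : null)],
  ['Cross-Origin-Opener-Policy', (v) =>
    (v === undefined || /unsafe-none/i.test(v)) ? ['low', 'not same-origin: cross-origin openers keep a window reference'] : null],
  ['Cross-Origin-Resource-Policy', (v) => (v === undefined ? ['low', 'missing: responses can be loaded as cross-origin subresources'] : null)],
];

function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;
  const findings = [];
  for (const [name, check] of HEADER_RULES) {
    const r = check(h[name.toLowerCase()], h);
    if (r) findings.push({ header: name, severity: r[0], reason: r[1] });
  }
  return findings;
}

// Constructed samples: a typical default deployment and a hardened one.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  'X-Frame-Options': 'ALLOWALL',
  'Referrer-Policy': 'unsafe-url',
};
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
};

for (const f of auditHeaders(WEAK_HEADERS)) console.log(`[${f.severity}] ${f.header}: ${f.reason}`);
```

The weak set produces eight findings and the hardened set none. Note the X-Frame-Options rule consults the CSP map: a site that sets frame-ancestors has already covered clickjacking, so reporting the legacy header as missing would be a false positive.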

Exposed Endpoints

Probes common sensitive paths: .env files, .git directories, backup archives, admin panels, phpMyAdmin, server-status, and more. Positive-signal checks too (security.txt, robots.txt).

24 paths

Dangerous Code Patterns

Flags eval(), innerHTML assignment, document.write, postMessage with wildcard origin, CORS wildcard with credentials, HTTP URLs in production, debug flags, and verbose console logging.

10 patterns

Storage & Cookies

Inspects every Set-Cookie header for Secure, HttpOnly, and SameSite flags, and scans code for auth tokens written to localStorage or sessionStorage, the most direct route from an XSS bug to full account takeover.

Per-cookie audit
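An added example of the per-cookie audit, illustration code rather than ShieldCORE's implementation: parse each Set-Cookie value, decide by name whether the cookie looks session-like, and apply the flag checks above plus the __Host- prefix rules. The name heuristic, the severities and the sample headers are assumptions.

```javascript
// Added example, not ShieldCORE's code: parse and audit Set-Cookie headers.
// The "session-like" name heuristic and the sample headers are constructed.

const SESSION_LIKE = /sess|auth|token|jwt|sid|login|csrf/i;

// Parse one Set-Cookie header value into a plain object.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    secure: false, httpOnly: false, sameSite: null, domain: null, path: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.trim().split('=');
    const key = k.toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
    else if (key === 'samesite') c.sameSite = val.toLowerCase();
    else if (key === 'domain') c.domain = val;
    else if (key === 'path') c.path = val;
  }
  return c;
}

// Flag checks; a missing HttpOnly only matters on cookies that carry a session.
function auditCookie(c) {
  const out = [];
  const sensitive = SESSION_LIKE.test(c.name);
  if (!c.secure) out.push([sensitive ? 'high' : 'low', 'no Secure: sent in clear over http://']);
  if (sensitive && !c.httpOnly) out.push(['high', 'no HttpOnly: any XSS can read it via document.cookie']);
  if (c.sameSite === null) out.push(['medium', 'no SameSite: relying on the browser default (Lax) instead of stating it']);
  else if (c.sameSite === 'none' && !c.secure) out.push(['high', 'SameSite=None without Secure: modern browsers drop the cookie']);
  if (c.name.startsWith('__Host-') && (!c.secure || c.path !== '/' || c.domain !== null))
    out.push(['high', '__Host- prefix requires Secure, Path=/ and no Domain, otherwise browsers reject it']);
  return out.map(([severity, reason]) => ({ cookie: c.name, severity, reason }));
}

function auditSetCookies(headers) {
  return headers.flatMap((h) => auditCookie(parseSetCookie(h)));
}

// Constructed Set-Cookie values as they might arrive on a login response.
const SAMPLE_SET_COOKIE = [
  'session_id=8f3c2a1e9d; Path=/',
  'auth_token=t0k3nV4lu3; Secure; SameSite=None',
  '__Host-csrf=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/; SameSite=Lax',
];

for (const f of auditSetCookies(SAMPLE_SET_COOKIE)) console.log(`[${f.severity}] ${f.cookie}: ${f.reason}`);
```

The first cookie collects three findings, the second one, the __Host- cookie none, and the theme cookie a single low-severity note, since nothing sensitive rides on it.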

Third-Party Scripts

Inventories every external JavaScript source. Each entry is a supply-chain trust decision — when a CDN gets compromised, every embedder inherits the breach.

Supply-chain map
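As an added illustration (not ShieldCORE's code) of turning that inventory into findings: extract every external script tag, decide whether it is third-party against an assumed first-party host list, and flag scripts loaded without Subresource Integrity or over plain HTTP. The sample markup, the host list and the placeholder integrity hash are constructed.

```javascript
// Added example, not ShieldCORE's code: inventory external scripts and flag
// supply-chain risks. Sample markup, host list and the hash are constructed.

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// name, optionally followed by ="..." | '...' | bare value
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

function inventoryScripts(html, firstPartyHosts, pageUrl = 'https://app.example/') {
  const out = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const a = parseAttrs(m[1]);
    if (!a.src) continue;                                   // inline script: not a supply-chain edge
    let url;
    try { url = new URL(a.src, pageUrl); } catch { continue; }
    const entry = { src: a.src, host: url.host, thirdParty: !firstPartyHosts.includes(url.host), findings: [] };
    if (url.protocol !== 'https:')
      entry.findings.push({ severity: 'high', reason: 'loaded over plain HTTP: anyone on the path can replace the script' });
    if (entry.thirdParty && !a.integrity)
      entry.findings.push({ severity: 'medium', reason: 'no integrity attribute: a compromised CDN ships straight into this page' });
    if (entry.thirdParty && a.integrity && !('crossorigin' in a))
      entry.findings.push({ severity: 'low', reason: 'integrity without crossorigin: the browser gets an opaque response, cannot verify it, and refuses to run the script' });
    out.push(entry);
  }
  return out;
}

// Constructed page; "sha384-PLACEHOLDER" stands in for a real digest.
const FIRST_PARTY = ['app.example', 'static.app.example'];
const SAMPLE_MARKUP = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/vendor.min.js"></script>
<script src="https://cdn.example.net/lib/chart.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://analytics.example.org/track.js"></script>
<script>window.inlineInit = true;</script>
`;

for (const s of inventoryScripts(SAMPLE_MARKUP, FIRST_PARTY))
  console.log(`${s.thirdParty ? '3rd' : '1st'} ${s.host} ${s.src}`, s.findings.map((f) => `[${f.severity}] ${f.reason}`));
```

Same-origin scripts are deliberately not asked for SRI: they ship with the page and change on every deploy. Third-party scripts are the trust decisions, and the http:// one is the only case where an on-path attacker needs no CDN compromise at all.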

Tech Stack Fingerprinting

Identifies WordPress, Shopify, React, Next.js, Vue, Angular, Drupal, Laravel, Django, Rails — flags version disclosures that help attackers target known CVEs.

10 frameworks

Line-by-Line Highlights

Every finding is rendered inline on the exact line it was detected. Click a highlight to jump to the finding card. Click a line number to jump back. Zero hunting.

Visual audit

Paste Mode (Client-Side)

Paste HTML straight from your browser's DevTools to scan authenticated content. The data never leaves your machine — perfect for auditing your own SaaS without risking credential exposure.

100% private
See It In Action

This is what a leaky SaaS looks like.

Real patterns from real-world security incidents. ShieldCORE highlights each one in place — the fix is one click away.

shieldcore / rendered HTML — app.leaky-saas.demo
    window.APP_CONFIG = {
      aws_access_key_id: "AKIAIOSFODNN7EXAMPLE",               // critical: AWS access key shipped in the bundle
      stripeKey: "sk_live_51H7abc123xyz456deFG789...",          // critical: Stripe live secret (only pk_ keys belong in a browser)
      openaiKey: "sk-proj-abc123DEF456ghi789JKL...",            // critical: OpenAI key, billable by anyone who reads it
      slackHook: "https://hooks.slack.com/services/T01ABC..."   // high: incoming webhook, lets anyone post to your Slack
    };

    function login(user, pass) {
      fetch('/api/login', {...}).then(r => r.json()).then(data => {
        localStorage.setItem('auth_token', data.jwt);           // high: session token readable by any XSS
        document.getElementById('u').innerHTML = user;          // medium: attacker-controlled name parsed as HTML
        eval(data.welcomeScript);                               // high: server response executed as code
      });
    }

Grade: F · 16 findings · 5 critical
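For contrast, here is an added rewrite of the demo's login function, illustration code rather than ShieldCORE's remediation output, in which each highlighted client-side pattern is gone: the session token lives in an HttpOnly cookie that the server sets, the username goes through textContent, and the server's welcome behaviour is dispatched through an allowlist instead of eval. The element ids, the /api/login contract, the welcome keys, and the fake DOM and fetch at the bottom are assumptions so the file runs outside a browser.

```javascript
// Added example, not ShieldCORE's output: the demo login hardened.
// Element ids, the API contract and the fakes at the bottom are assumptions.

// The server is expected to answer /api/login with
//   Set-Cookie: session=...; Secure; HttpOnly; SameSite=Lax
// so the token never exists in JavaScript-reachable storage.
function buildLoginRequest(user, pass) {
  return {
    method: 'POST',
    credentials: 'include',             // browser stores and replays the HttpOnly cookie
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ user, pass }),
  };
}

// textContent assigns a string, never markup: "<img onerror=...>" renders literally.
function renderUser(doc, user) {
  const node = doc.getElementById('u');
  node.textContent = user;
  return node.textContent;
}

// Server-chosen behaviour arrives as data and is dispatched through an allowlist,
// replacing eval(data.welcomeScript). Unknown keys (and prototype names) do nothing.
const WELCOME = {
  first_login: () => 'Welcome! Please enable two-factor authentication.',
  returning: () => 'Welcome back.',
};
function applyWelcome(doc, data) {
  const handler = Object.prototype.hasOwnProperty.call(WELCOME, data.welcome) ? WELCOME[data.welcome] : null;
  const msg = handler ? handler() : '';
  doc.getElementById('w').textContent = msg;
  return msg;
}

function login(user, pass, { fetchImpl = globalThis.fetch, doc = globalThis.document } = {}) {
  return fetchImpl('/api/login', buildLoginRequest(user, pass))
    .then((res) => { if (!res.ok) throw new Error(`login failed: ${res.status}`); return res.json(); })
    .then((data) => { renderUser(doc, user); applyWelcome(doc, data); return data; });
}

// Constructed stand-ins so the flow can be exercised without a browser.
function fakeDom() {
  const nodes = { u: { textContent: '' }, w: { textContent: '' } };
  return { nodes, getElementById: (id) => nodes[id] };
}
function fakeFetch(url, init) {
  return Promise.resolve({ ok: true, status: 200, json: () => Promise.resolve({ welcome: 'returning', echoedInit: init }) });
}

login('<img src=x onerror=alert(1)>', 'hunter2', { fetchImpl: fakeFetch, doc: fakeDom() })
  .then((data) => console.log('logged in; credentials mode:', data.echoedInit.credentials));
```

The API keys from the config block have no client-side fix at all: they are rotated and moved behind a backend that makes the AWS, Stripe, OpenAI and Slack calls on the browser's behalf.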
How It Works

From URL to remediation in four steps.

1

Choose Your Mode

Enter a public URL, paste rendered HTML from your authenticated app's DevTools, or bulk-scan up to ten endpoints at once.

2

72+ Checks Run

Secrets, headers, endpoints, dangerous code, cookies, scripts, and stack — all analyzed in a single pass with line-accurate location tracking.

3

Inline Findings

Every vulnerability highlighted in the rendered HTML. Severity-color-coded. Click a highlight to see the fix, jump between matches, filter by severity.

4

Fix & Rotate

Every finding ships with concrete remediation — the exact rotation URL for keys, the config directive for headers, the safer API for dangerous patterns.

Built For

Who needs this yesterday.

Founders & Solo Devs

You ship fast and you know it. Before your next launch, run ShieldCORE and find out what you accidentally left in the bundle. Rotate before anyone else notices.

Agencies & Consultants

Win discovery calls with a security audit. Run ShieldCORE on a prospect's site, walk them through the findings, and close the retainer. White-label reports coming in ShieldCORE Pro.

MSPs & IT Providers

When a client reports "something weird," open ShieldCORE first. Get grounded findings in under three seconds, then scope the remediation engagement accordingly.

DevOps & Release Engineers

Add ShieldCORE's public API to your pre-deploy checks (coming soon). Block releases that leak secrets or drop critical headers. Catch regressions before they reach prod.

FAQ

Honest answers.

Is ShieldCORE really free?
Yes. The URL scan, paste mode, and all 72+ detection rules are free and unlimited. The paid tier (coming later) adds continuous monitoring, white-label reports, and API access for CI/CD integration.
Can I scan a site I don't own?
Only with explicit authorization. ShieldCORE is a read-only analyzer — it never sends exploit payloads or attempts authentication — but the CFAA and similar laws in most jurisdictions still require permission before probing third-party systems. Every scan requires you to confirm you have that permission.
How do I scan pages behind a login?
Use Paste mode. Open your app while logged in, open DevTools, copy the rendered HTML (right-click on <html> → Copy → Copy element), and paste it into ShieldCORE. The content never leaves your browser; we do not accept credentials and we do not log into your applications.
Is Paste mode really private?
Yes. Paste mode runs the entire engine in your browser: no network request is made, nothing is logged, nothing is transmitted. You can verify this yourself by opening DevTools → Network tab and running a paste scan. You'll see zero requests leave the page.
Does ShieldCORE find everything?
No scanner finds everything, and any vendor who claims theirs does is lying. ShieldCORE catches the classes of issue that consistently cost businesses the most real money: leaked credentials, insecure token storage, missing defensive headers, and exposed sensitive paths. It's not a substitute for penetration testing or a dedicated DAST/SAST tool, but it will catch in three seconds what often takes auditors hours to find.
How do you handle false positives?
Each finding carries a confidence level. High-confidence matches use shape-specific regex (AWS keys, Stripe live keys, etc.) and are reliable. Low-confidence matches (like generic api_key variables with nearby high-entropy values) are flagged for human review: we tell you the reason, and you decide.
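An added example, not ShieldCORE's engine, that ties together the Secret Scanner, the Dangerous Code Patterns engine, the line-accurate highlighting and the confidence levels described in this answer: a scanner that layers shape-specific secret patterns (high confidence) over a generic high-entropy catch-all (low confidence, surfaced for review) and a handful of dangerous-code sinks, reporting line and column for each hit. The pattern ids, severities, the 3.5 bits/char entropy cut-off and the sample page are my constructions; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id, and every other value is made up.

```javascript
// Added example, not ShieldCORE's engine: line-tracking secret and sink scanner.
// Pattern ids, severities, the entropy cut-off and the sample page are constructed.

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

const SECRET_PATTERNS = [
  { id: 'aws-access-key', severity: 'critical', confidence: 'high', re: /\bAKIA[0-9A-Z]{16}\b/g,
    fix: 'Deactivate the key in IAM and move the AWS call behind a backend that signs requests' },
  { id: 'stripe-live-secret', severity: 'critical', confidence: 'high', re: /\bsk_live_[0-9A-Za-z]{24,}\b/g,
    fix: 'Roll the key in the Stripe dashboard; browsers should only ever hold pk_ keys' },
  { id: 'slack-webhook', severity: 'high', confidence: 'high',
    re: /https:\/\/hooks\.slack\.com\/services\/T[0-9A-Z]+\/B[0-9A-Z]+\/[0-9A-Za-z]+/g,
    fix: 'Delete the webhook and post from the server' },
  // Generic shape: a secret-like name assigned a long literal. Entropy decides
  // whether it is reported, and even then only as low confidence.
  { id: 'generic-high-entropy', severity: 'medium', confidence: 'low', minEntropy: 3.5,
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']/gi,
    fix: 'Confirm whether this literal is a live credential; if it is, rotate it' },
];

const CODE_PATTERNS = [
  { id: 'eval', severity: 'high', re: /\beval\s*\(/g,
    fix: 'Treat server data as data and dispatch through an allowlist instead of executing it' },
  { id: 'innerhtml-assign', severity: 'medium', re: /\.innerHTML\s*=/g,
    fix: 'Assign textContent, or sanitize with a maintained library first' },
  { id: 'document-write', severity: 'medium', re: /\bdocument\.write\s*\(/g, fix: 'Build nodes with the DOM API' },
  { id: 'postmessage-wildcard', severity: 'medium', re: /\.postMessage\s*\([^)]*,\s*["']\*["']\s*\)/g,
    fix: 'Pass the exact target origin instead of "*"' },
  { id: 'token-in-webstorage', severity: 'high',
    re: /\b(?:local|session)Storage\.setItem\s*\(\s*["'][^"']*(?:token|jwt|auth|session)[^"']*["']/gi,
    fix: 'Keep session tokens in HttpOnly cookies; Web Storage is readable by any script on the page' },
];

// Show enough of a match to locate it without reprinting the whole secret.
function redact(s) { return s.length <= 8 ? s : `${s.slice(0, 6)}...${s.slice(-2)}`; }

function grade(findings) {
  const worst = ['critical', 'high', 'medium', 'low'].find((s) => findings.some((f) => f.severity === s));
  return { critical: 'F', high: 'D', medium: 'C', low: 'B' }[worst] ?? 'A';
}

function scanSource(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const p of [...SECRET_PATTERNS, ...CODE_PATTERNS]) {
      p.re.lastIndex = 0;                          // shared /g regex: restart on every line
      let m;
      while ((m = p.re.exec(line)) !== null) {
        let reason = 'matches a known credential or sink shape';
        if (p.minEntropy !== undefined) {
          const h = shannonEntropy(m[1]);
          if (h < p.minEntropy) continue;          // "changeme"-style placeholders are not reported
          reason = `secret-like name assigned a ${h.toFixed(2)} bits/char literal`;
        }
        findings.push({ line: i + 1, col: m.index + 1, id: p.id, severity: p.severity,
          confidence: p.confidence ?? 'high', match: redact(m[0]), reason, fix: p.fix });
      }
    }
  });
  return { findings, grade: grade(findings) };
}

// Constructed page modelled on the demo earlier on this page.
const SAMPLE_PAGE = `<script>
window.APP_CONFIG = {
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE",
  stripeKey: "sk_live_9vQk2LpX7mZt4RwB8nYc1HdF",
  api_key: "zK3mQ8pL2vX9nR4tW7yB1cD5",
  build: "production"
};
function login(user, pass) {
  fetch('/api/login').then(r => r.json()).then(data => {
    localStorage.setItem('auth_token', data.jwt);
    document.getElementById('u').innerHTML = user;
    eval(data.welcomeScript);
  });
}
</script>`;

const report = scanSource(SAMPLE_PAGE);
console.log(`grade ${report.grade}, ${report.findings.length} findings`);
for (const f of report.findings) console.log(`L${f.line}:${f.col} [${f.severity}/${f.confidence}] ${f.id} ${f.match}`);
```

On the sample page this yields six findings and a grade of F: two high-confidence key matches, one low-confidence entropy hit on api_key, and the three sinks in the login function. The same api_key line holding "aaaaaaaaaaaaaaaaaaaa" is silently skipped, which is the reason the generic rule can exist without drowning reviewers in placeholders.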
How does ShieldCORE relate to SiteCORE?
SiteCORE monitors your website portfolio continuously: uptime, performance, SEO, broken links, and high-level security posture. ShieldCORE runs deep security analysis on a single target at a time. When SiteCORE ships later this year, it will run ShieldCORE's engine automatically across every asset and alert you the second a regression appears.
Is there an API for CI/CD?
Not yet. It's on the roadmap for ShieldCORE Pro. The goal is a single HTTPS endpoint you can curl from your CI pipeline that returns a structured report and a pass/fail exit code.

Find out what your app is leaking.

One scan. Under three seconds. Every finding mapped to a fix. No signup. No credit card.