Guide · 2 min

Scan from the browser

The fastest way to run your first scan. No install, no account, no command line. Best for indie hackers, founders, and anyone who just wants to know if their app is hackable.

1. Open the scanner

Visit the scan page. If you're not signed in, you'll get one free scan; signing up unlocks all 131 rules and unlimited scans.

Open the scanner →

2. Pick how you want to upload code

You have three options. Pick whichever is easiest:

  • 📁 Upload a folder or ZIP

    Drag your project folder or a ZIP into the drop zone. The scanner extracts source files only; node_modules, .git and build outputs are skipped automatically.

  • 📋 Paste a single file

    Use the “Paste code” tab to drop in a single file. Useful for testing one specific function or webhook handler.

  • 🐙 Paste a public GitHub URL

    Paste any public GitHub repo URL. The scanner clones it server-side and scans the source. For private repos, use the CLI on your own machine (see the CLI guide).

3. Wait ~5 seconds

The scan runs against 131 security rules tuned for AI-generated code (Cursor, Bolt, Lovable, Replit patterns). Most projects finish in 2–8 seconds.

What you should see while it runs:

  • “Extracting files...” (if you uploaded a ZIP)
  • “Scanning N files for vulnerabilities...”
  • A grade circle (A+ to F) and a list of findings

4. Read the findings

Findings are sorted by severity. The dashboard now also surfaces a “Top Fixes to Make Right Now” card with the three highest-severity issues for the latest scan.

🔴 Critical

Fix immediately. These are exploitable. Examples: hardcoded API keys, unprotected webhooks, SQL injection.

🟠 High

Fix before your next deploy. Examples: missing auth on admin routes, weak crypto, CORS misconfigs.

🟡 Medium

Plan to fix this sprint. Examples: insecure cookies, missing security headers.

🔵 Low

Best-practice fixes. Examples: console.log of sensitive data, missing rate limit comments.

5. Apply a fix and re-scan

Each finding comes with a copy-paste fix snippet. Apply it, then run the scan again. The dashboard will show how many issues you fixed compared to your previous scan.

Troubleshooting

  • “ZIP file too large”

    Re-zip the project without node_modules, .git, dist, and .next. The browser starts struggling above ~100MB.

  • “No readable source files found”

    Make sure you're uploading source code (.js, .ts, .py, .go, etc.), not compiled bundles or images.

  • “Scan failed”

    Try a smaller folder first. If it still fails, paste a single file to confirm the scanner is reachable, then email admin@xploitscan.com.

Want this to run automatically on every commit?

Next: Set up the CLI →