How do I know if my website is secure?
Short answer
Run four checks: (1) scan for leaked secrets in your code, (2) verify your database access controls, (3) check your HTTP security headers, (4) run a vulnerability audit on your deployed URL. Securie's free tools do all four in about 5 minutes, no signup required.
The 5-minute assessment for any website:
- **Leaked secrets check** — scan your GitHub repo for committed API keys. /tools
- **Database access** — if using Supabase/Firebase, verify Row-Level Security / rules are configured. /signup for Supabase
- **Security headers** — run securityheaders.com or check your deployed URL manually. Missing CSP, HSTS, X-Frame-Options are red flags.
- **Vulnerability scan** — /tools gives you a grade A-F based on the shipped JS bundle, exposed APIs, and known CVEs in dependencies.
Common 'not secure' signals:
- Environment variables starting with NEXT_PUBLIC_ / VITE_ containing secrets
- Supabase / Firebase with default-allow policies
- No HTTPS redirect (still happens)
- Dependencies with high-severity CVEs
- No rate limit on paid-API endpoints
Once you know, the fixes usually take 5-30 minutes each. Installing Securie makes the check continuous.
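The security-headers check and the "No HTTPS redirect" signal above can be evaluated against response headers you have captured from your deployed URL. The sketch below is an added example, not Securie's code; the function name `audit_headers` and the sample responses are constructed for illustration.

```python
import re

def audit_headers(headers, http_status=None, http_location=None):
    """Return findings for one HTTPS response. Optionally pass the status and
    Location header returned by the plain http:// URL to check the redirect."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not m or int(m.group(1)) == 0:
        # max-age=0 tells browsers to forget the HSTS policy
        findings.append("HSTS present but max-age is 0 or unparsable")

    # Framing protection comes from X-Frame-Options or a CSP frame-ancestors
    # directive (only its presence is checked here, not its value).
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("no framing protection (X-Frame-Options / frame-ancestors)")

    if http_status is not None:
        location = (http_location or "").lower()
        if not (http_status in (301, 302, 307, 308) and location.startswith("https://")):
            findings.append("http:// does not redirect to https://")
    return findings

# Constructed sample responses (not taken from any real site).
WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
HARDENED = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK, 200, None))
    print("hardened:", audit_headers(HARDENED, 301, "https://example.com/") or "OK")
```
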
People also ask
Is my Supabase public?
Your Supabase is public by default on any table without Row-Level Security enabled. Anyone with your anon key (which shi…
How do I check if my API key leaked on GitHub?
Scan your full git history (not just HEAD) for patterns matching your vendor's key format — OpenAI (sk-), Stripe (sk_liv…