How do I know if my website is secure?

Short answer

Run four checks: (1) scan for leaked secrets in your code, (2) verify your database access controls, (3) check your HTTP security headers, (4) run a vulnerability audit on your deployed URL. Do each yourself with trufflehog + Supabase Studio + securityheaders.com — or request Securie access to have all four run when your repo is enabled.

The 5-minute assessment for any website:

  • **Leaked secrets check** — run `trufflehog git file://.` or `gitleaks detect` locally. Both are free open-source tools.
  • **Database access** — if using Supabase, open Studio → Authentication → Policies. Every table with user data needs RLS ON + a policy scoped by `auth.uid()`. Firebase: check your rules file is not default-allow.
  • **Security headers** — run securityheaders.com on your deployed URL. Missing CSP, HSTS, X-Frame-Options are red flags.
  • **Vulnerability scan** — run `npm audit --production` locally; check your framework version against the latest CVEs.

Common 'not secure' signals:

  • Environment variables starting with NEXT_PUBLIC_ / VITE_ containing secrets
  • Supabase / Firebase with default-allow policies
  • No HTTPS redirect (still happens)
  • Dependencies with high-severity CVEs
  • No rate limit on paid-API endpoints
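As an added example (not part of the original page or of Securie), a small Python check for the first signal above: browser-exposed variables (NEXT_PUBLIC_ / VITE_) whose name or value looks like a credential. The secret-name pattern, the entropy threshold and the allowlist of intentionally public names (the Supabase anon key) are assumptions chosen for this example, and the sample .env is constructed.

```python
import math
import re

# Prefixes Next.js and Vite inline into the browser bundle: anything here is public.
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_")
# Names that signal a server-side credential (assumed heuristic list for this example).
SECRET_NAME_RE = re.compile(r"SECRET|PRIVATE|SERVICE_ROLE|PASSWORD|TOKEN|API_KEY", re.I)
# Assumed allowlist: the anon key is meant for the browser and is safe only with RLS on (check 2).
KNOWN_PUBLIC = {"NEXT_PUBLIC_SUPABASE_ANON_KEY", "VITE_SUPABASE_ANON_KEY"}

def shannon_entropy(value: str) -> float:
    """Bits per character; random API keys score far higher than words or short IDs."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))

def parse_env(text: str) -> dict:
    """Minimal .env reader: KEY=VALUE per line, comments skipped, surrounding quotes stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def find_exposed_secrets(env: dict, min_len: int = 32, min_entropy: float = 4.0) -> dict:
    """Map each browser-exposed variable that looks like a credential to the reason it was flagged."""
    findings = {}
    for name, value in env.items():
        if not name.startswith(PUBLIC_PREFIXES) or name in KNOWN_PUBLIC:
            continue  # server-side variables and known-public values are fine
        if SECRET_NAME_RE.search(name):
            findings[name] = "secret-looking name with a public prefix"
        elif not value.startswith(("http://", "https://")) and len(value) >= min_len \
                and shannon_entropy(value) >= min_entropy:
            findings[name] = "high-entropy value with a public prefix"  # URLs are skipped
    return findings

# Constructed sample .env; every value below is a placeholder, not a real credential.
SAMPLE_ENV = """NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ.anon.placeholder
NEXT_PUBLIC_SERVICE_ROLE_KEY=eyJ.service-role.placeholder
VITE_PAYMENTS_API_KEY="sk_placeholder_0000"
NEXT_PUBLIC_UPLOAD_SIGNATURE=q7Kp2ZmX9vLn4RtW8bJc1FhY5sDg3NxA6uE0oVi
VITE_APP_NAME=demo
SUPABASE_SERVICE_ROLE_KEY=eyJ.server-only.placeholder
"""
EXPOSED = find_exposed_secrets(parse_env(SAMPLE_ENV))  # names that must move server-side
```

Anything it reports should be moved to a server-only variable and the exposed value rotated; a missing allowlist entry is a false positive to add, not a reason to lower the threshold.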

Once you know, the fixes usually take 5-30 minutes each. When your repo is enabled, Securie runs these checks with a plain-English report and proposed PR fixes. Request access at /scan.
