PWNED Ninja

YOU GOT PWNED

[DEMO TARGET] This site is intentionally vulnerable

$ unpwned scan demo.unpwned.io
SCORE: 32/100
[CRITICAL] 2 critical vulnerabilities found
[HIGH] 2 high severity issues detected
[MEDIUM] 4 medium severity warnings
[LOW] 2 low severity notices

Vulnerabilities Found

🔓 No Content-Security-Policy (critical)
🚨 API keys exposed in JS bundle (critical)
👁 Open API endpoints (no auth) (high)
🌍 Permissive CORS (Allow: *) (high)
🛡 No HSTS header (medium)
🍪 Insecure cookies (medium)
🗺 Source maps exposed (medium)
📜 No Privacy Policy or ToS (low)
📧 No SPF/DKIM/DMARC (low)
No rate limiting (medium)

Exposed Secrets in JS Bundle

NEXT_PUBLIC_SUPABASE_URL = "https://xyzfakeproject.supabase.co"
NEXT_PUBLIC_SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6Ik..."
NEXT_PUBLIC_OPENAI_API_KEY = "sk-fake-demo-key-do-not-use-1234567890abcdef"
NEXT_PUBLIC_STRIPE_KEY = "pk_test_fake_demo_key_1234567890abcdef"
NEXT_PUBLIC_API_SECRET = "demo_secret_exposed_in_client_bundle_12345"

Is your app this exposed?

Scan your site for free with UNPWNED — AI-powered security in 60 seconds

This is a deliberately vulnerable demo site by UNPWNED

All API keys and data shown are fake — no real secrets are exposed

unpwned.io — One-scan security for vibe-coded apps