Changelog — Security Scanner

2026-04-25

New: 14 scan modules — XSS probe, cookie audit, Firebase deep probe, unsafe JS patterns, AI code fingerprinting, hallucination detection, GraphQL mutation testing, WebSocket probe, open redirect, CSP bypass analysis, HSTS preload check, DNS zone transfer, Supabase Edge Function probe, dependency confusion check. Scanner now runs 80+ modules.
New: PDF export for scan reports + OWASP Top 10 compliance report (PDF)
New: 'Copy fix to Cursor' button on every finding
New: trust badge — embeddable SVG showing your scan grade
New: CI/CD webhook — trigger scans from GitHub Actions, Vercel, Netlify deploy hooks
New: Slack/Discord notifications on scan completion
New: finding suppression — mark findings as accepted risk / false positive / won't fix
New: disclosure automation API — generates disclosure drafts for CRIT targets
New: public scan results pages at /scan/{host} (SEO-indexed)

2026-04-24

New: blog post 'Beyond Supabase RLS: 5 other critical vulnerabilities'
New: Q2 2026 State of Vibe-Coded Security report at /reports/2026-q2
New: platform landing pages — /for/lovable, /for/bolt, /for/replit, /for/vercel
New: free tool pages — /tools/supabase-rls-check, /tools/header-check, /tools/xss-check, /tools/ssl-check, /tools/api-key-check
New: vulnerability reference pages — /vulns/supabase-rls, /vulns/idor, /vulns/api-key-leak, etc.
New: integration docs — /docs/integrations/github-actions, vercel-deploy, cursor-mcp
New: Platforms dropdown menu in header navigation
Fix: github-dork false positive reduction — keyword dorks capped at MEDIUM, min 2 hits required
Fix: blog post technical accuracy corrections (per-platform rates, table frequencies)

2026-04-16

New: scan-without-signup quick scan on landing page hero
New: mobile-responsive landing page (hamburger menu, stacked layout)
New: mobile-responsive dashboard (sidebar drawer, adapted grids)
New: blog post 'Lovable vs Bolt vs Replit: who's leaking the most Supabase data?'
New: /favicon.svg, OG/Twitter cards, FAQ section, /sitemap.xml, /robots.txt, /blog/rss.xml
New: /changelog, /status, /api/newsletter + signup form in footer
Fix: blog card clicks (removed nested <a> tags)
Fix: ChatGPT OAuth flow (preserve ?next= through Google round-trip, SameSite=None cookies)

2026-04-15

New: 'What we check' capabilities section on the homepage — 80+ modules across 7 categories
New: blog redesign with hero + card grid + tags + reading time
New: /.well-known/security.txt for responsible-disclosure researchers
New: per-user hourly scan rate-limit + email-verify gate + target-add flood detection
New: public /health endpoint with live scanner state
Fix: text selection in finding rows no longer collapses the row
Infra: scaled to t3.2xlarge for HN-launch traffic; CF cache + rate-limit rules deployed
Billing: Stripe production live (PAYG, Monthly, Pro all chargeable)

2026-04-14

New: 14 modules — GraphQL introspection, default-port DB probe, infra-leak paths, S3/GCS bucket extraction, OAuth open-redirect, JWT weak-secret crack, session entropy, Hasura anonymous-role audit, typosquat detection, K8s/Docker unauth API checks, Supabase service_role JWT detection, plus 17 new secret patterns
Fix: ai-triage no longer over-demotes deterministic findings
Fix: Supabase deep-probe now scans JS bundles (was HTML-only) and probes real table names extracted from .from() / .rpc() / .storage / .functions calls

2026-04-13

New: AI chat prompt-injection probe with 2 minimal canary probes per endpoint
New: IDOR / BOLA sweep with PII-leak detection in response bodies
New: WAF / CDN fingerprinting (Cloudflare, Akamai, Fastly, Vercel, Netlify, etc.)

2026-04-12

New: scan-diff UI — compare two runs for the same target, see what changed
New: per-scan email notifications (first-scan welcome, daily digest, CRIT/HIGH alerts)
Fix: scoping bug — UNIQUE(host) is now per-user, not global