HMWHack My WebsiteSecurity scans for AI-built websitesOpen scanner

Find the security holes in your website before someone else does.

Hack My Website is an automated security scanner designed specifically for websites built with AI coding tools like Cursor, Lovable, Bolt, and v0. It runs comprehensive technical audits (using OWASP ZAP, Nuclei, and Semgrep) to identify exposed credentials, insecure endpoints, and weak session settings, delivering prioritized remediation prompts directly to founders and developers.

View sample report
Security scanner analyzing a website for vulnerabilities
scan://verified-domain
Overall risk68High
Domain ownership verified ZAP active scan completed AI Launch Score: 63/100 Safe-to-launch verdict generated
OWASP ZAP + Semgrep + Nuclei scanning pipelineAI Launch Score for launch readinessDomain ownership verification before every scanPlain-English AI report with prioritized fixes
200+checks across headers, auth, inputs, assets, and OWASP-style risks
3-8 mintypical scan window after domain ownership is verified
3 engines + customOWASP ZAP, Nuclei, Semgrep, plus AI-built website checks
Built for fast-moving teams

Security workflow, not a decorative website score.

The platform is designed around the real flow: prove the domain is yours, scan it safely, then hand the report to the person who can actually fix the issue.

Verified-domain scanning

Users prove ownership with DNS TXT or a well-known file before any scan starts.

Real scanner pipeline

ZAP, Nuclei, and Semgrep collect technical evidence instead of producing a vague score.

Founder-readable reports

Gemini turns findings into plain-English risk, priority, and remediation guidance.

AI-built website checks

Product-specific checks catch exposed source maps, public secrets, weak cookie/session settings, and risky admin routes.

Plan-aware workspace

Website limits, monthly scans, and PDF access now follow the product pricing model.

GitHub repository scans

Run secure, ephemeral SAST/DAST audits on your repository branches for keys, tokens, and package.json risks.

API & GraphQL fuzzing

Stress-test REST routes using OpenAPI/Postman collection imports, and check for exposed GraphQL schema files.

Agency white-labeling

Brand security reports with your own logo and colors, with mapping templates for SOC 2, ISO, HIPAA, and DPDP.

AI Launch Score

Before you launch your AI-built app, know if it is actually safe to ship.

Hack My Website now includes a premium scan mode for apps built with Cursor, Lovable, Bolt, Replit, Claude Code, v0, and other AI coding tools. It combines scanner evidence with app context to produce a launch-readiness score founders can understand and developers can act on. Scoring Methodology

85-100Launch Ready70-84Mostly Ready50-69Risky Launch0-49Not Production Safe
AI Launch Score63/100Risky Launch
  • Security basics
  • Auth and session safety
  • Secrets and API exposure
  • Production readiness
  • Payment and user-data risk
  • Scalability and reliability signals
STANDALONE CO-PILOT INTEGRATION

Direct copy-paste prompts for Cursor & Claude Code

Instead of just delivering a generic security PDF of errors, our scanner translates every code-level vulnerability into specific, copy-paste prompts. Feed these instructions directly back into your AI editor (Cursor, Claude Code, Lovable, or Bolt) to automatically refactor and patch the vulnerability with zero friction.

AI Remediation Prompt
// Copy and paste this into your AI editor to fix this issue automatically:
"Review my authentication middleware and wrap the /admin routing group with an explicit server-side is_admin boolean check to prevent unauthenticated access. Remove any hardcoded references."
Detection + reporting

Find the specific web risks that AI-built sites often ship with.

Hack My Website does not stop at scanner output. It names the issue class, shows affected targets, and translates the risk into a fix order a founder or agency can act on.

That includes AI-built website issues like exposed source maps, leaked public config, missing security headers, weak cookie settings, and suspicious admin surfaces that often ship with fast-built apps.

What we detect

  • SQL injection
  • Cross-site scripting (XSS)
  • Broken authentication
  • IDOR and access control gaps
  • Security misconfiguration
  • Exposed secrets and risky assets
  • Known web CVE patterns
  • OWASP Top 10 style issues

What you get in the report

  • Overall risk score and severity breakdown
  • AI Launch Score and safe-to-launch verdict
  • Founder-friendly executive summary
  • Prioritized remediation order
  • Affected URLs and scanner evidence
  • Cursor/Claude fix prompts for developers
  • Fix guidance for developers
  • PDF export on paid plans
Responsible scanning

Three steps from unknown risk to a fix-ready report.

  1. Register your HTTPS origin

    Add the exact website origin you own. Localhost, private IPs, and unsafe targets are rejected.

  2. Verify ownership & bypass firewalls

    Use DNS TXT or a well-known file. If behind a firewall, copy-paste our zero-friction Cloudflare/AWS WAF whitelist rule for scanner IP 168.144.94.35.

  3. Run the assessment

    ZAP, Nuclei, Semgrep, and Gemini produce a prioritized scan report.

FAQ

Frequently Asked Questions

Find quick answers to common questions about our security scans and remediation features.

What does Hack My Website do?

Hack My Website is an automated security scanner that audits your web application for vulnerabilities like SQL injection, XSS, exposed secrets, and misconfigured headers. It produces a plain-English PDF brief detailing prioritize fixes.


How does the scanner support AI coding tools?

Unlike traditional scanners that just report errors, Hack My Website translates technical vulnerabilities into exact copy-paste prompts. You can feed these directly back into AI editors like Cursor, Claude Code, Lovable, or Bolt to refactor and patch the code automatically.

How much does the service cost?

Starter is ₹1,999/mo (1 website, 3 scans/mo, manual AI Launch Score), Pro is ₹2,999/mo (3 websites, 30 scans/mo, weekly monitoring), and Agency is ₹4,999/mo (10 websites, 150 scans/mo, white-labeled PDFs). Custom plan rates are tailored for larger portfolios.


Is domain ownership verification required?

Yes. To guarantee safety and prevent unauthorized testing, every user must verify ownership of their target domain using a DNS TXT record or by uploading a specific validation file to their root path before a scan is permitted.

Pricing

Plans that match the way founders and agencies scan websites.

Paid-only beta pricing keeps the launch signal clean. Read about our Scoring Methodology to see how scores are calculated, and explore the output via the sample report before joining the waitlist.

Starter

₹1,999per month

For founders who want one website checked with a real PDF report.

  • 1 website
  • 3 scans/month
  • Manual AI Launch Score
  • PDF report

Agency

₹4,999per month

For agencies scanning client websites on a recurring basis.

  • 10 websites
  • 150 scans/month
  • Weekly Launch monitoring
  • White-labeled PDF reports

Custom

Contactsales

For larger portfolios, heavier scan volume, and priority support.

  • More websites
  • Higher scan volume
  • Priority support
  • Custom onboarding
Contact sales

Launching publicly soon. Join the early access list.

Share what you want to scan and which plan fits you. This helps validate demand before the full paid launch, especially for founders, startups, and agencies.

View sample report
Launch logic

We collect demand first, then open checkout.

The scanner workspace remains available for beta/internal users. Public visitors are pushed to the waitlist so the first 100 leads show real buying interest before Razorpay checkout goes live.