Am I Hackable?

AmIHackable vs Claude Code + Playwright: Do You Need Both?

Benji · 4 min read


This comparison is a bit different. Claude Code isn't a product you sign up for. It's a workflow: you point Claude at your codebase, connect Playwright via MCP, and let it crawl and audit your app.

I actually use this setup myself. It's powerful. And it catches things AmIHackable never could. But the reverse is also true.

White-box vs black-box, simply explained

Claude Code + Playwright = white-box audit. It reads your source code. It understands your auth logic, your database queries, your API routes. It can spot a SQL injection in your code before it ever reaches production.

AmIHackable = black-box audit. It only knows your URL. It tests what the world can see: your response headers, your exposed files, your DNS config, your TLS setup. It thinks like an attacker who just found your site and has no source code.

These are fundamentally different perspectives on the same question: "Is my app secure?"
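As an added illustration of the white-box side (example code written for this comparison, not from the original post or from either product): the kind of flaw a source-code review catches and a URL-only scan structurally cannot. The in-memory SQLite table and the `users` rows are constructed here for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an app's users table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    # The pattern a code reviewer flags: untrusted input spliced into the SQL text.
    # Nothing about the deployed site's headers or DNS reveals this.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, email: str) -> List[Tuple[int, str]]:
    # Parameterised query: the driver passes the value separately from the SQL text,
    # so quotes in the input can never change the statement's structure.
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the same data with the same inputs."""
    conn = make_db()
    return {
        # Vulnerable version: the payload turns a single-row lookup into a full dump.
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),
        # Fixed version: the payload is just an e-mail address nobody has.
        "fixed": find_user_fixed(conn, PAYLOAD),
        # The fixed version still works for a legitimate lookup.
        "legit": find_user_fixed(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable query executes as `... WHERE email = '' OR '1'='1'` and returns every user; the parameterised query returns nothing for the same payload. This is exactly the class of bug that needs the source in front of the reviewer.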

What each approach catches

| What's tested | Claude Code + Playwright | AmIHackable |
|---|---|---|
| Source code logic flaws | Yes | No |
| SQL injection in code | Yes | No |
| Auth implementation bugs | Yes | No |
| Dependency vulnerabilities | Yes | No |
| Exposed files (.env, .git) | No | Yes |
| SSL/TLS configuration | No | Yes |
| DNS and email auth (SPF/DMARC) | No | Yes |
| Server header security | No | Yes |
| Cookie security flags | No | Yes |
| CORS misconfiguration | Partial | Yes |
| Supabase/Firebase permissions | Partial (needs creds) | Yes |
| Open ports and services | No | Yes |
| Needs source code access | Yes | No |
| Needs deployment | No | Yes (tests live site) |
| AI fix prompts | Built-in (it's Claude) | Yes |

The gap that matters

Here's the thing most developers miss: your code can be perfect, but your config can still expose your .env.

You could write flawless auth logic, validate every input, parameterize every query. Claude reviews it and gives you a thumbs up. Then you deploy, and your .env file is publicly readable because a missing .dockerignore entry copied it into the image under the web root, or because the hosting platform serves dotfiles by default. Or your TLS configuration still accepts weak protocol versions. Or your CORS policy reflects any origin that asks.

Claude can't see that from the code. A code review has no view of your live infrastructure: it reads what you wrote, not what the deployed server actually returns. Unless you explicitly point Playwright at the live URL and ask for exactly those checks, the deployment layer goes unexamined.

The reverse is also true. AmIHackable can tell you your headers are perfect and no secrets are exposed. But it can't read your source code. If there's a logic flaw in your auth that requires specific input sequences to trigger, AmIHackable won't find it.
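To make the black-box side concrete, here is an added example (written for this comparison, not AmIHackable's own scanner or any code from the original post) of the deployment-layer checks described above: security headers, cookie flags, CORS reflection, and publicly readable `.env` and `.git/HEAD`. The HTTP layer is injected as a `fetch` callable so the checks can run offline; `misconfigured_site` and `hardened_site` are constructed fakes standing in for a real deployment, and the header list, paths and messages are this example's own choices.

```python
import re
from typing import Callable, List, Tuple

# A response as a black-box scanner sees it: status, (header, value) pairs, body.
# Header pairs rather than a dict so repeated Set-Cookie headers survive.
Response = Tuple[int, List[Tuple[str, str]], str]
# fetch(path, request_headers) -> Response. Real code would wrap an HTTP client;
# injecting it lets the same checks run against the fake sites below.
Fetch = Callable[[str, dict], Response]

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-content-type-options": "X-Content-Type-Options missing",
    "x-frame-options": "X-Frame-Options missing",
}

# Paths that must never serve real content, with a fingerprint of the real thing.
# Matching on body content matters: many hosts answer 200 with the SPA shell
# for every unknown path, so a status code alone gives false positives.
SENSITIVE_PATHS = {
    "/.env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),   # dotenv: KEY=value lines
    "/.git/HEAD": re.compile(r"^ref: refs/"),          # a live git HEAD names a branch
}

COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name]


def audit(fetch: Fetch) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    _, headers, _ = fetch("/", {})

    for name, msg in REQUIRED_HEADERS.items():
        if not header_values(headers, name):
            findings.append(msg)

    for cookie in header_values(headers, "set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {label}")

    # CORS probe: send an origin we control and see whether the server trusts it.
    evil = "https://attacker.example"
    _, headers, _ = fetch("/", {"Origin": evil})
    acao = header_values(headers, "access-control-allow-origin")
    acac = header_values(headers, "access-control-allow-credentials")
    if acao and acao[0] in ("*", evil):
        detail = "reflects arbitrary Origin" if acao[0] == evil else "wildcard"
        if acac and acac[0].lower() == "true":
            detail += " with credentials"
        findings.append(f"CORS {detail}")

    for path, fingerprint in SENSITIVE_PATHS.items():
        status, _, body = fetch(path, {})
        if status == 200 and fingerprint.search(body):
            findings.append(f"{path} is publicly readable")

    return findings


def misconfigured_site(path: str, req_headers: dict) -> Response:
    """Constructed fake: clean code, careless deployment."""
    if path == "/.env":
        return 200, [("content-type", "text/plain")], "DATABASE_URL=postgres://app:hunter2@db/app\n"
    if path == "/.git/HEAD":
        return 200, [("content-type", "text/plain")], "ref: refs/heads/main\n"
    headers = [("content-type", "text/html"), ("set-cookie", "session=abc123; Path=/")]
    origin = req_headers.get("Origin")
    if origin:  # reflects whatever Origin it is given, and allows credentials
        headers += [("access-control-allow-origin", origin),
                    ("access-control-allow-credentials", "true")]
    return 200, headers, "<html>ok</html>"


def hardened_site(path: str, req_headers: dict) -> Response:
    """Constructed fake: same app with the config fixed. Note it still returns 200
    with the SPA shell for /.env, which the body fingerprint correctly ignores."""
    headers = [
        ("content-type", "text/html"),
        ("strict-transport-security", "max-age=63072000; includeSubDomains"),
        ("content-security-policy", "default-src 'self'"),
        ("x-content-type-options", "nosniff"),
        ("x-frame-options", "DENY"),
        ("set-cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ]
    return 200, headers, "<html>ok</html>"


if __name__ == "__main__":
    print("misconfigured:", audit(misconfigured_site))
    print("hardened:", audit(hardened_site))
```

Nothing in `audit` needs the source code, and nothing in it would notice the SQL injection from the earlier section; that is the split the table above describes.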

When to use Claude Code + Playwright

Use this approach during development, before you deploy.

This is especially valuable if you're using vibe coding tools. Claude can audit the code that Bolt, Cursor, or Lovable generated for you.

When to use AmIHackable

Use AmIHackable after you deploy, to verify what's actually exposed.

If your site is live and people are using it, this is the check that tells you whether an attacker would find anything interesting.

The honest recommendation

Use both.

Claude Code + Playwright before you ship. AmIHackable after you ship. They cover completely different angles, and together they give you something close to a real security review.

Already deployed? Scan your live site now and see what's exposed.

Frequently Asked Questions

Can Claude Code do a security audit?
Yes. Claude Code with the Playwright MCP server can perform a white-box security audit by reading your source code, crawling the running app, and flagging vulnerabilities in your logic, auth flows, and dependencies.
What's the difference between a white-box and black-box audit?
A white-box audit has access to your source code and can analyze your logic from the inside. A black-box audit only sees what's publicly exposed, testing your site the way an attacker would.
Do I need both?
Ideally, yes. Your code might be solid but your server config could still expose secrets. And your config might be tight while your code has logic flaws. Each approach catches what the other misses.
