How to Check If Your Website Is Hackable (in 60 Seconds)

Your website is live. People are using it. You built it with Cursor or Bolt or Lovable, and it works great.

But here's the thing: an attacker can learn more about your site's security in 30 seconds than you've thought about it in months. They don't need your source code. They don't need access to your repo. Everything they need is already public, in your HTTP headers, your response bodies, and the files your server happily serves to anyone who asks.

The average security score across sites we've scanned is 3.7 out of 10. Most developers have no idea their site is exposed until something goes wrong.

Let's change that. Here's exactly how to check if your website is hackable, and what to do about it.

What attackers actually check first

Before anyone writes an exploit or launches a sophisticated attack, they do reconnaissance. And it's embarrassingly simple. Here's what they look at:

Security headers (or lack thereof)

The first thing any scanner checks is your HTTP response headers. These are instructions your server sends to the browser about how to handle your content. Most vibe coded apps ship with almost none of them.

An attacker looks for:

• No Content Security Policy: means your site is wide open to XSS (cross site scripting). They can inject scripts that steal user sessions, redirect to phishing pages, or mine crypto in your visitors' browsers.
• No X Frame Options: means your site can be embedded in an iframe on a malicious page. Hello, clickjacking.
• No Strict Transport Security: means the browser doesn't enforce HTTPS, opening the door to man in the middle attacks.
• No Permissions Policy: means the browser grants access to camera, microphone, geolocation by default.

If your site is missing all four, congratulations, you've got the same security posture as a 2008 WordPress blog.

Exposed files and paths

Attackers probe for files that shouldn't be publicly accessible:

• /.env: your environment variables, potentially containing database credentials, API keys, and secrets
• /source maps (.js.map): your entire unminified source code, making it trivial to find vulnerabilities
• /.git: your repository metadata, sometimes including the entire commit history
• /robots.txt and /sitemap.xml: not vulnerabilities themselves, but they reveal your app's structure and hidden paths
• /api/: API endpoints that might accept unauthenticated requests

A single exposed .env file is game over. It happens more often than you'd think, especially with AI generated deployment configs.

SSL/TLS configuration

A valid SSL certificate is table stakes, not security. Attackers check the details:

• Is the certificate actually valid and not expired?
• Is TLS 1.2+ enforced, or does the server accept old, broken protocols?
• Are secure cipher suites configured?
• Does the certificate chain validate properly?

Free certs from Let's Encrypt are great. But a cert doesn't mean your TLS configuration is solid.

Cookies and session handling

If your app has authentication, the cookies it sets tell an attacker a lot:

• Missing HttpOnly flag: JavaScript can read the cookie, so any XSS vulnerability instantly becomes a session hijack
• Missing Secure flag: the cookie is sent over HTTP too, making it interceptable
• Missing SameSite attribute: opens the door to cross site request forgery (CSRF)

Three flags. Three lines of config. Almost nobody sets them.

The manual way: what you can check yourself

You don't need a paid tool to start. Here's what you can check right now with a browser and a terminal.

Check your security headers with DevTools

1. Open your site in Chrome or Firefox
2. Open DevTools (F12)
3. Go to the Network tab
4. Reload the page
5. Click on the main document request (the first one)
6. Look at the Response Headers

You should see headers like content-security-policy, x-frame-options, strict-transport-security, and permissions-policy. If those are missing, your site is exposed.

Check for exposed files with curl

Open a terminal and run:

curl -s -o /dev/null -w "%{http_code}" https://yoursite.com/.env
curl -s -o /dev/null -w "%{http_code}" https://yoursite.com/.git/config
curl -s -o /dev/null -w "%{http_code}" https://yoursite.com/wp-config.php

If any of these return 200, you have a serious problem. They should return 403 (forbidden) or 404 (not found).

Check your SSL configuration

curl -vI https://yoursite.com 2>&1 | grep -i "SSL\|TLS\|subject\|expire"

This shows you the TLS version, certificate details, and expiration date. You want to see TLS 1.2 or 1.3. Anything older is a red flag.

Check your cookies

Back in DevTools:

1. Go to the Application tab (Chrome) or Storage tab (Firefox)
2. Click Cookies in the sidebar
3. Look at each cookie's flags

Every authentication cookie should have HttpOnly, Secure, and SameSite set. If they don't, your sessions are vulnerable.

The problem with manual checks

This approach works, but it's slow, incomplete, and easy to mess up. You're checking maybe 10% of what matters. You might miss CORS misconfigurations, subresource integrity issues, server information leaks, or dozens of other signals.

And you still don't have a prioritized list of what to fix first.

The fast way: a 60 second audit with AmIHackable

This is why we built AmIHackable. Instead of running manual checks one by one, you paste your URL and get a full security audit in about 60 seconds.

Here's what a scan checks:

• Security headers: all the critical ones, not just the obvious four
• SSL/TLS configuration: certificate validity, protocol versions, cipher suites
• Exposed sensitive files: .env, .git, source maps, config files
• Cookie security: flags on every cookie your app sets
• CORS configuration: whether your API accepts requests from anywhere
• Server information leakage: whether your server reveals its software and version
• Content security: mixed content, subresource integrity, referrer policy
• HTTPS enforcement: proper redirects and HSTS configuration

You get a letter grade (A through F), a numeric score, and a breakdown of every finding with severity levels.

No code access needed. No agent to install. Just a URL.

What your security score means

After scanning, you get a grade. Here's what it tells you:

• A (8 10): Your site has strong security fundamentals. You're ahead of 90% of sites we scan. Keep monitoring.
• B (6 7.9): Solid baseline, but there are gaps. Usually a few missing headers or cookie flags. Fixable in 15 minutes.
• C (4 5.9): Average. You're in the same boat as most vibe coded apps. Several issues need attention, but nothing catastrophic yet.
• D (2 3.9): Below average. Multiple real vulnerabilities. An attacker could exploit these with basic tools.
• F (0 1.9): Critical. Your site has serious exposures, possibly leaked credentials, wide open APIs, or no security headers at all. Fix this today.

The average score across our scans is 3.7/10: a D grade. If that's you, don't panic. The fixes are straightforward.

What to fix first

Not all findings are equal. Here's the priority order:

1. Exposed secrets (severity: critical), if your .env or API keys are accessible, fix this immediately. Rotate every exposed key.
2. Missing HTTPS enforcement (severity: high), if your site works over HTTP, add a redirect and enable HSTS.
3. Cookie security flags (severity: high), add HttpOnly, Secure, and SameSite=Lax to all auth cookies.
4. Content Security Policy (severity: high), even a basic CSP dramatically reduces XSS risk.
5. Other security headers (severity: medium), X Frame Options, Permissions Policy, Referrer Policy, X Content Type Options.
6. Server information leakage (severity: low), hide your server version. It's not critical, but it gives attackers free intel.

After the scan: fixing issues with AI tools

Here's the part that makes this workflow click for vibe coders. AmIHackable's full report includes fix prompts: ready made instructions you can paste directly into Cursor, Bolt, or whatever AI tool you're using.

Instead of googling "how to add Content Security Policy to Next.js" and wading through Stack Overflow threads from 2019, you get a prompt tailored to your exact finding. Paste it into your AI tool, accept the changes, and you're done.

The typical fix workflow:

1. Scan your site on AmIHackable
2. Copy the fix prompt for your highest severity finding
3. Paste it into your AI coding tool
4. Deploy the change
5. Repeat for the next finding

Most security headers can be added in a single config file. Cookie flags are usually one line in your auth setup. These aren't massive refactors, they're quick wins.

For example, adding security headers in Next.js is a next.config.js change. In Astro, it's middleware. In Express, it's a helmet() call. Your AI tool knows how to do this, it just needs to be told to do it.

Re scan and verify

After deploying your fixes, scan again. This is the step most people skip, and it's the most important one.

Why? Because:

• Your fix might not have deployed correctly
• Your hosting platform might strip certain headers
• Your CDN might cache the old response
• Your AI tool might have implemented the fix slightly wrong

A second scan takes 60 seconds and confirms your fixes actually work in production. We've seen sites go from a D to an A in a single session, sometimes in under 10 minutes.

Make it a habit. Scan before every major deploy. Your security posture isn't a one time thing, it changes every time you ship new code.

Your site is either tested or exposed

There's no middle ground. Every website is being probed by automated scanners constantly. The question isn't whether someone will check your security, it's whether you checked it first.

The good news: for most vibe coded apps, the fixes are simple. Missing headers, exposed files, cookie flags, these aren't deep architectural problems. They're configuration gaps that take minutes to close.

Start with a scan. Fix the top three findings. Re scan. That's it.

Check your site now on AmIHackable: it takes 60 seconds, and you'll know exactly where you stand.

---

Build fast. Ship secure.