Verified-domain scanning
Users prove ownership with DNS TXT or a well-known file before any scan starts.
Hack My Website is an automated security scanner designed specifically for websites built with AI coding tools like Cursor, Lovable, Bolt, and v0. It runs comprehensive technical audits (using OWASP ZAP, Nuclei, and Semgrep) to identify exposed credentials, insecure endpoints, and weak session settings, delivering prioritized remediation prompts directly to founders and developers.
The platform is designed around the real flow: prove the domain is yours, scan it safely, then hand the report to the person who can actually fix the issue.
Users prove ownership with DNS TXT or a well-known file before any scan starts.
ZAP, Nuclei, and Semgrep collect technical evidence instead of producing a vague score.
Gemini turns findings into plain-English risk, priority, and remediation guidance.
Product-specific checks catch exposed source maps, public secrets, weak cookie/session settings, and risky admin routes.
Website limits, monthly scans, and PDF access now follow the product pricing model.
Run secure, ephemeral SAST/DAST audits on your repository branches for keys, tokens, and package.json risks.
Stress-test REST routes using OpenAPI/Postman collection imports, and check for exposed GraphQL schema files.
Brand security reports with your own logo and colors, with mapping templates for SOC 2, ISO, HIPAA, and DPDP.
Hack My Website now includes a premium scan mode for apps built with Cursor, Lovable, Bolt, Replit, Claude Code, v0, and other AI coding tools. It combines scanner evidence with app context to produce a launch-readiness score founders can understand and developers can act on. Scoring Methodology
Hack My Website does not stop at scanner output. It names the issue class, shows affected targets, and translates the risk into a fix order a founder or agency can act on.
That includes AI-built website issues like exposed source maps, leaked public config, missing security headers, weak cookie settings, and suspicious admin surfaces that often ship with fast-built apps.
Add the exact website origin you own. Localhost, private IPs, and unsafe targets are rejected.
Use DNS TXT or a well-known file. If behind a firewall, copy-paste our zero-friction Cloudflare/AWS WAF whitelist rule for scanner IP 168.144.94.35.
ZAP, Nuclei, Semgrep, and Gemini produce a prioritized scan report.
Find quick answers to common questions about our security scans and remediation features.
Hack My Website is an automated security scanner that audits your web application for vulnerabilities like SQL injection, XSS, exposed secrets, and misconfigured headers. It produces a plain-English PDF brief detailing prioritize fixes.
Unlike traditional scanners that just report errors, Hack My Website translates technical vulnerabilities into exact copy-paste prompts. You can feed these directly back into AI editors like Cursor, Claude Code, Lovable, or Bolt to refactor and patch the code automatically.
Starter is ₹1,999/mo (1 website, 3 scans/mo, manual AI Launch Score), Pro is ₹2,999/mo (3 websites, 30 scans/mo, weekly monitoring), and Agency is ₹4,999/mo (10 websites, 150 scans/mo, white-labeled PDFs). Custom plan rates are tailored for larger portfolios.
Yes. To guarantee safety and prevent unauthorized testing, every user must verify ownership of their target domain using a DNS TXT record or by uploading a specific validation file to their root path before a scan is permitted.
Paid-only beta pricing keeps the launch signal clean. Read about our Scoring Methodology to see how scores are calculated, and explore the output via the sample report before joining the waitlist.
For founders who want one website checked with a real PDF report.
For builders and small teams shipping multiple surfaces.
For agencies scanning client websites on a recurring basis.
For larger portfolios, heavier scan volume, and priority support.
Share what you want to scan and which plan fits you. This helps validate demand before the full paid launch, especially for founders, startups, and agencies.
The scanner workspace remains available for beta/internal users. Public visitors are pushed to the waitlist so the first 100 leads show real buying interest before Razorpay checkout goes live.