# Vibe Check Scan

Vibe Check Scan is a free, passive web security scanner that analyzes HTTP headers, TLS/SSL configuration, CORS policy, and API surface exposure for any public URL, returning an A–F security scorecard with per-module breakdowns.

It performs only safe, read-only HTTP requests (GET, HEAD, OPTIONS): no fuzzing, no active probing, and no credential testing.

No authentication is required. All endpoints are public and rate-limited.

## Scanning workflow

Scanning is asynchronous. Prefer this two-step flow:

1. POST https://vibecheckscan.com/api/scan/start
   Body: { "url": "https://example.com" }
   Returns: { "scanId": "<scanId>", "queued": false }
2. GET https://vibecheckscan.com/api/scan/status?id=<scanId>&format=agent
   Poll every 2-3 seconds. Returns the top-level status plus a status object per module. Stop when the top-level status becomes completed or error. Terminal responses include result.text and result.markdown for direct chat delivery.

Optional result endpoints (available once the scan is terminal):

- GET https://vibecheckscan.com/api/scan/result?id=<scanId> for full JSON
- GET https://vibecheckscan.com/api/scan/result?id=<scanId>&format=summary for condensed JSON
- GET https://vibecheckscan.com/api/scan/result?id=<scanId>&format=agent for JSON with text + markdown
- GET https://vibecheckscan.com/api/scan/result?id=<scanId>&format=text for plain text
- GET https://vibecheckscan.com/api/scan/result?id=<scanId>&format=markdown for Markdown

## Rate limits

- 5 scans per IP per minute (POST /api/scan/start and POST /api/cve-2025-55182/check)
- 100 requests per IP per minute (all other routes)
- 429 responses include a Retry-After header (seconds to wait) and code: "rate_limit_exceeded"

## Error responses

All error responses include:

- error: string (human-readable message)
- code: string (machine-readable error code)
- request_id: string (16-char hex, for support/debugging)

Common error codes:

- missing_url - no URL provided
- invalid_url - URL failed validation (format, TLD, SSRF check, or unreachable)
- rate_limit_exceeded - too many requests from this IP
- scan_not_found - scanId not found (expired after 24h, invalid, or the poll reached a different stateless instance)
- invalid_scan_id - scanId format is invalid

Because a poll can reach a different stateless instance, a single scan_not_found during polling is not proof that the scan is gone; retry a few times before treating it as fatal.

## Result shape

Completed scans return an overall A–F grade and a score for each of four modules:

- headers (35% of grade) - security header presence
- tls (30%) - protocol version, certificate validity, cipher strength
- cors (20%) - origin policy, credentials handling
- apiSurface (15%) - sensitive file exposure, unprotected API endpoints, source maps

The apiSurface module produces structured APISurfaceFinding objects (not plain strings). Each finding has a category:

- confirmedExposure: path returned readable content that should be restricted - costs points
- protectedSurface: path exists but access is correctly blocked (401/403) - no penalty, informational
- expectedPublicEndpoint: health/discovery/metadata path, intentionally public - no penalty
- hardeningOpportunity: not exposed but could be hardened - informational only

Only confirmedExposure findings reduce the apiSurface score; the other three categories are reported for context.

For full finding interpretation and remediation guidance: GET https://vibecheckscan.com/api/agent/interpret

## Machine-readable contracts

- GET https://vibecheckscan.com/api/agent/capabilities - capability registry with JSON schemas
- GET https://vibecheckscan.com/api/openapi.json - full OpenAPI 3.1 specification
- GET https://vibecheckscan.com/api/agent/card - agent card with workflow and rate limit details
- GET https://vibecheckscan.com/api/agent/skill - optional skill file for agent runtimes

## Additional scanner

POST https://vibecheckscan.com/api/cve-2025-55182/check
Body: { "url": "https://example.com" }

Checks for React Server Component vulnerabilities:

- CVE-2025-55182 (RCE via malformed RSC payloads)
- CVE-2025-55183 (source code exposure)
- CVE-2025-55184 (DoS via resource exhaustion)

This endpoint shares the 5-per-minute scan limit with /api/scan/start.

## Manual use

Users who prefer not to use an agent can scan directly at https://vibecheckscan.com
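## Worked example: start/poll client

The following client ties together the scanning workflow, the rate-limit contract and the error contract described above. It is an added example, not the project's own client or SDK, and it assumes only the shapes this page lists: POST /api/scan/start returning scanId and queued, GET /api/scan/status?id=...&format=agent returning a top-level status that ends in completed or error, a 429 carrying a Retry-After header with code rate_limit_exceeded, and error bodies carrying error/code/request_id. The FakeTransport class is a constructed offline stand-in for the live API (its scan id, timings and result text are made up) so the script runs without network access; swap in http_transport to talk to the real service.

```python
"""Start/poll client for Vibe Check Scan (added example, not the project's own code).

Assumes only the request/response shapes documented on this page. FakeTransport is a
constructed stand-in for the live API; nothing it returns is real scanner output.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

BASE = "https://vibecheckscan.com"
TERMINAL_STATES = {"completed", "error"}  # top-level status values that end polling


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


class ScanError(Exception):
    """API error: carries the machine-readable code and request_id for support."""
    def __init__(self, code, message, request_id=None):
        super().__init__(f"{code}: {message} (request_id={request_id})")
        self.code, self.request_id = code, request_id


def http_transport(method, url, body=None):
    """Live transport: JSON over urllib. Returns a Response even on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return Response(resp.status, dict(resp.headers), json.loads(resp.read() or b"{}"))
    except urllib.error.HTTPError as e:
        raw = e.read()
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = {"error": raw.decode(errors="replace"), "code": "http_error"}
        return Response(e.code, dict(e.headers), parsed)


def call_api(transport, method, url, body=None, sleep=time.sleep, max_429_retries=3):
    """One API call. Honours Retry-After on 429 (bounded); raises ScanError on other errors."""
    for attempt in range(max_429_retries + 1):
        resp = transport(method, url, body)
        if resp.status == 429 and attempt < max_429_retries:
            sleep(int(resp.headers.get("Retry-After", "1")))  # header value is seconds to wait
            continue
        if resp.status >= 400:
            raise ScanError(resp.body.get("code", "http_error"), resp.body.get("error", ""),
                            resp.body.get("request_id"))
        return resp.body
    raise AssertionError("unreachable")


def run_scan(url, transport=http_transport, sleep=time.sleep, poll_interval=2.5,
             max_polls=120, not_found_tolerance=3):
    """Start a scan and poll until a terminal status. Returns (scanId, final status body)."""
    start = call_api(transport, "POST", f"{BASE}/api/scan/start", {"url": url}, sleep)
    scan_id = start["scanId"]
    status_url = f"{BASE}/api/scan/status?" + urllib.parse.urlencode(
        {"id": scan_id, "format": "agent"})
    stray_not_found = 0
    for _ in range(max_polls):
        try:
            status = call_api(transport, "GET", status_url, sleep=sleep)
        except ScanError as e:
            # A poll may land on a different stateless instance and answer scan_not_found
            # for a scan that exists; tolerate a few in a row before giving up.
            if e.code == "scan_not_found" and stray_not_found < not_found_tolerance:
                stray_not_found += 1
                sleep(poll_interval)
                continue
            raise
        stray_not_found = 0
        if status.get("status") in TERMINAL_STATES:
            return scan_id, status
        sleep(poll_interval)
    raise TimeoutError(f"scan {scan_id} not terminal after {max_polls} polls")


class FakeTransport:
    """Constructed offline API stand-in: 429, start, stray scan_not_found, running, completed."""
    SCAN_ID = "0123456789abcdef"  # made-up placeholder id, not a real scan

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        n = len(self.calls)
        if n == 1:
            return Response(429, {"Retry-After": "2"},
                            {"error": "slow down", "code": "rate_limit_exceeded", "request_id": "a" * 16})
        if n == 2:
            return Response(200, {}, {"scanId": self.SCAN_ID, "queued": False})
        if n == 3:
            return Response(404, {}, {"error": "unknown scan", "code": "scan_not_found", "request_id": "b" * 16})
        if n == 4:
            return Response(200, {}, {"status": "running", "headers": {"status": "completed"}})
        return Response(200, {}, {"status": "completed",
                                  "result": {"text": "Grade B (constructed)", "markdown": "**Grade B**"}})


if __name__ == "__main__":
    waits = []
    sid, final = run_scan("https://example.com", transport=FakeTransport(), sleep=waits.append)
    print(sid, final["status"], waits, final["result"]["text"])
```

The sleep function is injected so the retry and polling behaviour can be checked without waiting; with the fake transport the client sleeps once for the Retry-After value and twice for the poll interval before the completed status arrives. Against the live service, keep the 2-3 second poll interval so that status polling stays well inside the 100-requests-per-minute limit.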