HackNope is a security scanning service designed for non-technical founders who build apps with AI coding tools like Cursor, Claude Code, Lovable, and Bolt. We scan your app for vulnerabilities and explain issues in plain English with ready-to-use AI fix prompts.

HackNope is built for indie hackers, solo founders, and non-technical creators who use vibe-coding tools to build production apps. If you've built an app with Lovable, Bolt, Base44, Cursor, or Claude Code and want to make sure it's secure, HackNope is for you.

What does HackNope scan for?

HackNope performs external scans checking security headers, TLS configuration, exposed endpoints, common misconfigurations, and known vulnerabilities. Internal scans (available on Fortress tier) also check authenticated endpoints, GitHub repos, and database configurations.

How much does HackNope cost?

HackNope offers three tiers: Scout (free, 3 scans/month), Guardian ($19/month, 100 scans with weekly monitoring), and Fortress ($49/month + usage, 300 scans with daily monitoring and internal scans).

What are AI fix prompts?

AI fix prompts are ready-to-use instructions that you can copy and paste into your AI coding assistant (like Cursor or Claude Code) to automatically fix security vulnerabilities. No security expertise required.

Is my app data safe with HackNope?

Yes. HackNope only performs external scans on publicly accessible endpoints by default. We never store your source code, and all scan data is encrypted. Internal scans require explicit authorization and are performed in isolated environments.

Security Headers Explained: A Non-Technical Guide

What Are Security Headers?

Think of security headers like the locks and alarms on your house. Your app sends these headers with every page load, telling browsers how to behave securely.

Without them, you're leaving doors unlocked.

The Essential Security Headers

1. Content-Security-Policy (CSP)

**What it does:** Prevents attackers from injecting malicious scripts into your page.

**Without it:** Hackers can run JavaScript on your site, steal user data, or redirect users to phishing pages.

**In plain English:** "Only trust scripts from these specific sources."

2. Strict-Transport-Security (HSTS)

**What it does:** Forces browsers to always use HTTPS, never HTTP.

**Without it:** Attackers on public WiFi can intercept unencrypted traffic and steal data.

**In plain English:** "Always use the secure connection, no exceptions."

3. X-Frame-Options

**What it does:** Prevents your site from being embedded in malicious iframes.

**Without it:** Attackers can overlay invisible buttons over your site to trick users into clicking things.

**In plain English:** "Don't let other sites put my page inside theirs."

4. X-Content-Type-Options

**What it does:** Prevents browsers from guessing file types incorrectly.

**Without it:** A file that looks like an image could be executed as code.

**In plain English:** "Trust the file type I tell you, don't guess."

5. Referrer-Policy

**What it does:** Controls how much information is shared when users click links.

**Without it:** Sensitive URLs (like password reset tokens) might leak to other sites.

**In plain English:** "Be careful what you tell other sites about where users came from."

How to Check Your Headers

The easiest way is to use a security scanner like HackNope. We check all these headers and explain exactly what's missing in plain English.

You can also use browser developer tools:

1. Open your site

2. Press F12 to open DevTools

3. Go to the Network tab

4. Refresh the page

5. Click on the main document

6. Look at the Response Headers section

How to Fix Missing Headers

If you're using a vibe-coding tool, you'll need to configure headers at the hosting level. Here's where to look:

**Vercel:** vercel.json or next.config.js

**Netlify:** netlify.toml or _headers file

**Cloudflare Pages:** _headers file

**Need help fixing yours?** HackNope provides copy-paste AI prompts that tell your coding assistant exactly how to add the missing headers.

[Check your security headers now →](/)