Paste a serverless handler or enter a live function URL. Scores origin allowlist, rate limit, CORS, secret hygiene, SSRF, timeout, stack-trace leak, error shape, bot-protection presence, and double-CDN. Detects Netlify Functions + Edge Functions, Cloudflare Workers, Vercel Edge + Serverless, Next.js Middleware / Route Handlers / RSC, Nuxt 3, Remix, SvelteKit, Astro, Eleventy serverless, Shopify Hydrogen, Qwik City, DigitalOcean Functions, Fly.io, Deno Deploy, AWS Lambda, Render, Railway. Each finding carries an inline severity pill + copy-to-AI fix prompt.
Runs 100% in your browser. Nothing is uploaded. Lints ~25 posture rules across platform-agnostic and platform-specific patterns.
Passively reads response headers: platform fingerprint, CORS config, cache-control, bot-protection presence, double-CDN, retry-after handling.
- * + Allow-Credentials:true is a critical misconfiguration
- console.log(process.env.*) leaks
- fetch() with no scheme / host allowlist
- AbortSignal.timeout() = hung container $$$
- err.stack / e.message in the response body
- readFile / fs.*
- while(true) without break / budget
- /admin, /debug, /internal without auth check
- Math.random() for tokens / IDs
- cf-ray AND x-nf-request-id / x-vercel-id = cache coherence + IP-trust risk
- public on user-scoped = cross-user cache bleed

Not in scope: burst / crafted-Origin / malformed-body probing. Run those from your own test rig against your own endpoint.
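
The header-side rules named above (wildcard origin with credentials, cf-ray alongside x-nf-request-id / x-vercel-id, public caching on a user-scoped response) can be written as a small passive check over a response's headers. This is an added example, not the tool's own code; the function names, finding ids, the `userScoped` flag and the sample headers are assumptions made for illustration.

```javascript
// Added example: passive header posture check (not the tool's implementation).
// Finding ids and the userScoped option are hypothetical names.

// Header names are case-insensitive, so compare on lowercased keys.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function checkHeaders(rawHeaders, { userScoped = false } = {}) {
  const h = normalize(rawHeaders);
  const findings = [];

  // Rule: wildcard origin together with Allow-Credentials:true.
  const origin = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase();
  if (origin === '*' && creds === 'true') {
    findings.push({ id: 'cors-wildcard-credentials', severity: 'critical' });
  }

  // Rule: Cloudflare marker plus a Netlify or Vercel marker means two CDN layers.
  const second = ['x-nf-request-id', 'x-vercel-id'].filter((name) => name in h);
  if ('cf-ray' in h && second.length > 0) {
    findings.push({ id: 'double-cdn', detail: `cf-ray + ${second.join(', ')}` });
  }

  // Rule: "public" on a response the caller knows is user-scoped.
  // Headers alone cannot tell whether a route is per-user, so the caller says so.
  const directives = (h['cache-control'] || '').toLowerCase().split(',').map((d) => d.trim());
  if (userScoped && directives.includes('public')) {
    findings.push({ id: 'public-cache-user-scoped' });
  }

  return findings;
}

// Constructed sample headers (not captured from a real endpoint).
const sampleHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'CF-Ray': 'constructed-ray-id',
  'X-NF-Request-ID': 'constructed-request-id',
  'Cache-Control': 'public, max-age=300',
};

console.log(checkHeaders(sampleHeaders, { userScoped: true }));
```
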