Free vs Pro Scan: What's the Difference?
SimplyScan offers a free 3-category scan and a Pro 14-category scan. Here's exactly what each one checks and which one you need.
By Daniel A · Kraftwire Software · 8 min read
What SimplyScan Checks For Free
SimplyScan offers two scan tiers: a free scan and a Pro scan. This guide explains exactly what each tier covers, what you get in the results, and when upgrading to Pro makes sense for your project.
Free Scan: 3 Core Categories
The free scan runs automatically when you enter your URL. It checks three categories that cover the most common and most dangerous vulnerabilities in AI-built applications.
**1. Secrets Detection**
The free scan looks for API keys, tokens, and credentials exposed in your frontend code. This includes:
- AI service keys (OpenAI, Anthropic, Google AI) embedded in JavaScript bundles
- Payment processing keys (Stripe secret key, PayPal credentials)
- Database connection strings (Supabase service role key, MongoDB URIs, PostgreSQL connection strings)
- Email service keys (SendGrid, Mailgun, Postmark)
- Cloud provider keys (AWS access keys, Google Cloud service accounts)
This is the highest-impact check because a single exposed secret can result in immediate financial loss or complete data compromise. The free scan catches the most common exposure patterns.
**2. Frontend Security**
The free scan checks your frontend for client-side security issues:
- Missing or weak Content-Security-Policy headers
- Missing Strict-Transport-Security (HSTS) headers
- Missing X-Frame-Options headers (clickjacking protection)
- Missing X-Content-Type-Options headers
- Missing Referrer-Policy headers
- Insecure cookie configurations (missing HttpOnly, Secure, or SameSite attributes)
- Mixed content warnings (HTTP resources loaded on HTTPS pages)
These checks verify that your deployed application has the basic security headers that prevent common browser-based attacks.
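To make the header and cookie checks above concrete, here is an added example (not SimplyScan's code) that audits a captured HTTP response the way an external scanner would: it reports each missing security header, flags a Content-Security-Policy that undoes itself with `'unsafe-inline'`, `'unsafe-eval'` or a wildcard `default-src`, checks every `Set-Cookie` for `HttpOnly`, `Secure` and `SameSite`, and looks for `http://` resources in the HTML. The `SAMPLE` response, its cookie names and the `cdn.example.test` host are constructed for the example.

```javascript
// Added example (not SimplyScan's code): audit a captured HTTP response for the
// header, cookie and mixed-content issues in the frontend checks. Input is a
// plain object of response headers plus the page HTML; the sample is constructed.

const REQUIRED_HEADERS = {
  'content-security-policy': 'Missing Content-Security-Policy header',
  'strict-transport-security': 'Missing Strict-Transport-Security (HSTS) header',
  'x-frame-options': 'Missing X-Frame-Options header (clickjacking protection)',
  'x-content-type-options': 'Missing X-Content-Type-Options header',
  'referrer-policy': 'Missing Referrer-Policy header',
};

// Header names are case-insensitive; Set-Cookie may repeat, so keep it as an array.
function normalizeHeaders(raw) {
  const out = {};
  for (const [name, value] of Object.entries(raw)) {
    const key = name.toLowerCase();
    out[key] = key === 'set-cookie' ? [].concat(value) : String(value);
  }
  return out;
}

// A CSP that allows inline script, eval, or any source is not doing its job.
function weakCsp(value) {
  const v = value.toLowerCase();
  return v.includes("'unsafe-inline'") || v.includes("'unsafe-eval'") || /default-src[^;]*\*/.test(v);
}

// Returns a finding string for one Set-Cookie value, or null if it is fine.
function auditCookie(cookie) {
  const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const lower = attrs.map((a) => a.toLowerCase());
  const missing = [];
  if (!lower.includes('httponly')) missing.push('HttpOnly');
  if (!lower.includes('secure')) missing.push('Secure');
  if (!lower.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing.length ? `Cookie "${name}" is missing ${missing.join(', ')}` : null;
}

// Mixed content: plain-http resources referenced from a page served over https.
function findMixedContent(html) {
  const re = /\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) hits.push(m[1]);
  return hits;
}

function auditResponse({ headers, html = '' }) {
  const h = normalizeHeaders(headers);
  const findings = [];
  for (const [key, message] of Object.entries(REQUIRED_HEADERS)) {
    if (!(key in h)) findings.push(message);
  }
  if (h['content-security-policy'] && weakCsp(h['content-security-policy'])) {
    findings.push('Weak Content-Security-Policy (unsafe-inline, unsafe-eval or wildcard default-src)');
  }
  for (const cookie of h['set-cookie'] || []) {
    const finding = auditCookie(cookie);
    if (finding) findings.push(finding);
  }
  for (const url of findMixedContent(html)) findings.push(`Mixed content: ${url}`);
  return findings;
}

// Constructed sample: a response that is missing most of the protections.
const SAMPLE = {
  headers: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
    'Set-Cookie': ['session=abc123; Path=/; HttpOnly', 'theme=dark; Path=/; Secure; SameSite=Lax'],
  },
  html: '<script src="http://cdn.example.test/app.js"></script>',
};

console.log(auditResponse(SAMPLE));
```

Run against the constructed sample it reports eight findings: four missing headers, the weak CSP, two cookie problems and one mixed-content script. Header presence alone is a coarse signal; the CSP and cookie checks show why a scanner also needs to look at the values.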
**3. Supabase Security**
If your application uses Supabase, the free scan checks for common Supabase misconfigurations:
- Exposed service role key in client-side code
- Missing Row-Level Security (RLS) on tables accessible from the frontend
- Insecure Supabase auth configuration
- Public access to tables that should be private
Supabase is the most popular backend for AI-built applications, so these checks catch a large percentage of backend security issues.
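The secrets-detection and Supabase checks above both come down to scanning shipped JavaScript for known key formats. The following added example (not SimplyScan's code) does that over bundle text: it matches documented key prefixes (OpenAI, Anthropic, Stripe, AWS, SendGrid, MongoDB and PostgreSQL connection strings) and, for Supabase, decodes the JWT payload to read its `role` claim, which is what separates a service role key (never safe in a client) from an anon key (intended for clients, and only safe if RLS is on). That anon-versus-service-role distinction is my addition, not something the page states. All keys, the `SAMPLE_BUNDLE`, and the `constructedsignature` JWT signature are constructed.

```javascript
// Added example (not SimplyScan's code): scan bundle text for exposed secrets and
// classify Supabase JWTs by their role claim. Every key and token is constructed.

// Public, documented key formats; the prefixes themselves are not secrets.
// Order matters: an earlier pattern claims its span first, so a JWT is not also
// reported as an OpenAI key and an Anthropic "sk-ant-" key is not double-counted
// by the broader OpenAI "sk-" pattern.
const PATTERNS = [
  { name: 'JWT', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g },
  { name: 'Anthropic API key', re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
  { name: 'OpenAI API key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'SendGrid API key', re: /\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b/g },
  { name: 'MongoDB connection string', re: /\bmongodb(?:\+srv)?:\/\/[^\s"'`]+/g },
  { name: 'PostgreSQL connection string', re: /\bpostgres(?:ql)?:\/\/[^\s"'`]+/g },
];

// Decode the (unsigned, untrusted) JWT payload just to read the role claim.
function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(payload).role || null;
  } catch {
    return null;
  }
}

const lineOf = (text, index) => text.slice(0, index).split('\n').length;
const redact = (value) => value.slice(0, 8) + '...';
const overlaps = (spans, start, end) => spans.some(([s, e]) => start < e && end > s);

function scanBundle(source) {
  const findings = [];
  const claimed = [];
  for (const { name, re } of PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      const start = m.index;
      const end = start + m[0].length;
      if (overlaps(claimed, start, end)) continue;
      claimed.push([start, end]);
      let type = name;
      let severity = 'high';
      if (name === 'JWT') {
        const role = jwtRole(m[0]);
        if (role === 'service_role') {
          type = 'Supabase service role key';
          severity = 'critical';
        } else if (role === 'anon') {
          type = 'Supabase anon key (client-safe only with RLS enabled)';
          severity = 'info';
        } else {
          continue; // some other JWT; not classified by this example
        }
      }
      findings.push({ type, severity, value: redact(m[0]), line: lineOf(source, start) });
    }
  }
  return findings;
}

// Constructed, unsigned JWTs shaped like Supabase keys (signature is a placeholder).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fakeJwt = (payload) => `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}.constructedsignature`;
const SERVICE_ROLE_JWT = fakeJwt({ iss: 'supabase', ref: 'constructedref', role: 'service_role' });
const ANON_JWT = fakeJwt({ iss: 'supabase', ref: 'constructedref', role: 'anon' });

// Constructed bundle excerpt with the kinds of leaks the free scan looks for.
const SAMPLE_BUNDLE = [
  'const openai = new OpenAI({ apiKey: "sk-CONSTRUCTED0000000000000000abc" });',
  'const claude = new Anthropic({ apiKey: "sk-ant-CONSTRUCTED00000000000000000" });',
  'const stripe = Stripe("sk_live_CONSTRUCTED0000000000");',
  `const supabase = createClient(url, "${SERVICE_ROLE_JWT}");`,
  `const publicClient = createClient(url, "${ANON_JWT}");`,
  'const pg = "postgresql://app:CONSTRUCTEDPASS@db.example.test:5432/app";',
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE));
```

Pattern order and span claiming are the two details that keep a scanner like this from reporting the same token three times. Findings are redacted before they are logged, since a scan report is itself a place secrets can leak.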
What the Free Scan Report Includes
- A security score from 0 to 100
- Full details on every finding, including severity, description, and location
- Specific, actionable recommendations for fixing each issue
- Category breakdown showing which areas passed and which need attention
The free scan does not hide findings behind a paywall. If it detects a critical vulnerability, you see the complete details and remediation steps.
Pro Scan: Full Coverage
The Pro scan expands from 3 categories to 14, with 51+ individual security checks. It provides comprehensive coverage of your application's attack surface.
What Pro Adds
**4. Authentication Analysis**
Checks your login and signup flows for:
- Brute force protection (rate limiting on login attempts)
- Password policy enforcement
- Session management security (token expiry, refresh logic)
- Account enumeration vulnerabilities (different error messages for valid vs invalid emails)
- Multi-factor authentication availability for sensitive applications
**5. Authorization Checks**
Verifies that your application enforces proper access control:
- Users cannot access other users' data by modifying request parameters
- Admin endpoints require proper role verification
- API endpoints validate resource ownership on every request
- Data queries are scoped to the authenticated user
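The authorization checks above all reduce to one question per request: does the authenticated user own, or have the role for, the resource named in the request? This added example (not SimplyScan's code) shows a handler that trusts the id in the URL next to one that scopes the lookup to the session user, plus an admin endpoint that reads the role from the server-side session rather than from the request. The `INVOICES` table, users `u1`/`u2` and the request objects are constructed stand-ins for a database and web framework.

```javascript
// Added example (not SimplyScan's code): resource-ownership and role checks.
// The invoice table, users and request objects are constructed in-memory stand-ins.

const INVOICES = new Map([
  [1, { id: 1, ownerId: 'u1', total: 120 }],
  [2, { id: 2, ownerId: 'u2', total: 80 }],
]);

// Pattern the scanner flags: the handler trusts the id in the URL and never
// considers who is asking, so changing the id reads another user's row.
function getInvoiceUnscoped(req) {
  const invoice = INVOICES.get(Number(req.params.id));
  return invoice ? { status: 200, body: invoice } : { status: 404 };
}

// Fixed: the lookup is scoped to the authenticated user on every request.
// A foreign row and a missing row both answer 404, so the response does not
// reveal which ids exist.
function getInvoiceScoped(req) {
  if (!req.user) return { status: 401 };
  const invoice = INVOICES.get(Number(req.params.id));
  if (!invoice || invoice.ownerId !== req.user.id) return { status: 404 };
  return { status: 200, body: invoice };
}

// Admin endpoint: the role comes from the server-side session (req.user),
// never from anything the client sends in the body or query string.
function deleteInvoiceAsAdmin(req) {
  if (!req.user) return { status: 401 };
  if (req.user.role !== 'admin') return { status: 403 };
  return INVOICES.delete(Number(req.params.id)) ? { status: 204 } : { status: 404 };
}

// Constructed request: user u1 changes the id to reach u2's invoice and also
// claims an admin role in the body.
const TAMPERED = { user: { id: 'u1', role: 'user' }, params: { id: '2' }, body: { role: 'admin' } };

console.log(getInvoiceUnscoped(TAMPERED).status, getInvoiceScoped(TAMPERED).status, deleteInvoiceAsAdmin(TAMPERED).status);
```

With a real database the scoped version becomes a `WHERE id = ? AND owner_id = ?` query (or, on Supabase, an RLS policy that adds that predicate for you), which is what "data queries are scoped to the authenticated user" means in practice.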
**6. Injection Detection**
Scans for code patterns vulnerable to injection attacks:
- SQL injection through string concatenation in database queries
- XSS vulnerabilities through unsanitized user content rendering
- eval() and Function() usage with user input
- Command injection in server-side code
- NoSQL injection in MongoDB queries
**7. CSRF Protection**
Checks for Cross-Site Request Forgery protections:
- CSRF token implementation on state-changing forms
- SameSite cookie attribute configuration
- Custom header requirements on API requests
- Origin and Referrer validation
**8. Performance Security**
Identifies performance issues that create security vulnerabilities:
- Blocking I/O operations that enable application-level DoS
- N+1 query patterns that exhaust database connections
- Unbounded queries that return unlimited data
- Missing request timeouts on external API calls
**9. Dependency Analysis**
Checks your npm packages for known vulnerabilities:
- High and critical CVEs in direct dependencies
- Vulnerable transitive dependencies
- Deprecated packages with no security support
- Outdated packages missing security patches
**10. Infrastructure Security**
Checks your deployment configuration:
- HTTPS enforcement and certificate validity
- DNS configuration security
- CDN and hosting platform security settings
- Network exposure and attack surface
**11. AI Security**
Checks for AI-specific vulnerabilities:
- Exposed AI API keys (OpenAI, Anthropic, Google)
- Prompt injection vulnerability patterns
- Unprotected AI endpoints without authentication or rate limiting
- Missing token and cost limits on AI API calls
**12. Architecture Analysis**
Checks for structural security issues:
- Client-side security reliance (hiding UI elements instead of enforcing server-side access control)
- Exposed database connection strings
- Missing rate limiting on sensitive endpoints
- Insecure error handling that leaks implementation details
**13. Storage Security**
Checks file handling and storage:
- Unrestricted file upload types and sizes
- Public storage buckets containing private data
- Missing access control on file downloads
- Insecure file serving configurations
**14. API Security**
Checks your API endpoints:
- Missing authentication on protected endpoints
- Insecure CORS configurations
- Missing input validation
- Rate limiting coverage
- Response data exposure (returning more fields than necessary)
What the Pro Report Includes
Everything in the free report, plus:
- Complete findings across all 14 categories
- Deeper analysis with more specific recommendations
- Downloadable PDF report for documentation and compliance
- Priority-ranked action items across all categories
When to Upgrade to Pro
The Free Scan Is Enough When:
- You are in early development and want a quick health check
- You primarily need to check for exposed secrets (the most critical category)
- Your application does not handle sensitive user data yet
- You want to verify basic security headers are configured
Upgrade to Pro When:
- Your application handles user data (accounts, personal information, payments)
- You are preparing to launch or share your app publicly
- You need comprehensive security coverage for compliance or client requirements
- You want to check authorization, injection, and CSRF protections
- Your app includes AI features that need prompt injection and cost abuse checks
- You want a downloadable report for your records or to share with stakeholders
Side-by-Side Comparison
| Feature | Free | Pro |
|---------|------|-----|
| Categories checked | 3 | 14 |
| Individual checks | ~15 | 51+ |
| Secrets detection | Yes | Yes (deeper) |
| Frontend security | Yes | Yes (deeper) |
| Supabase checks | Yes | Yes (deeper) |
| Auth analysis | No | Yes |
| Authorization | No | Yes |
| Injection detection | No | Yes |
| CSRF protection | No | Yes |
| Performance security | No | Yes |
| Dependency audit | No | Yes |
| AI security | No | Yes |
| Architecture review | No | Yes |
| API security | No | Yes |
| PDF report | No | Yes |
| Rescan capability | No | Yes |
How Scanning Works
Both free and Pro scans analyze your deployed application from the outside, just like an attacker would see it. SimplyScan:
1. Loads your application URL in a secure browser environment
2. Analyzes the JavaScript bundles, network requests, and HTML for security issues
3. Checks HTTP response headers for security configurations
4. Tests for common vulnerability patterns specific to AI-generated code
5. Generates a report with findings, severity levels, and fix recommendations
The entire scan takes about 30 seconds. No code access or repository connection is required for URL scans.
Start with Free, Upgrade When Ready
The free scan catches the most critical issues. Start there. If it finds problems, fix them and rescan. When you are ready for comprehensive coverage, upgrade to Pro.
[Run your free scan now](/)
Related Guides
[How to Read Your SimplyScan Report](/blog/how-to-read-scan-report)
[Security Audit Checklist](/blog/security-audit-checklist)
[Is Vibe Coding Safe?](/blog/is-vibe-coding-safe)
[SimplyScan vs Penetration Testing](/blog/simplyscan-vs-penetration-testing)