Security Scanner for WeWeb Apps
WeWeb is a frontend builder: every app it produces talks to a backend like Supabase, Xano, or a custom REST API. That architecture puts the real attack surface in the connection: tokens shipped to the browser, backend endpoints that trust the frontend, and RLS that was never enabled. SimplyScan tests the deployed result end to end.
Top Vulnerabilities in WeWeb Apps
- Backend Credentials in the Browser: API keys and tokens configured in WeWeb data sources are shipped to every visitor unless the request is proxied through a secured backend.
- Missing RLS on Connected Supabase: WeWeb frontends commonly pair with Supabase and inherit every missing or permissive RLS policy, exposing tables through the anon key.
- Backend Endpoints That Trust the Frontend: Xano or REST endpoints that rely on the WeWeb UI for access control can be called directly with any HTTP client, bypassing the UI entirely.
- Sensitive Fields in Collection Responses: collections often fetch full records; fields your pages never display still arrive in the browser's network tab.
- Missing Security Headers: WeWeb-hosted apps typically lack Content-Security-Policy and related headers unless configured at the hosting layer.
How SimplyScan Helps
- 51+ automated security and speed checks
- GitHub repository scanning for source-level issues
- Actionable fix guidance with severity ratings
- Downloadable PDF reports
Scan your WeWeb app free →