Hey,

I'm an infosec professional and I've spent the last 7 weeks building Hexora, a web vulnerability scanner designed for developers who ship fast.

The problem I kept seeing: developers using Cursor, Copilot, and similar tools are shipping functional code with real security gaps. Missing security headers, CORS misconfigurations, exposed secrets in page source, weak cookie settings. These aren't exotic attacks. They're basic misconfigurations that take minutes to fix once you know about them.

Hexora lets you paste a URL and get a full security report in under 15 seconds. It runs 7 scanners (SSL/TLS, security headers, CORS, cookies, DNS/email, exposed secrets, technology fingerprinting) and every finding comes with evidence showing exactly what's wrong, plus an AI fix prompt you can paste into Claude or Cursor to generate the fix.

The free tier gives you 3 scans per month with severity counts and one full finding. Paid plans start at £15/month for more domains and full reports.

It's live at hexora.uk. I'd genuinely appreciate feedback from this community, especially on what scanners or checks you'd want to see added next.

A few things to note:

It currently runs passive scans only (no active exploitation). Active scanners like XSS and SQL injection testing are on the roadmap.

I built every scanner myself from real-world penetration testing experience. This isn't a wrapper around a third-party API.

I also wrote a blog post on the 7 security headers most web apps are missing, if that's useful: hexora.uk/blog/7-security-headers-your-web-app-is-probably-missing

Happy to answer any questions about the tool, the tech stack, or the security checks themselves.