Open source · Free tier available

Security for web projects

Privacy-first scanning that runs locally. Plain-language findings with AI-generated fix prompts. Your code never leaves your machine.

Config · Secrets · Headers · SSL · CORS · Deps · Code · Auth · Rate Limit

Security Score: 100/100
Terminal — bastion scan
$ npx bastion-scan scan
 
Bastion Security Scanner v0.1.0
Scanning /home/user/notchwise-app...
Stack detected: Next.js + Supabase + Clerk
 
✓ .gitignore — sensitive patterns excluded
✓ No hardcoded secrets found
⚠ npm audit — 2 moderate vulnerabilities
✓ .env.example — safe placeholders
✕ Missing Content-Security-Policy header
✕ Missing Strict-Transport-Security header
✓ CORS — restrictive policy detected
✓ Rate limiting — express-rate-limit
✓ Auth provider — Clerk
 
Score: 78/100 ●●●●●●●●○○
9 passed · 2 failed · 1 warning
100% Open Source · Zero Data Uploaded · 800+ Tests · MIT License · Self-scan: 100/100

You ship fast.
But is your code secure?

AI tools help you build in hours, not months. But they routinely ship hardcoded secrets, missing headers, and injection vectors. Enterprise scanners cost £300+/mo. Nobody teaches the basics.

80%

of cyber incidents target web apps

Verizon DBIR 2024

43%

of attacks target small businesses

Accenture Cybersecurity Report

$4.88M

average cost of a data breach

IBM Cost of a Data Breach 2024

62%

cite cost as a barrier to security testing

Ponemon Institute 2023

40%

more vulnerabilities in AI-generated code

Stanford University 2023

197

days — average time to detect a breach

IBM Cost of a Data Breach 2024

Three steps to ship secure

No accounts. No configuration. No cloud dependency.

1. Install

One command. Nothing to configure. Works with any Node.js project.

npx bastion-scan scan

2. Scan

12 checks run in seconds — secrets, headers, SSL, CORS, dependencies, code patterns.

Score: 78/100

3. Fix

AI-generated prompts tailored to your exact stack. Paste into Claude or ChatGPT.

All checks passing

What we check

12 automated checks covering the most common security gaps in web applications.

bastion scan — configuration
Checking configuration...
✓ .gitignore — 14 patterns, sensitive files excluded
⚠ .env.example missing
Collaborators won't know which variables are required
Scanning for secrets...
✕ Hardcoded OpenAI API key detected
src/lib/openai.ts:8
const key = "sk-proj-aBcD..."
✓ No AWS credentials found
Checking security headers...
✕ Missing Content-Security-Policy
✕ Missing Strict-Transport-Security
✓ X-Frame-Options: DENY
✓ X-Content-Type-Options: nosniff
Checking transport security...
✓ SSL certificate valid — expires 2027-03-15
✓ TLS 1.3 supported
✓ HTTPS redirect active
Analyzing code patterns...
✕ SQL string concatenation detected
src/api/users.ts:23
db.query(`SELECT * FROM users WHERE id = ${id}`)
✓ No eval() usage found
Running npm audit...
⚠ vite@5.0.0 — Path Traversal (moderate)
CVE-2024-23331 · fix: upgrade to >=5.0.5
⚠ postcss@8.4.0 — Line Return Parsing (moderate)
✓ No critical vulnerabilities
Checking CORS policy...
✕ cors() called with no configuration
src/app.ts:12 — defaults to Access-Control-Allow-Origin: *
✕ Credentials exposed with wildcard origin
Checking rate limiting...
⚠ No rate limiting middleware detected
API routes at /api/* are unprotected
Recommend: express-rate-limit or @upstash/ratelimit
Checking authentication...
⚠ No authentication provider detected
No Clerk, Auth0, NextAuth, or Supabase Auth found
API routes may be publicly accessible
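As an added example (not Bastion's source; the CLI's real rule set lives in its repository), the following shows how the secret, SQL-concatenation, cors() and .env.example checks in the output above can be implemented as line-oriented pattern rules, run over constructed files that reproduce the findings shown. Rule ids, regular expressions, paths and file contents are assumptions for illustration.

```javascript
// Added example (not Bastion's own implementation): a small version of the
// code-pattern and .env.example checks in the scan output above, run over
// constructed source files. Rule ids, paths and file contents are illustrative.
const RULES = [
  {
    id: "openai-key",
    message: "Hardcoded OpenAI API key detected",
    // "sk-" or "sk-proj-" followed by a long base62 run; real keys are longer
    pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{16,}/,
  },
  {
    id: "aws-access-key",
    message: "Hardcoded AWS access key ID detected",
    pattern: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/,
  },
  {
    id: "sql-template-concat",
    message: "SQL string concatenation detected",
    // a query call whose template literal interpolates a value into the SQL
    pattern: /\.(?:query|execute|raw)\s*\(\s*`[^`]*\$\{/,
  },
  {
    id: "cors-default",
    message: "cors() called with no configuration (allows any origin)",
    pattern: /\bcors\(\s*\)/,
  },
  {
    id: "eval",
    message: "eval() usage found",
    pattern: /\beval\s*\(/,
  },
];

// Run every rule over every line; a finding records path, 1-based line and
// the offending text so a report can print `src/file.ts:N` like the CLI does.
function scanSource(path, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, message: rule.message, path, line: i + 1, snippet: text.trim() });
      }
    }
  });
  return findings;
}

function scanProject(files) {
  return Object.entries(files).flatMap(([path, source]) => scanSource(path, source));
}

// Variables read via process.env.NAME in source but not declared (even as a
// placeholder) in .env.example: the "collaborators won't know" warning above.
function missingFromEnvExample(envExample, files) {
  const declared = new Set();
  for (const line of envExample.split("\n")) {
    const m = line.match(/^\s*([A-Z][A-Z0-9_]*)\s*=/);
    if (m) declared.add(m[1]);
  }
  const referenced = new Set();
  for (const source of Object.values(files)) {
    for (const m of source.matchAll(/process\.env\.([A-Z][A-Z0-9_]*)/g)) referenced.add(m[1]);
  }
  return [...referenced].filter((name) => !declared.has(name)).sort();
}

// Constructed inputs mirroring the findings shown in the sample scan.
const SAMPLE_FILES = {
  "src/lib/openai.ts": [
    'import OpenAI from "openai";',
    "// constructed example of the finding, not a real key",
    'const key = "sk-proj-q7Zm3xK9vTb2LpW8hN4cRd";',
    "export const client = new OpenAI({ apiKey: key });",
  ].join("\n"),
  "src/api/users.ts": [
    "export async function getUser(db, id) {",
    "  return db.query(`SELECT * FROM users WHERE id = ${id}`);",
    "}",
    "// parameterised form: the value travels separately from the SQL text",
    "export async function getUserSafe(db, id) {",
    '  return db.query("SELECT * FROM users WHERE id = $1", [id]);',
    "}",
  ].join("\n"),
  "src/app.ts": [
    'import cors from "cors";',
    "const db = connect(process.env.DATABASE_URL);",
    "app.use(cors());",
  ].join("\n"),
};
const SAMPLE_ENV_EXAMPLE = "OPENAI_API_KEY=sk-your-key-here\n";

for (const f of scanProject(SAMPLE_FILES)) {
  console.log(`✕ ${f.message}\n  ${f.path}:${f.line}\n  ${f.snippet}`);
}
for (const name of missingFromEnvExample(SAMPLE_ENV_EXAMPLE, SAMPLE_FILES)) {
  console.log(`⚠ ${name} is read from process.env but not listed in .env.example`);
}
```

Line-based regexes are deliberately cheap: they catch the patterns AI assistants most often emit, but they cannot see a key assembled across lines or a query built by string concatenation over several statements, which is why the real scanner also runs npm audit and live checks against the deployed URL. The placeholder in the constructed .env.example is short enough not to trip the key rule, which is the property a "safe placeholder" needs.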

Configuration

Validates .gitignore patterns and .env file setup to prevent accidental secret exposure.

  • .gitignore coverage
  • .env.example validation
  • Sensitive file detection

Suggested fix

Create a .env.example file listing every required environment variable with placeholder values.
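The two failed header checks and the CORS findings in the sample scan above have a small, framework-neutral fix. The following is an added example, not Bastion's generated config or the project's own code: it sets the headers the scan looks for and answers CORS only for an explicit origin allowlist. The origins, the CSP sources and the `hardenResponse` middleware name are assumptions for illustration. One caveat the finding glosses over: browsers refuse to expose a credentialed response whose `Access-Control-Allow-Origin` is the literal `*`; the configuration that actually leaks authenticated data is one that echoes any request origin back while also sending `Access-Control-Allow-Credentials: true`, so the allowlist check below is the part that matters.

```javascript
// Added example, not Bastion's generated config: the headers the scan checks
// for plus an allowlist-based CORS policy, as Express/Connect-style middleware.
// ALLOWED_ORIGINS and the CSP sources are illustrative values for one app.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Static hardening headers. CSP here allows only same-origin scripts; an app
// with inline scripts (Next.js) needs a nonce or hashes in script-src.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    // two years, covering subdomains; add "preload" only after testing
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// CORS headers for one request origin. Credentialed cross-origin requests only
// succeed when the response names one concrete origin, so the origin is echoed
// back only if it is on the allowlist: never "*", never an arbitrary reflected
// value. Unknown or missing origin: no CORS headers at all.
function corsHeadersFor(requestOrigin, { allowed = ALLOWED_ORIGINS, credentials = true } = {}) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // the response differs per origin, so shared caches must key on it
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Middleware: applies both sets of headers and short-circuits preflights.
// HSTS is only meaningful on HTTPS responses (browsers ignore it on plain
// HTTP); req.secure is Express-specific, the forwarded-proto header covers
// deployments behind a TLS-terminating proxy.
function hardenResponse(req, res, next) {
  const isHttps = req.secure === true || req.headers["x-forwarded-proto"] === "https";
  for (const [name, value] of Object.entries(securityHeaders())) {
    if (name === "Strict-Transport-Security" && !isHttps) continue;
    res.setHeader(name, value);
  }
  for (const [name, value] of Object.entries(corsHeadersFor(req.headers.origin))) {
    res.setHeader(name, value);
  }
  if (req.method === "OPTIONS") {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```

Mount it before any route (`app.use(hardenResponse)` in Express, or call it with a no-op `next` from a plain `http.createServer` handler). The CSP shown is deliberately strict: Next.js injects inline scripts, so either a per-request nonce or script hashes must be added to `script-src` before this policy is enabled in production, otherwise the page will not render. A preflight from an origin that is not on the allowlist still gets a 204, but with no `Access-Control-*` headers the browser blocks the actual request.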

Real results

Three projects we built or maintain — each one hardened with Bastion's own recommendations.

ParkMoto

47/100

London motorbike parking finder. Patched all 8 findings in one Cursor session.

Lovable-Eject

0/100

Open-source toolkit for migrating off Lovable. From zero to 78 after one scan and a weekend of fixes.

Bastion

55/100

We scan ourselves. Two upstream postcss advisories showed up within a day of publication.

We scanned 15 indie web projects during May 2026. Median score: 45 out of 100. Not one had a Content-Security-Policy. One in fifteen had a published security disclosure policy. SSL comes free with your hosting provider — everything else is on you.

Simple, fair pricing

Start free. Upgrade when you need more.


Free

Free

What you get:

  • OWASP education
  • Security checklist
  • Tool recommendations
  • 1 URL scan per day
  • Community support

Pro

£19

per month

30-day refund policy

What you get:

  • Everything in Free, plus:
  • All 15 security checks
  • Unlimited URL scans
  • AI fix prompts
  • Config generators
  • Security badge
  • Email support

Team

£49

per month

30-day refund policy

What you get:

  • Everything in Pro, plus:
  • PDF compliance reports
  • Historical score tracking (coming soon)
  • GitHub Action for all repos
  • Priority support

All plans include a 14-day free trial. Cancel anytime. Payments processed by Lemon Squeezy.

Your code never leaves your machine

Inspect every line. The Bastion CLI is free, open source, and runs entirely on your machine. No telemetry. No uploads. No cloud dependency.

npm provenance · 800+ tests · MIT License · Self-scan: 100/100
View on GitHub