
I Built a Web Vulnerability Scanner in 7 Weeks. Here's What I Learned
I work in information security. I've spent years analysing threats, poking at web applications, and watching the same preventable security issues show up over and over again.
A few months ago I started looking at websites built by developers using AI coding tools. Cursor, Copilot, Windsurf. The apps were impressive, genuinely functional, sometimes beautiful. But almost all of them had the same security gaps: missing headers, wide-open CORS policies, exposed secrets in page source, cookies without basic flags.
These developers weren't careless. They just didn't know. The tools they were using to build quickly don't add security configuration by default, and the existing security scanners are either too expensive, too complex, or give you a pass/fail with no explanation.
I decided to build something better.
What Hexora does
The idea is simple. Paste a URL, get a security report in under 15 seconds. No account required for a quick scan, no credit card, no sales call.
Hexora runs 7 scanners against your site: SSL/TLS, security headers, CORS configuration, cookie security, DNS and email security, exposed secrets, and technology fingerprinting with CVE lookup. Every finding comes with evidence showing exactly what's wrong, a severity score, remediation steps, and an AI fix prompt you can paste into your coding agent.
That last part matters. If you're building with Cursor or Claude, you can copy the fix prompt, paste it in, and ship the patch in your next commit. No context switching, no Googling, no guessing whether the fix actually addresses the issue.
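To make the "evidence plus remediation" idea concrete, here is an added example of the kind of passive check the headers, CORS and cookie scanners perform. It is not Hexora's code and does not reflect how the product is implemented: it takes a captured HTTP response as name/value pairs, sends nothing itself, and returns findings with the observed evidence, a severity label and a fix hint. The sample response, the request origin and the severity choices are constructed for the example.

```python
"""Passive response-header checks: hardening headers, CORS and cookie flags.
Added example, not Hexora's code. Works on a captured response and sends
nothing; SAMPLE_RESPONSE and SAMPLE_ORIGIN are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    severity: str  # "high", "medium" or "low"
    evidence: str  # what was (or was not) observed
    fix: str       # remediation hint


# Hardening headers a public HTTPS site should send, with severity when absent.
EXPECTED_HEADERS = {
    "strict-transport-security": ("medium",
        "Send 'Strict-Transport-Security: max-age=31536000; includeSubDomains' on HTTPS responses."),
    "content-security-policy": ("medium",
        "Send a Content-Security-Policy; start from \"default-src 'self'\" and widen only as needed."),
    "x-frame-options": ("low",
        "Send 'X-Frame-Options: DENY' or a CSP frame-ancestors directive."),
    "x-content-type-options": ("low", "Send 'X-Content-Type-Options: nosniff'."),
    "referrer-policy": ("low", "Send 'Referrer-Policy: strict-origin-when-cross-origin'."),
}


def check_response(headers, request_origin):
    """headers: list of (name, value) pairs as captured; duplicate Set-Cookie lines are kept.
    request_origin: the Origin header the probe request carried, used to detect reflection."""
    single = {}
    set_cookies = []
    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":
            set_cookies.append(value)
        else:
            single[key] = value.strip()

    findings = []

    # 1. Missing hardening headers.
    for key, (severity, fix) in EXPECTED_HEADERS.items():
        if key not in single:
            findings.append(Finding(key, severity, "header absent", fix))

    # 2. CORS. A wildcard lets any origin read unauthenticated responses; an origin
    #    reflected together with credentials lets any site read the victim's authenticated ones.
    acao = single.get("access-control-allow-origin")
    creds = single.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        note = "; credentials=true is refused by browsers with '*' but shows intent" if creds else ""
        findings.append(Finding("cors", "medium", f"Access-Control-Allow-Origin: *{note}",
                                "Replace '*' with an allow-list of trusted origins, or drop the header."))
    elif acao and acao == request_origin:
        findings.append(Finding("cors", "high" if creds else "medium",
                                f"Access-Control-Allow-Origin reflects request Origin {acao}"
                                + ("; Access-Control-Allow-Credentials: true" if creds else ""),
                                "Validate Origin against a fixed allow-list instead of echoing it."))

    # 3. Cookie flags. Every cookie is reported; the caller decides which ones are sensitive.
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"),
                                           ("SameSite", "samesite")) if key not in attrs]
        if missing:
            findings.append(Finding(f"cookie:{cookie_name}", "medium", f"Set-Cookie: {raw}",
                                    f"Add {', '.join(missing)} to this cookie."))
    return findings


# Constructed sample: a response typical of the apps described in the post.
SAMPLE_ORIGIN = "https://attacker.example"
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for f in check_response(SAMPLE_RESPONSE, SAMPLE_ORIGIN):
        print(f"[{f.severity:6}] {f.check}: {f.evidence}\n         fix: {f.fix}")
```

Two caveats a scanner author runs into immediately: the HSTS check only means something when the response came over HTTPS, and a missing Secure/HttpOnly flag on a theme preference is noise, so a real report has to rank cookie findings by how sensitive the cookie looks rather than flag them all at the same severity.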
The 7-week timeline
I've started and abandoned more side projects than I can count. This is the first one I've actually shipped. Here's roughly how those 7 weeks broke down.
Weeks 1-2 were the scanner engine and API. This was the fastest part of the entire build because it's my actual domain. I know what to check, I know what a bad configuration looks like, and I know what the fix should be. Writing the scanning logic felt natural in a way that nothing else in the project did.
Weeks 3-4 were the frontend dashboard and deployment. I built the UI in Next.js with Tailwind and shadcn/ui. Getting the scan flow right took iteration: paste a URL, show progress, display results in a way that's useful without being overwhelming. Deployment was its own adventure. Docker Compose on a VPS, Caddy as a reverse proxy, Cloudflare for SSL and DNS, Vercel for the frontend. Every layer had edge cases I didn't anticipate.
Week 5 was billing and security. Stripe integration took longer than I expected. Not because the API is difficult, but because handling every state correctly (subscription created, updated, cancelled, expired, payment failed) requires more thought than the documentation suggests. I also built email verification, SSRF protection on the scanner, and an admin panel.
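"SSRF protection on the scanner" deserves a closer look, because a service that fetches whatever URL a stranger pastes is a textbook server-side request forgery target: the obvious abuse is pointing it at the VPS's own admin panel, a database on the Docker network, or a cloud metadata endpoint. The following is an added example of a target gate for such a scanner, not Hexora's code. It rejects non-HTTP schemes, embedded credentials and localhost, then resolves the host and refuses if any returned address is not globally routable (loopback, RFC 1918, link-local, IPv4-mapped IPv6). The resolver is injected so the example runs offline; the FAKE_DNS table and the hostnames in it are constructed, and a real deployment would pass the `resolve_all` function built on `socket.getaddrinfo`.

```python
"""Target gate for a scanner that fetches user-supplied URLs (SSRF protection).
Added example, not Hexora's code. FAKE_DNS and the *.evil.test names are
constructed so the example runs offline; use resolve_all in a real deployment."""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Real resolver: every address the host maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return addr.is_global and not addr.is_multicast and not addr.is_reserved


def check_target(url, resolver=resolve_all):
    """Return (ok, reason). Every address the host resolves to must be public,
    so a name that mixes one public and one internal record is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"DNS failure: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    bad = [str(a) for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address(es): {', '.join(bad)}"
    return True, "ok"


# Constructed DNS table standing in for the resolver so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.evil.test": ["169.254.169.254"],         # cloud metadata endpoint
    "rebind.evil.test": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    "v6loop.evil.test": ["::ffff:127.0.0.1"],           # IPv4-mapped loopback
}


def fake_resolver(host):
    try:
        return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")


if __name__ == "__main__":
    for url in ("https://example.com/", "http://127.0.0.1:8080/admin", "http://[::1]/",
                "http://metadata.evil.test/latest/meta-data/", "https://rebind.evil.test/",
                "http://v6loop.evil.test/", "file:///etc/passwd", "http://user:pw@example.com/"):
        ok, reason = check_target(url, fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY '} {url}  ({reason})")
```

The gate alone is not enough. Between this check and the actual fetch the name can be re-pointed (DNS rebinding), and a redirect can send the fetcher anywhere, so the scanner should connect to the vetted address rather than re-resolving the name, and either refuse redirects or run every hop through the same check. Running the scanner in a container with egress blocked to RFC 1918 and link-local ranges gives a second line of defence if the application check is ever bypassed.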
Week 6 was polish. Animations, responsive design, domain verification flow, result gating for the free tier, password requirements, scan limits. The gap between "it works" and "it's ready for users" is enormous. This week felt like it would never end.
Week 7 was MFA, Google OAuth, security headers on the app itself (practice what you preach), and final bug fixes. Then I called it done, knowing it wasn't perfect, knowing the roadmap is long, and knowing that shipping is better than polishing forever.
What surprised me
The thing that genuinely caught me off guard was how fast an idea can become a real, working product. I've been in IT for years and I've never shipped a side project. I've started plenty, lost momentum, and moved on. This time, something clicked. The scope was clear, the problem was real, and I had enough domain knowledge in security to make the core of the product solid without getting stuck.
Seven weeks from "I should build this" to "real people can use this" is still hard to believe.
What the product doesn't do (yet)
I want to be upfront about where Hexora is today. It runs passive scans. It checks what your site exposes to any visitor: headers, certificates, cookies, DNS records, page source. It doesn't inject payloads, it doesn't crawl authenticated pages, and it doesn't replace a professional penetration test.
Active scanners (XSS, SQL injection testing) are next on the roadmap, along with PDF report export, scheduled recurring scans, and CI/CD integration. But the passive checks alone catch the majority of issues I see in the wild, and they're the easiest to fix.
What I'd tell someone starting a similar project
Build in your area of expertise first. The scanner engine took a fraction of the time everything else did because I wasn't learning as I went. If you have domain knowledge in something, that's your unfair advantage. Use it.
Stripe is harder than it looks. Not the initial integration, but handling every edge case: what happens when a subscription is cancelled mid-cycle, what happens when a payment fails, what happens when someone upgrades then downgrades. Budget more time than you think.
Ship before you're comfortable. Hexora has a long roadmap. I could have spent another month adding features. But every week I delayed was a week without real user feedback, and real user feedback is worth more than any feature I could build in isolation.
The boring work takes the longest. Security headers, error handling, mobile responsiveness, email deliverability, DNS configuration. None of it is exciting. All of it is necessary. I'd estimate 60% of the total build time went into things no user will ever notice, but would definitely notice if they were missing.
Try it
Hexora is live at hexora.uk. Free tier gives you 3 scans a month. Paste a URL and see what it finds.
If you're a developer shipping fast, it's worth spending 15 seconds to check what your site is exposing. And if you find issues, every finding has a fix prompt ready to go.
I'd love to hear what you think.