What it checks:
Exposed API keys, tokens, JWT handling issues
CORS misconfigurations and overly permissive cross-origin trust
Missing or weak security headers (CSP, HSTS, etc.)
Cookie security posture
Sensitive data leaking via local/session storage
Query/URL leaks and client-side state exposure
Source maps and build artifacts left exposed
Endpoint patterns from observed traffic
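As an added illustration of the header, CORS, cookie and source-map checks in this list (example code written for this page, not the tool's own implementation), the function below audits one HTTP response; the input shape, the `auditResponse` name and the finding strings are assumptions.

```javascript
// Added example, not the tool's own code: audit one HTTP response for the
// exposures listed above. The input shape and finding strings are assumed.
const REQUIRED_HEADERS = {
  "content-security-policy": "Missing Content-Security-Policy",
  "strict-transport-security": "Missing Strict-Transport-Security",
  "x-content-type-options": "Missing X-Content-Type-Options",
};
// resp: { headers: {name: value}, setCookie: [string], body: string }
// sentOrigin: the Origin value the probe request carried (for CORS reflection)
function auditResponse(resp, sentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers || {})) h[k.toLowerCase()] = v;
  const findings = [];
  for (const [name, msg] of Object.entries(REQUIRED_HEADERS)) {
    if (!(name in h)) findings.push(msg);
  }
  // HSTS that is present but shorter than one year counts as weak, not missing.
  const hsts = h["strict-transport-security"];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push("Weak HSTS max-age");
  }
  // CORS: wildcard, or the arbitrary sent origin echoed back, with credentials.
  const acao = h["access-control-allow-origin"];
  const creds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === "*" && creds) findings.push("CORS: wildcard origin with credentials");
  else if (acao && sentOrigin && acao === sentOrigin && creds) {
    findings.push("CORS: request origin reflected with credentials");
  }
  // Cookie posture: each Set-Cookie should carry Secure, HttpOnly and SameSite.
  for (const sc of resp.setCookie || []) {
    const name = sc.split("=")[0].trim();
    const attrs = sc.toLowerCase();
    const missing = ["secure", "httponly", "samesite"].filter((a) => !attrs.includes(a));
    if (missing.length) findings.push(`Cookie ${name} missing ${missing.join(", ")}`);
  }
  // Build artifacts: a sourceMappingURL comment in served JS points at the map file.
  if (/\/\/[#@]\s*sourceMappingURL=/.test(resp.body || "")) {
    findings.push("Source map reference in served JavaScript");
  }
  return findings;
}
const SAMPLE = { // constructed sample response, not captured from any real site
  headers: { "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "https://other.example", "Access-Control-Allow-Credentials": "true" },
  setCookie: ["session=abc123; Path=/; HttpOnly"],
  body: "console.log(1);\n//# sourceMappingURL=app.js.map",
};
console.log(auditResponse(SAMPLE, "https://other.example"));
```

The reflected-origin check only fires when the origin the probe sent comes back verbatim, so it is meaningful only for an origin that should not be on the server's allowlist.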