Security score · higher is better
Fix before launch
We found issues to fix before you send real traffic.
- Domain: Your App
- Scanned: May 20, 2026
- Scan type: External scan · no login
14 launch security areas checked
Findings
99 is the highest score for this external scan.
Fix before launch. Fix must-fix items first, then re-scan after deploying changes.
Security score breakdown
12 areas. Every public-surface area this scan graded. “Pass” means nothing was flagged there, not a full security review.
Exposed files & secrets
Pass: No exposed .env, .git, or known secret files detected
Frontend JS secrets
Pass: No private secrets detected in scanned frontend assets
Supabase exposure
Pass: No obvious public Supabase table exposure detected
Public API data exposure
Fail: 1 issue to fix before launch (see findings below)
CORS
Pass: No dangerous CORS behavior detected
Cookies & sessions
Pass: No insecure session cookies observed
Error & debug leakage
Pass: No stack traces or debug errors detected
Security headers
Warn: 1 issue to review (see findings below)
Open ports & infrastructure
Pass: No unexpected public ports detected on the common fixed list
HTTPS / TLS
Pass: No insecure transport or mixed-content issues detected
Route exposure
Pass: No obviously exposed admin or sensitive routes detected
Source maps
Not tested: Not reached; the scan budget was hit before source maps were checked. Re-run to test this area.
Some areas could not be tested during this scan. This can happen if the site blocked requests, timed out, or the scan budget was reached. Re-run the scan to try again.
Must fix before launch (1)
Critical and high-severity issues. Fix these before sending traffic.
Public API returns user or business data
API exposure · https://yourapp.vercel.app/api/profiles · High: /api/profiles returned JSON containing personal fields without authentication. If this isn't meant to be public, require a login first.
Evidence
- status: 200
- sensitive fields: email, name, user_id
Why it matters
Public API routes that return user, customer, or admin data without a login let anyone read information meant to be private.
Recommendation
Require authentication and authorization before returning this data, and confirm anonymous requests receive 401 or 403.
Paste this into Claude Code, Cursor, or your AI coding tool
Review this public API route. Confirm whether it should be accessible without authentication. If it returns user, customer, case, payment, or admin data, require authentication and authorization before returning the response. Add tests that unauthenticated requests receive 401 or 403.
Should fix (1)
Medium-severity issues worth resolving before a wider launch.
Missing Content-Security-Policy
Security headers · Medium: A Content-Security-Policy helps prevent cross-site scripting and content injection. It wasn't set.
Why it matters
Security headers are the browser-level guardrails that block common attacks like cross-site scripting and clickjacking.
Recommendation
Add a Content-Security-Policy header. Start in report-only mode, then enforce once nothing legitimate is blocked.
Paste this into Claude Code, Cursor, or your AI coding tool
Add a Content-Security-Policy to my app. Propose a sensible starting policy for my framework, explain how to test it in report-only mode first, then enforce it.
Nice to have / hardening (1)
Low-severity and informational items — not launch blockers.
Supabase detected — no public table exposure found
No obvious public Supabase table exposure detected from this unauthenticated scan. Supabase public anon key detected. This is normal for frontend apps, but sensitive tables must be protected by RLS.
Recommendation: Keep sensitive tables protected with Row Level Security so unauthenticated requests using the public anon key cannot read private rows. This scan only checked a short list of common table names.
Your Claude Code fix plan
Prioritized prompts you can paste into Claude Code or Cursor, top to bottom.
Phase 2 — High priority
1. Public API returns user or business data
Phase 3 — Medium & low
1. Missing Content-Security-Policy
Phase 4 — Retest checklist
After fixing, re-run the scan and confirm your score dropped. The full checklist is included in the copied plan.
Scan limits
This was an unauthenticated external scan. It did not log in, submit forms, inspect private source code, or run dependency/CVE analysis.
Launch checklist
Use this checklist before sending users, ad traffic, or demo traffic to the app. It summarizes the security scan and flags readiness areas this external scan doesn't cover yet.
Security blockers
No critical or high security findings
Action needed: 1 must-fix finding to resolve (see the Security Check tab).
No exposed secrets
No issue detected: No leaked secrets or exposed secret files detected.
No public API data exposure
Action needed: Public API data exposure detected; fix before launch.
No public Supabase data exposure
No issue detected: No obvious public Supabase table exposure detected.
No dangerous CORS behavior
No issue detected: No dangerous CORS behavior detected.
No insecure session cookies observed
No issue detected: No insecure session cookies observed.
Technical readiness
HTTPS enabled
No issue detected: No insecure transport or mixed-content issues detected.
Security headers reviewed
Needs review: Header improvements to review (see the Security Check tab).
No debug or stack traces detected
No issue detected: No stack traces or debug errors detected.
No public source maps with sensitive code
Not tested: Not tested in this scan.
No unexpected public ports
No issue detected: No unexpected public ports detected on the common fixed list.
Domain & communication readiness
SPF & DMARC email records
Needs review: Some email/DNS records (SPF, DMARC, CAA) are missing (see notes below).
DNSSEC enabled
Not tested: DNSSEC isn't reliably checkable from this external scan yet.
Legal & trust basics
Privacy policy page
No issue detected: A privacy policy page was reachable.
Terms page
No issue detected: A terms page was reachable.
Contact page
Needs review: No contact page found; add one before launch.
Privacy & readiness notes (2)
Domain & email DNS records are incomplete
DMARC and CAA records were not found for yourapp.vercel.app. SPF and DMARC help stop attackers spoofing email from your domain; CAA limits which certificate authorities can issue certificates for it. (We don't check DKIM; its selectors are provider-specific.)
Recommendation: Add a DMARC policy (start at p=none to monitor) and consider a CAA record. Set up DKIM with your email provider's instructions.
No contact page found
We couldn't find a reachable contact page at the usual paths (/contact). Users, ad networks, and app stores generally expect one before launch.
Recommendation: Add a contact page and link to it from your footer.
Operational readiness
- Re-scan after every deploy to confirm nothing new is exposed.
- Keep this report link — it's how you reopen these results later.
- Connect your repo for a deeper scan once that's available.
- Authenticated areas were not tested — review logged-in flows yourself.
Recommended next steps
1. Fix the must-fix findings first.
2. Re-scan after deploying your changes.
3. Do not send production traffic until critical findings are resolved.
Made changes? Confirm them.
Re-scan after deploying to confirm blockers are cleared, then compare against this report.
LaunchGuard helps detect common launch-blocking risks, but no automated scan can guarantee full security. Always review critical findings with a qualified developer before launch.