Product · AI-Ready Fixes
Findings your AI agent can actually ship.
Every finding includes a structured fix block — the exact change, the pre-flight checks, the conditions where it would break things, and a safe-to-apply flag. Paste it into Claude, Cursor, or Windsurf and the fix lands without surprises.
- Structured `Fix` / `Before applying` / `Do NOT apply if` / `Safe to apply` blocks
- Optimized for Claude Code, Cursor, Windsurf, and Copilot
- Includes the actual code change, not just a description
- Flags context-dependent fixes so AI doesn't break your app
## Fix
Add to next.config.js headers():
{ key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload' }
## Before applying
- Confirm site is served over HTTPS only.
- Check no http:// subdomains are in use.
## Do NOT apply if
- You serve any subdomain over plain HTTP.
## Safe to apply
✓ This header is purely additive on HTTPS.

How it works
3 steps to your first result.
1. Scan your app
   Every VAS finding ships with the fix block already attached — no extra step.
2. Export or copy the block
   Download the report as Markdown, or copy individual fix blocks from the finding view.
3. Paste into your AI tool
   Claude/Cursor read the structure and apply the fix — or refuse if a `Do NOT apply if` condition is true.
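
The gating described in step 3, as an added example (not VAS code and not how any particular AI tool behaves): it parses the fix block shown above and refuses, asks, or applies based on the `Before applying` and `Do NOT apply if` sections. `parseFixBlock`, `decide` and the `answers` map are hypothetical names, and treating an unchecked item as "ask" is an assumption of this example.

```javascript
// Added example, not vendor code. Section names are taken from the page;
// parseFixBlock, decide and the `answers` map are hypothetical names.
const SECTIONS = ['Fix', 'Before applying', 'Do NOT apply if', 'Safe to apply'];

// Sample input: the fix block shown on the page.
const SAMPLE = `## Fix
Add to next.config.js headers():
{ key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload' }
## Before applying
- Confirm site is served over HTTPS only.
- Check no http:// subdomains are in use.
## Do NOT apply if
- You serve any subdomain over plain HTTP.
## Safe to apply
✓ This header is purely additive on HTTPS.`;

function parseFixBlock(markdown) {
  const block = {};
  let current = null;
  for (const raw of markdown.split(/\r?\n/)) {
    const line = raw.trim();
    const heading = /^##\s+(.+)$/.exec(line);
    if (heading) {
      // An unknown heading closes the current section rather than leaking into it.
      current = SECTIONS.includes(heading[1]) ? heading[1] : null;
      if (current) block[current] = [];
    } else if (current && line) {
      block[current].push(line.replace(/^[-*]\s+/, ''));
    }
  }
  return block;
}

// answers[text] is true/false once verified; a missing entry means "not checked yet".
// The `Safe to apply` note is parsed but never overrides a listed condition.
function decide(block, answers = {}) {
  if (!(block['Fix'] || []).length) return { action: 'refuse', reason: 'no Fix section' };
  const blockers = block['Do NOT apply if'] || [];
  const checks = block['Before applying'] || [];
  const hit = blockers.find((c) => answers[c] === true) || checks.find((c) => answers[c] === false);
  if (hit) return { action: 'refuse', reason: hit };
  const pending = [...checks.filter((c) => answers[c] !== true),
                   ...blockers.filter((c) => answers[c] !== false)];
  if (pending.length) return { action: 'ask', pending };
  return { action: 'apply', change: block['Fix'].join('\n') };
}
```

With no answers supplied, `decide(parseFixBlock(SAMPLE))` returns `ask` with all three items pending, so the HSTS change is held until the HTTPS-only checks are confirmed.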
What you get
Actual code, not advice
We don't say 'add HSTS' — we give you the literal config line for your framework.
Pre-flight checks
`Before applying` calls out what to verify first — e.g., 'confirm HTTPS-only' before HSTS.
Refusal conditions
`Do NOT apply if` lists exactly when the fix would break the app — e.g., HttpOnly cookies that JS needs to read.
Safe-to-apply flag
Fixes with no possible side effects (X-Content-Type-Options, etc.) get a green light so agents can ship them blindly.
Framework-aware
Next.js gets `next.config.js`; Vercel gets `vercel.json`; Cloudflare gets a Worker snippet. We detect what you ship on.
AI-first formatting
Markdown with consistent headers — designed to be the most predictable input AI tools have ever read.
Frequently asked
- Why structured blocks instead of plain explanations?
- Because AI agents act on what they read. A plain description gets paraphrased and sometimes wrong. A structured block with a clear schema gets applied the same way every time, by every model.
- Can I export all fixes at once?
- Yes. Every report exports as a single Markdown file. Drop it into a `findings.md` at the repo root and tell Claude to work through it top to bottom.
- What if the fix would break my app?
- That's what `Do NOT apply if` is for. We call out the context-dependent cases (HttpOnly cookies your JS reads, HSTS on non-HTTPS subdomains, COOP with OAuth popups) so a good agent refuses and asks first.