Sample Report

Security Scan Report

This is an example of what a VAS security report looks like. All findings are simulated.

myapp.com

Scan completed in 22m 14s

Deep Scan
Total: 11 | Critical: 2 | High: 3 | Medium: 4 | Low: 2

Critical (2)

Exposed OpenAI API Key in Client Bundle

An OpenAI secret key (sk-proj-*) was found in the client-side JavaScript bundle. Attackers can extract this key and make unlimited API calls billed to your account. Real-world cases have resulted in $12,000+ bills from automated abuse in a single weekend.

Critical

Evidence

/assets/chat-8f2e1b3c.js line 1247: sk-proj-4f8a2...redacted

Remediation

Remove the OpenAI API key from client code immediately. Create a backend API route (e.g., /api/chat) that proxies requests to OpenAI, keeping the key in a server-side environment variable only.

Missing Row Level Security on users Table

The Supabase "users" table has RLS disabled, allowing any authenticated user to read and modify all user records in the database.

Critical

Evidence

SELECT * FROM users returned 847 rows without RLS restriction

Remediation

Enable RLS on the users table and create policies that restrict access. Example: CREATE POLICY "Users can only access own data" ON users FOR ALL USING (auth.uid() = id);

High (3)

No Rate Limiting on Authentication Endpoint

The /api/auth/login endpoint has no rate limiting, making it vulnerable to brute force attacks and credential stuffing.

High

Evidence

Successfully sent 100 requests in 5 seconds without throttling

Remediation

Implement rate limiting using middleware like express-rate-limit or use Vercel Edge Config. Recommend max 5 attempts per IP per minute.

Supabase Service Role Key in Client Bundle

A Supabase service_role key was found in the client-side JavaScript. This key bypasses all Row Level Security policies, giving full read/write access to every table in the database.

High

Evidence

/assets/index-d4f7e2a1.js contains: eyJhbGciOiJIUzI1NiIs...service_role

Remediation

Replace the service_role key with the anon key in client code. The anon key is safe to expose — it relies on RLS policies for access control. Keep the service_role key server-side only.

IDOR Vulnerability in User Profile Endpoint

The /api/users/[id] endpoint returns user data for any ID without verifying the requesting user has permission to access it.

High

Evidence

GET /api/users/other-user-uuid returned full profile data including email and phone

Remediation

Add authorization checks to verify the authenticated user can only access their own profile, or implement role-based access for admin users.

Medium (4)

Missing Content-Security-Policy Header

No Content-Security-Policy header is set. A CSP header helps prevent XSS attacks by controlling which resources the browser is allowed to load.

Medium

Evidence

Response headers missing Content-Security-Policy

Remediation

Add CSP header: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';

Cookies Missing Secure Flag

Session cookies are being set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections.

Medium

Evidence

Set-Cookie: session=abc123; HttpOnly (missing Secure flag)

Remediation

Add the Secure flag to all cookies: Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax

X-Frame-Options Header Not Set

The X-Frame-Options header is not set, potentially allowing your site to be embedded in iframes on malicious sites (clickjacking).

Medium

Evidence

Response headers missing X-Frame-Options

Remediation

Add header: X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

Verbose Error Messages in Production

API errors return detailed stack traces and internal error messages that could help attackers understand your system.

Medium

Evidence

POST /api/checkout returned: "Error: Cannot read property id of undefined at /app/api/checkout.js:47"

Remediation

Implement proper error handling that logs details server-side but returns generic messages to clients in production.

Low (2)

Missing X-Content-Type-Options Header

The X-Content-Type-Options header is not set, which could allow MIME type sniffing attacks.

Low

Evidence

Response headers missing X-Content-Type-Options

Remediation

Add header: X-Content-Type-Options: nosniff

Server Version Disclosed

The server is disclosing its version in response headers, which could help attackers identify known vulnerabilities.

Low

Evidence

Server: nginx/1.18.0

Remediation

Configure your server to hide version information. For nginx: server_tokens off;

Security Strengths (6)

HTTPS Enabled

All traffic is served over HTTPS with a valid certificate

Strict-Transport-Security Header Present

HSTS header is properly configured

No SQL Injection Vulnerabilities Found

Tested 47 endpoints with common SQL injection payloads

No XSS Vulnerabilities in Forms

Input sanitization appears to be in place

Firebase Security Rules Configured

Firestore rules restrict access appropriately

No Exposed .env Files

Common paths checked for exposed configuration files
