This is an example of what a VAS security report looks like. All findings are simulated.
Scan completed in 22m 14s
A Stripe secret key (sk_live_*) was found in the JavaScript bundle. This key provides full access to your Stripe account including the ability to create charges, refunds, and access customer data.
Evidence
/assets/index-d4f7e2a1.js line 1247: sk_live_51H7...redacted
Remediation
Move the Stripe secret key to a server-side environment variable. Use the publishable key (pk_live_*) on the client side and handle payments through a backend API route.
The Supabase "users" table has RLS disabled, allowing any authenticated user to read and modify all user records in the database.
Evidence
SELECT * FROM users returned 847 rows without RLS restriction
Remediation
Enable RLS on the users table and create policies that restrict access, and keep the service_role key (which bypasses RLS) server-side only. Example, assuming the id column holds the Supabase auth user id:
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can only access own data" ON users FOR ALL TO authenticated USING (auth.uid() = id) WITH CHECK (auth.uid() = id);
The /api/auth/login endpoint has no rate limiting, making it vulnerable to brute force attacks and credential stuffing.
Evidence
Successfully sent 100 requests in 5 seconds without throttling
Remediation
Implement rate limiting in front of the login route, for example with the express-rate-limit middleware, or with a counter in a shared store such as Redis on serverless platforms where per-instance memory is not shared between instances. Recommended starting point: at most 5 attempts per IP per minute, with a parallel per-account limit so that credential stuffing spread across many IPs is also caught.
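One way to implement the limit described above, as an added example (not code from the report or from express-rate-limit): a fixed-window limiter keyed on both client IP and submitted username, with an injectable clock so the window behaviour can be exercised offline. The request shape (req.ip, req.body.username) and the 5-per-minute numbers are assumptions taken from the remediation text.

```javascript
// Added example, not code from the VAS report: a fixed-window limiter for
// /api/auth/login, 5 attempts per key per minute, keyed on both client IP and
// submitted username so credential stuffing spread across many IPs still trips
// the per-account limit. Dependency-free; the Map is per process, so on a
// serverless platform swap it for a shared store (e.g. Redis) with the same hit().

const WINDOW_MS = 60 * 1000;
const MAX_ATTEMPTS = 5;

class FixedWindowLimiter {
  constructor(max = MAX_ATTEMPTS, windowMs = WINDOW_MS, now = () => Date.now()) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock, so the window logic is testable
    this.buckets = new Map();  // key -> { count, windowStart }
  }

  // Records one attempt for `key` unless the window is exhausted.
  // Returns { allowed, remaining, retryAfterSec }.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t };
      this.buckets.set(key, b);
    }
    if (b.count >= this.max) {
      const retryAfterSec = Math.ceil((b.windowStart + this.windowMs - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    b.count += 1;
    return { allowed: true, remaining: this.max - b.count, retryAfterSec: 0 };
  }
}

// Express-style middleware: (req, res, next). Uses req.ip, req.body.username,
// res.set/status/json. Responds 429 with Retry-After when either limit is hit.
function loginRateLimit(ipLimiter = new FixedWindowLimiter(), userLimiter = new FixedWindowLimiter()) {
  return function (req, res, next) {
    const results = [ipLimiter.hit(`ip:${req.ip}`)];
    const username = req.body && req.body.username;
    if (username) results.push(userLimiter.hit(`user:${String(username).toLowerCase()}`));
    const blocked = results.find(r => !r.allowed);
    if (blocked) {
      res.set('Retry-After', String(blocked.retryAfterSec));
      return res.status(429).json({ error: 'Too many login attempts, try again later' });
    }
    return next();
  };
}

// Drives the middleware with constructed req/res objects and a fake clock;
// returns the HTTP status each attempt would receive.
function simulate(attempts) {
  let now = 0;
  const clock = () => now;
  const mw = loginRateLimit(
    new FixedWindowLimiter(MAX_ATTEMPTS, WINDOW_MS, clock),
    new FixedWindowLimiter(MAX_ATTEMPTS, WINDOW_MS, clock),
  );
  return attempts.map(({ ip, username, atMs }) => {
    now = atMs;
    let status = 200;
    const res = {
      set() { return this; },
      status(code) { status = code; return this; },
      json() { return this; },
    };
    mw({ ip, body: { username } }, res, () => {});
    return status;
  });
}

// Constructed scenario: six tries from one IP in five seconds, then one more
// after the window resets.
const SAME_IP = Array.from({ length: 6 }, (_, i) => ({ ip: '203.0.113.7', username: 'alice', atMs: i * 1000 }))
  .concat([{ ip: '203.0.113.7', username: 'alice', atMs: 61000 }]);

// Constructed scenario: six tries at one account from six different IPs.
const SPREAD_IPS = Array.from({ length: 6 }, (_, i) => ({ ip: `198.51.100.${i}`, username: 'bob', atMs: i * 500 }));
```

The per-account key is what makes the second scenario fail on the sixth attempt even though every request comes from a fresh IP; a limiter keyed on IP alone would let all six through.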
An OpenAI API key was found in the client-side JavaScript. Attackers can use this key to make API calls billed to your account.
Evidence
/assets/chat-8f2e1b3c.js contains: sk-proj-...redacted
Remediation
Remove the API key from client code. Create a backend API route that proxies requests to OpenAI, keeping the key server-side only.
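The check behind the Stripe and OpenAI key findings above, written out as an added example (not the scanner's own code): scan built client assets for secret-key shapes and report redacted evidence in the same form the report uses. The regexes are assumptions about current key formats and the sample bundle is constructed.

```javascript
// Added example, not code from the VAS report: a scanner for built client
// assets that reports Stripe secret keys and OpenAI API keys with redacted
// evidence, the check that produced findings 1 and 4 above. The key-shape
// patterns are assumptions; adjust them for the providers your app uses.

const SECRET_PATTERNS = [
  // Stripe secret keys must never reach the browser; publishable keys
  // (pk_live_/pk_test_) are the client-side credential and are not flagged.
  { type: 'Stripe live secret key', re: /\bsk_live_[0-9A-Za-z]{10,}\b/g },
  { type: 'Stripe test secret key', re: /\bsk_test_[0-9A-Za-z]{10,}\b/g },
  // OpenAI keys: legacy "sk-..." and project-scoped "sk-proj-..." forms.
  { type: 'OpenAI API key', re: /\bsk-(?:proj-)?[0-9A-Za-z_-]{20,}\b/g },
];

// Keep only enough prefix to identify the key type; never log the full secret.
function redact(token) {
  return token.slice(0, 12) + '...redacted';
}

// Scans one file's contents line by line and returns one finding per match.
function scanBundle(path, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { type, re } of SECRET_PATTERNS) {
      re.lastIndex = 0;              // global regex: reset between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ type, path, line: idx + 1, evidence: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed three-line "bundle" with one publishable key (fine) and two
// secrets that should never be shipped to the client.
const SAMPLE_BUNDLE = [
  'const stripe=Stripe("pk_live_AbCdEfGhIjKlMnOpQrSt");',
  'fetch("https://api.stripe.com/v1/charges",{headers:{Authorization:"Bearer sk_live_51H7xQ2kZpLmNoPqRsTuVwXyZ01234"}});',
  'const client=new OpenAI({apiKey:"sk-proj-Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56",dangerouslyAllowBrowser:true});',
].join('\n');

function sampleReport() {
  return scanBundle('/assets/index.js', SAMPLE_BUNDLE);
}
```

Run this over the output directory of a production build rather than the source tree: bundlers inline environment variables at build time, so a key that looks server-side in source can still end up in a client chunk.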
The /api/users/[id] endpoint returns user data for any ID without verifying the requesting user has permission to access it.
Evidence
GET /api/users/other-user-uuid returned full profile data including email and phone
Remediation
Add an authorization check in the handler: the authenticated user's id must match the requested id, or the user must hold an admin role. Unguessable ids are not a substitute for this check; the evidence above used another user's UUID directly.
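The ownership-or-admin check for /api/users/[id], as an added example that is not the report's or any framework's code. The session shape ({ userId, role }), the in-memory user store and the decision to answer 404 rather than 403 for other users' ids are assumptions.

```javascript
// Added example, not code from the VAS report: authorization for
// GET /api/users/[id]. A user may read their own profile; an admin may read
// any profile; everyone else gets 404 so the response does not confirm
// that the id exists. Session shape and store are assumptions.

const ADMIN_ROLE = 'admin';

function canReadProfile(session, requestedId) {
  if (!session || !session.userId) return false;   // unauthenticated
  if (session.role === ADMIN_ROLE) return true;    // admin may read anyone
  return session.userId === requestedId;           // otherwise only self
}

// Explicit field list: credentials and other internal columns never leave
// the server, whichever role is reading.
function publicProfile(user) {
  const { id, displayName, email, phone } = user;
  return { id, displayName, email, phone };
}

// Constructed in-memory store standing in for the users table.
const USERS = new Map([
  ['u-1', { id: 'u-1', displayName: 'Alice', email: 'alice@example.com', phone: '+1-555-0100', passwordHash: 'x' }],
  ['u-2', { id: 'u-2', displayName: 'Bob', email: 'bob@example.com', phone: '+1-555-0101', passwordHash: 'y' }],
]);

// Returns { status, body } so it can be exercised without a web framework;
// a real route handler would write these to the response.
function handleGetUser(session, requestedId, store = USERS) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: 'Authentication required' } };
  }
  if (!canReadProfile(session, requestedId)) {
    return { status: 404, body: { error: 'Not found' } };
  }
  const user = store.get(requestedId);
  if (!user) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: publicProfile(user) };
}
```

The session must come from a server-verified cookie or token, never from a field in the request body or query string, otherwise the check is trivially bypassed. Where the data lives in Supabase, this handler-level check complements the RLS policy from finding 2 rather than replacing it.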
No Content-Security-Policy header is set. A CSP limits which resources the browser may load and which scripts may run, which blunts XSS even when an injection bug exists.
Evidence
Response headers missing Content-Security-Policy
Remediation
Add a CSP header. Minimal starting point: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'. If inline scripts or styles cannot be removed yet, allow them with a per-response nonce or a hash rather than 'unsafe-inline': 'unsafe-inline' in script-src lets injected inline scripts execute and removes most of the XSS protection the header is meant to provide.
Session cookies are being set without the Secure flag, allowing them to be transmitted over unencrypted HTTP connections.
Evidence
Set-Cookie: session=abc123; HttpOnly (missing Secure flag)
Remediation
Add the Secure flag to all cookies: Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax
The X-Frame-Options header is not set, potentially allowing your site to be embedded in iframes on malicious sites (clickjacking).
Evidence
Response headers missing X-Frame-Options
Remediation
Add header: X-Frame-Options: DENY (or X-Frame-Options: SAMEORIGIN if the site frames its own pages). Modern browsers honour the CSP frame-ancestors directive in preference to X-Frame-Options, so also set frame-ancestors 'none' (or 'self') once a CSP is in place.
API errors return detailed stack traces and internal error messages that could help attackers understand your system.
Evidence
POST /api/checkout returned: "Error: Cannot read property id of undefined at /app/api/checkout.js:47"
Remediation
Implement proper error handling that logs details server-side but returns generic messages to clients in production.
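An error wrapper that does what the remediation asks, as an added example (not the report's code): full detail goes to the server log under a correlation id, the client receives a generic message carrying only that id, and only errors the handler deliberately marks as public are exposed. The handler, logger and id generator are assumptions; the checkout handler is constructed to reproduce the undefined-property failure in the evidence.

```javascript
// Added example, not code from the VAS report: production-safe error
// responses for API routes. Stack traces and internal messages are logged
// server-side with a correlation id; the client gets a generic message plus
// the id so a support ticket can be matched to the log line.

// Errors a handler intends the client to see (validation, not-found, ...).
class HttpError extends Error {
  constructor(status, publicMessage) {
    super(publicMessage);
    this.status = status;
    this.expose = true;
  }
}

// Simple monotonic id for the example; a real service would use a request id
// from the platform or crypto.randomUUID().
let idCounter = 0;
function nextCorrelationId() {
  idCounter += 1;
  return `req-${idCounter}`;
}

// Maps a thrown error to { status, body }. `log` and `newId` are injectable.
function errorResponse(err, { production = true, log = console.error, newId = nextCorrelationId } = {}) {
  const correlationId = newId();
  // Full detail stays on the server.
  log({ level: 'error', correlationId, message: err.message, stack: err.stack });

  if (err instanceof HttpError && err.expose) {
    return { status: err.status, body: { error: err.message, correlationId } };
  }
  if (production) {
    return { status: 500, body: { error: 'Internal server error', correlationId } };
  }
  // Development only: surface the detail to speed up debugging.
  return { status: 500, body: { error: err.message, stack: err.stack, correlationId } };
}

// Wraps a synchronous handler (kept synchronous so the example runs without
// an event loop harness); for async handlers, await inside the try.
function withErrorHandling(handler, opts) {
  return function (req) {
    try {
      return handler(req);
    } catch (err) {
      return errorResponse(err, opts);
    }
  };
}

// Constructed handler reproducing the finding: reads .id of an undefined item
// when the client omits it from the body.
function checkoutHandler(req) {
  if (!req.body) throw new HttpError(400, 'Request body required');
  const item = req.body.item;
  return { status: 200, body: { itemId: item.id } };
}
```

Pairing the generic message with a correlation id is what keeps the production response debuggable: the operator searches the log for the id the customer quotes instead of the customer reading the stack trace.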
The X-Content-Type-Options header is not set, which could allow MIME type sniffing attacks.
Evidence
Response headers missing X-Content-Type-Options
Remediation
Add header: X-Content-Type-Options: nosniff
The server is disclosing its version in response headers, which could help attackers identify known vulnerabilities.
Evidence
Server: nginx/1.18.0
Remediation
Configure your server to hide version information. For nginx: server_tokens off; (nginx then still sends Server: nginx; removing the header entirely needs a third-party module such as headers-more).
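The header and cookie findings above (CSP, Secure flag, X-Frame-Options, X-Content-Type-Options, Server version) share one check, so here is a single added example covering all of them rather than one per finding: an audit function over a response's headers, beside the hardened header set a server should send. This is not the scanner's code; the header values are assumptions for a site that serves its own scripts, and the two sample responses are constructed.

```javascript
// Added example, not code from the VAS report: audits a response's headers
// for the header and cookie findings above and produces a hardened header set.
// The CSP below uses a per-response nonce instead of 'unsafe-inline' so that
// injected inline scripts are not executed; tune it to the application.

function securityHeaders(nonce) {
  return {
    'content-security-policy':
      `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self'; ` +
      `object-src 'none'; base-uri 'self'; frame-ancestors 'none'`,
    'x-frame-options': 'DENY',
    'x-content-type-options': 'nosniff',
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
  };
}

// `headers` maps lowercase header name -> string or array of strings
// (Set-Cookie may repeat). Returns one finding object per problem.
function auditHeaders(headers) {
  const get = name => headers[name.toLowerCase()];
  const findings = [];

  const csp = get('content-security-policy');
  if (!csp) {
    findings.push({ check: 'csp', detail: 'Content-Security-Policy missing' });
  } else if (/script-src[^;]*'unsafe-inline'/.test(csp) && !/'nonce-|'sha(256|384|512)-/.test(csp)) {
    // With a nonce or hash present browsers ignore 'unsafe-inline', so only
    // flag it when it is the sole thing permitting inline script.
    findings.push({ check: 'csp', detail: "script-src allows 'unsafe-inline' without a nonce or hash" });
  }

  if (!get('x-frame-options') && !/frame-ancestors/.test(csp || '')) {
    findings.push({ check: 'x-frame-options', detail: 'X-Frame-Options missing and CSP has no frame-ancestors' });
  }

  if ((get('x-content-type-options') || '').toLowerCase() !== 'nosniff') {
    findings.push({ check: 'x-content-type-options', detail: 'X-Content-Type-Options: nosniff missing' });
  }

  const server = get('server');
  if (server && /\d+\.\d+/.test(server)) {
    findings.push({ check: 'server', detail: `Server header discloses version: ${server}` });
  }

  const cookies = [].concat(get('set-cookie') || []);
  for (const cookie of cookies) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map(a => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push({ check: 'cookie', detail: `${name}: missing Secure` });
    if (!attrs.includes('httponly')) findings.push({ check: 'cookie', detail: `${name}: missing HttpOnly` });
    if (!attrs.some(a => a.startsWith('samesite='))) findings.push({ check: 'cookie', detail: `${name}: missing SameSite` });
  }
  return findings;
}

// Constructed response headers reproducing the report's findings.
const WEAK_RESPONSE = {
  'server': 'nginx/1.18.0',
  'set-cookie': ['session=abc123; HttpOnly'],
  'content-type': 'text/html',
};

// Constructed response after the remediations are applied.
const HARDENED_RESPONSE = {
  ...securityHeaders('r4nd0mN0nc3'),
  'server': 'nginx',
  'set-cookie': ['session=abc123; HttpOnly; Secure; SameSite=Lax'],
};
```

The nonce must be generated fresh per response from a CSPRNG and placed on every legitimate inline script tag; a static or predictable nonce gives the attacker the same permission it gives your own scripts.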
HTTPS Enabled
All traffic is served over HTTPS with a valid certificate
Strict-Transport-Security Header Present
HSTS header is properly configured
No SQL Injection Vulnerabilities Found
Tested 47 endpoints with common SQL injection payloads
No XSS Vulnerabilities in Forms
Input sanitization appears to be in place
Firebase Security Rules Configured
Firestore rules restrict access appropriately
No Exposed .env Files
Common paths checked for exposed configuration files
Get a comprehensive security report for your application in minutes.