Core Scan Report
This is an example of what a VAS Core security report looks like. All findings are simulated.
demo-app.vercel.app
Scan completed in 3m 42s
Core Scan includes: Security headers analysis, SSL/TLS configuration, cookie security, secrets detection in JavaScript bundles, database security checks, and common misconfiguration checks.
Critical (1)
Publicly Writable Supabase Table
The "user_profiles" table allows INSERT operations without authentication. Anyone with your Supabase URL can insert arbitrary data into this table.
Evidence
POST /rest/v1/user_profiles returned 201 Created without Authorization header
Remediation
Enable Row Level Security (RLS) on the table and create an INSERT policy. Example:
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can insert own profile" ON user_profiles FOR INSERT TO authenticated WITH CHECK ((select auth.uid()) = user_id);
High (2)
Hardcoded API Key in JavaScript Bundle
A third-party API key was found exposed in the client-side JavaScript bundle. This key could be extracted and abused by attackers.
Evidence
/assets/main-a3f2e1b4.js contains: apiKey: "AIzaSy...redacted"
Remediation
Move the API key to a server-side environment variable. Create a backend API route that proxies requests to the third-party service, keeping the key server-side only.
Missing HttpOnly Flag on Session Cookie
The session cookie is accessible via JavaScript (document.cookie), making it vulnerable to theft through XSS attacks.
Evidence
Set-Cookie: session=eyJhbG...; Path=/; Secure (missing HttpOnly)
Remediation
Add the HttpOnly flag to your session cookie to prevent JavaScript access: Set-Cookie: session=value; HttpOnly; Secure; SameSite=Lax
Medium (3)
Missing Content-Security-Policy Header
No Content-Security-Policy header is set. A CSP helps prevent XSS attacks by controlling which resources the browser is allowed to load.
Evidence
Response headers missing Content-Security-Policy
Remediation
Add a CSP header to your server configuration. For Next.js, add it to the headers configuration in next.config.js. Example: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; Note that 'unsafe-inline' in script-src weakens the XSS protection the policy provides; treat it as a starting point and move to nonces or hashes once inline scripts have been accounted for.
Missing X-Frame-Options Header
The X-Frame-Options header is not set, potentially allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
Evidence
Response headers missing X-Frame-Options
Remediation
Add header: X-Frame-Options: DENY to prevent all framing, or X-Frame-Options: SAMEORIGIN to allow only same-origin framing.
Cookies Missing SameSite Attribute
Cookies are set without the SameSite attribute, which could allow cross-site request forgery (CSRF) attacks in older browsers.
Evidence
Set-Cookie: auth_token=abc123; Secure; HttpOnly (missing SameSite)
Remediation
Add SameSite=Lax (recommended) or SameSite=Strict to all cookies: Set-Cookie: auth_token=abc123; Secure; HttpOnly; SameSite=Lax
Low (2)
Missing X-Content-Type-Options Header
The X-Content-Type-Options header is not set, which could allow MIME type sniffing attacks in older browsers.
Evidence
Response headers missing X-Content-Type-Options
Remediation
Add header: X-Content-Type-Options: nosniff
Missing Referrer-Policy Header
No Referrer-Policy header is set. This controls how much referrer information is shared when navigating away from your site.
Evidence
Response headers missing Referrer-Policy
Remediation
Add header: Referrer-Policy: strict-origin-when-cross-origin
Security Strengths (4)
HTTPS Enabled
All traffic is served over HTTPS with a valid TLS certificate
Strict-Transport-Security Header Present
HSTS header is properly configured with adequate max-age
No Exposed .env or Config Files
Common paths checked for exposed configuration files
No SQL Injection Patterns Detected
No obvious SQL injection vulnerabilities in tested endpoints