{
  "kind": "safety",
  "host": "yourapp.com",
  "finalUrl": "https://yourapp.com/",
  "score": 76,
  "grade": "B",
  "stack": null,
  "checks": [
    {
      "id": "secrets",
      "label": "Server secrets in the client bundle",
      "max": 26,
      "score": 26,
      "status": "pass",
      "detail": "We checked the HTML and first-party scripts and found no server-secret-shaped tokens.",
      "why": "Anything in the client bundle is public. A leaked server key lets anyone act as your backend.",
      "evidence": []
    },
    {
      "id": "backendConfig",
      "label": "Exposed backend config (Supabase / Firebase)",
      "max": 14,
      "score": 14,
      "status": "pass",
      "detail": "We didn't find an exposed Supabase/Firebase project config in the client bundle.",
      "why": "Anon keys are meant to be public, but if Row-Level Security (Supabase) or security rules (Firebase) are off, anyone holding the key can read or write your whole database.",
      "evidence": []
    },
    {
      "id": "exposedFiles",
      "label": "Publicly served .env / .git",
      "max": 16,
      "score": 16,
      "status": "pass",
      "detail": "We probed /.env and /.git/config and neither was served publicly.",
      "why": "A reachable .env hands over every secret; a reachable .git lets anyone download your whole source history, including commits that once contained credentials.",
      "evidence": []
    },
    {
      "id": "securityHeaders",
      "label": "Security response headers",
      "max": 22,
      "score": 0,
      "status": "fail",
      "detail": "0/5 present — missing: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options (nosniff), Referrer-Policy.",
      "why": "Each header closes a different browser-side hole: Content-Security-Policy limits what injected scripts can do (XSS), HSTS blocks protocol-downgrade attacks, X-Frame-Options stops clickjacking, X-Content-Type-Options stops MIME-sniffing, and Referrer-Policy keeps URLs (and any tokens in them) from leaking to other sites.",
      "evidence": [
        "Content-Security-Policy",
        "Strict-Transport-Security (HSTS)",
        "X-Frame-Options",
        "X-Content-Type-Options (nosniff)",
        "Referrer-Policy"
      ]
    },
    {
      "id": "cors",
      "label": "Cross-origin (CORS) exposure",
      "max": 12,
      "score": 12,
      "status": "pass",
      "detail": "We didn't find a wildcard CORS policy on the main response.",
      "why": "A wildcard or origin-reflecting CORS policy lets scripts on any other website read responses meant only for your own app; it is most dangerous when combined with Access-Control-Allow-Credentials: true, which exposes logged-in users' data.",
      "evidence": []
    },
    {
      "id": "transport",
      "label": "HTTPS transport",
      "max": 6,
      "score": 4,
      "status": "warn",
      "detail": "Served over HTTPS, but no HSTS header to lock future visits to HTTPS.",
      "why": "Without HTTPS, credentials and data can be read or altered on any shared network. Without HSTS, a user's first plain-HTTP request (or a typed http:// URL) can be intercepted before your redirect to HTTPS ever happens.",
      "evidence": []
    },
    {
      "id": "sourceMaps",
      "label": "Exposed source maps",
      "max": 4,
      "score": 4,
      "status": "pass",
      "detail": "We didn't find a publicly fetchable source map.",
      "why": "Public source maps hand attackers your readable source, comments and logic — useful for finding other holes.",
      "evidence": []
    }
  ],
  "fixes": [
    {
      "id": "securityHeaders",
      "title": "Add the missing security headers",
      "detail": "Set them at your host (vercel.json / netlify.toml / nginx) or in your framework's response config. Roll the Content-Security-Policy out as Content-Security-Policy-Report-Only first and tighten it to the exact origins your app loads from; a policy that blocks a script you need breaks the page. Only add the HSTS preload directive once every subdomain serves HTTPS, because removal from the browser preload list takes months.",
      "fix": "// vercel.json — add (or merge) this so every response carries the headers.\n// Tighten the Content-Security-Policy to the exact domains your app loads from.\n{\n  \"headers\": [\n    {\n      \"source\": \"/(.*)\",\n      \"headers\": [\n        {\n          \"key\": \"Content-Security-Policy\",\n          \"value\": \"default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'\"\n        },\n        {\n          \"key\": \"Strict-Transport-Security\",\n          \"value\": \"max-age=63072000; includeSubDomains; preload\"\n        },\n        {\n          \"key\": \"X-Frame-Options\",\n          \"value\": \"SAMEORIGIN\"\n        },\n        {\n          \"key\": \"X-Content-Type-Options\",\n          \"value\": \"nosniff\"\n        },\n        {\n          \"key\": \"Referrer-Policy\",\n          \"value\": \"strict-origin-when-cross-origin\"\n        },\n        {\n          \"key\": \"Permissions-Policy\",\n          \"value\": \"camera=(), microphone=(), geolocation=()\"\n        }\n      ]\n    }\n  ]\n}",
      "fixKind": "headers",
      "impact": 22
    }
  ],
  "summary": {
    "pass": 5,
    "warn": 1,
    "fail": 1
  },
  "narrative": "We checked your app at yourapp.com and found an overall score of 76/100. The checks for server secrets, exposed backend configuration, publicly served .env/.git files, CORS exposure, and exposed source maps passed. However, none of the five recommended security response headers is present, and while your app is served over HTTPS, it lacks an HSTS header to lock future visits to HTTPS.",
  "benchmark": {
    "count": 212,
    "median": 84,
    "percentile": 9
  },
  "recordId": "45453s6j1d5u0r"
}
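The following is an added example, not part of the scan report above and not the scanner's own code. It reproduces the report's securityHeaders and transport checks over a constructed response for https://yourapp.com/ (the header set is made up to match the 0/5 finding), then applies the header rules from the suggested vercel.json fix and re-runs the checks. Assumptions: each required header is judged present-or-absent as the report does, with value validation (a usable HSTS max-age, an exact "nosniff") added on top as this example's own extra step, and Vercel's "source" path matching is approximated with an anchored regular expression rather than the real path-to-regexp rules.

```javascript
// Added example (not the scanner's code): reproduce the securityHeaders and
// transport checks, then re-audit after applying the vercel.json fix rules.

// The five headers the securityHeaders check looks for, lower-cased because
// HTTP header names are case-insensitive and lookups must normalise them.
const REQUIRED_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
];

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Parse a Strict-Transport-Security value. Returns null when the header is
// absent or useless: no max-age, or max-age=0, which tells browsers to forget
// the HSTS entry instead of pinning future visits to HTTPS.
function parseHsts(value) {
  if (!value) return null;
  let maxAge = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim().toLowerCase();
    const m = /^max-age=(\d+)$/.exec(directive);
    if (m) maxAge = Number(m[1]);
    else if (directive === 'includesubdomains') includeSubDomains = true;
    else if (directive === 'preload') preload = true;
  }
  if (maxAge === null || maxAge === 0) return null;
  return { maxAge, includeSubDomains, preload };
}

// Audit one response: count the required headers, flag unusable values, and
// derive the transport status (pass, warn = HTTPS but no usable HSTS, fail = no HTTPS).
function auditHeaders(headers, { https = true } = {}) {
  const h = normalizeHeaders(headers);
  const missing = REQUIRED_HEADERS.filter((name) => !(name in h));
  const hsts = parseHsts(h['strict-transport-security']);
  const problems = [];
  if ('x-content-type-options' in h && h['x-content-type-options'].trim().toLowerCase() !== 'nosniff') {
    problems.push('x-content-type-options must be exactly "nosniff"');
  }
  if ('strict-transport-security' in h && hsts === null) {
    problems.push('strict-transport-security present but max-age is missing or 0');
  }
  return {
    present: REQUIRED_HEADERS.length - missing.length,
    missing,
    problems,
    securityHeaders: missing.length === 0 && problems.length === 0 ? 'pass' : 'fail',
    transport: !https ? 'fail' : hsts ? 'pass' : 'warn',
    hsts,
  };
}

// Apply a vercel.json "headers" block to a request path: every rule whose
// "source" matches contributes its headers (later rules override earlier ones).
// Assumption: "source" is treated as an anchored regex, a simplification.
function applyVercelHeaders(config, path, responseHeaders = {}) {
  const out = { ...responseHeaders };
  for (const rule of config.headers || []) {
    if (!new RegExp('^' + rule.source + '$').test(path)) continue;
    for (const { key, value } of rule.headers) out[key] = value;
  }
  return out;
}

// Constructed "before" response with none of the required headers (0/5).
const BEFORE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'public, max-age=0, must-revalidate',
};

// The header rules from the suggested vercel.json fix, as a parsed object.
const FIX_CONFIG = {
  headers: [{
    source: '/(.*)',
    headers: [
      { key: 'Content-Security-Policy', value: "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" },
      { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
      { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
      { key: 'X-Content-Type-Options', value: 'nosniff' },
      { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
      { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
    ],
  }],
};

// Audit before and after the fix is applied to the "/" response.
function compareFix() {
  return {
    before: auditHeaders(BEFORE),
    after: auditHeaders(applyVercelHeaders(FIX_CONFIG, '/', BEFORE)),
  };
}

console.log(JSON.stringify(compareFix(), null, 2));
```

Run with `node` to see the before/after audit. The value checks matter in practice: a header that is present but malformed (for example `max-age=0`, or `X-Content-Type-Options: nosniff;` with a stray suffix) is counted as present by a naive 5-header tally while giving the browser nothing, so a real scanner should validate values, not just names.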