Sample report — example only

What you get back.

Every finding is named in plain language, ranked by severity, and paired with a concrete fix. Here’s a representative report for a fictional app.

Security & readiness report
acme-invoices.app
Certified tier · checked 12 JUN 2026 · report 4B81-2M
2
High
3
Medium
9
Passed
Critical

Live API secret committed to the repo

A working Stripe secret key is hard-coded in server/config.js. Anyone with repo access — or anyone who finds it in your git history — could charge cards or issue refunds.

FixRemove the key, rotate it in the Stripe dashboard, and load it from an environment variable instead.
High

Admin endpoint reachable without authentication

POST /api/admin/users accepts requests with no session or token check, so any visitor can create or delete user accounts.

FixRequire an authenticated session and verify the admin role on the server before the handler runs.
Medium

User input rendered as raw HTML

Profile bios are inserted into the page without escaping, which lets a user store a script that runs in other people’s browsers (stored XSS).

FixRender user content as text, or escape it on output before inserting it into the page.
Medium

Dependency with a known vulnerability

axios@0.21.1 has a published advisory for server-side request forgery. It’s a transitive dependency, so it’s easy to miss.

FixUpgrade to the latest patched release and turn on automated dependency alerts.
Low

Error responses leak stack traces

API errors return full stack traces to the client, which hands an attacker a map of your file paths and libraries.

FixReturn generic error messages in production and log the details server-side only.
Passed — 9 checks, including
Object storage is private with signed-URL access
Passwords hashed with a modern algorithm
HTTPS enforced across all routes
No other secrets found in source or history

Illustrative findings for a fictional app — not a real assessment

See what your app’s report says.

Check my app