What you get back.
Every finding is named in plain language, ranked by severity, and paired with a concrete fix. Here’s a representative report for a fictional app.
Live API secret committed to the repo
A working Stripe secret key is hard-coded in server/config.js. Anyone with repo access — or anyone who finds it in your git history — could charge cards or issue refunds.
Admin endpoint reachable without authentication
POST /api/admin/users accepts requests with no session or token check, so any visitor can create or delete user accounts.
User input rendered as raw HTML
Profile bios are inserted into the page without escaping, which lets a user store a script that runs in other people’s browsers (stored XSS).
Dependency with a known vulnerability
axios@0.21.1 has a published advisory for server-side request forgery. It’s a transitive dependency, so it’s easy to miss.
Error responses leak stack traces
API errors return full stack traces to the client, which hands an attacker a map of your file paths and libraries.
Illustrative findings for a fictional app — not a real assessment