Sample dataNot ready to launch yet

Sample launch-readiness report

Plain-English findings for a Next.js app built with AI coding tools.

Rescan Project

Launch Readiness Score: 52/100

52/100
Not ready to launch yet

Three critical issues should be fixed before launch. The biggest risks are exposed secrets, admin access, and payment verification.

Critical

3

open findings

High

2

open findings

Medium

3

open findings

Low

0

open findings

Security
42
Privacy
48
Authentication
38
Database
34
Dependencies
66
Payments
37
Deployment
58

Issues

Fix these before launch

Each issue includes the file, the risk, and a prompt you can paste into Cursor, Claude, ChatGPT, Lovable, Bolt, or Replit.

Criticalapp/dashboard/page.tsx

Exposed API key in frontend code

Plain-English explanation

A private API key appears inside a page component that is sent to the browser. A visitor could open browser developer tools or inspect the built JavaScript and copy it.

Why it matters

Someone could use the key as if they were your app, which can lead to unexpected bills, rate-limit problems, or private service access.

Recommended fix

Rotate the exposed key, move the new value into a server-only environment variable, and call the external service from a Next.js API route instead of the page.

Copy-paste AI prompt to fix it

Find the exposed API key in app/dashboard/page.tsx. Move the secret to a server-only environment variable, create a Next.js API route that calls the external service safely, and update the frontend to call our API route instead. Do not expose the key to the browser.

Criticalapp/admin/page.tsx

Missing authentication check on admin route

Plain-English explanation

The admin page can render without confirming that the visitor is signed in and has admin access.

Why it matters

A public admin page can expose customer data, internal actions, billing settings, or private business information.

Recommended fix

Add a server-side access check before rendering the page and redirect non-admin users away from the route.

Copy-paste AI prompt to fix it

Add a server-side authentication check to app/admin/page.tsx. Only allow logged-in users with an admin role to view this page. Redirect unauthenticated users to /login and non-admin users to /dashboard. Keep the existing page UI unchanged.

Highsupabase/schema.sql

Supabase row-level security not enabled

Plain-English explanation

The scan found Supabase tables without row-level security enabled. That means the database may rely only on app code to keep users away from each other's data.

Why it matters

If a frontend request is changed or an API route is missed, users may be able to read or update records that belong to someone else.

Recommended fix

Enable RLS on user-owned tables and add policies that only allow access when the row belongs to the signed-in user.

Copy-paste AI prompt to fix it

Review supabase/schema.sql and enable row-level security for user-owned tables. Add policies so users can only select, insert, update, and delete rows where user_id matches auth.uid(). Explain any manual Supabase dashboard steps needed.

Criticalapp/api/stripe/webhook/route.ts

Stripe webhook signature not verified

Plain-English explanation

The webhook endpoint accepts payment events without verifying that Stripe really sent them.

Why it matters

Attackers could fake payment events and unlock paid features without paying.

Recommended fix

Verify the Stripe signature with the webhook secret before processing events.

Copy-paste AI prompt to fix it

Update app/api/stripe/webhook/route.ts to verify Stripe webhook signatures using STRIPE_WEBHOOK_SECRET. Use the raw request body with stripe.webhooks.constructEvent. Reject invalid signatures with a 400 response. Do not process webhook events unless verification succeeds.

Mediumpackage.json

Outdated vulnerable npm package

Plain-English explanation

The dependency scan flagged an old package version, such as axios@0.21.1, that has known security advisories.

Why it matters

Attackers often look for known package vulnerabilities because the exploit details are public and many apps are slow to upgrade.

Recommended fix

Upgrade the vulnerable package to a safe compatible version, update the lockfile, and check the feature that uses it.

Copy-paste AI prompt to fix it

Check package.json for outdated vulnerable dependencies, starting with axios. Upgrade the vulnerable package to a safe compatible version, update the lockfile, and adjust code only if the new version requires it. Run the most targeted verification available.

Medium.env.local

Debug mode enabled in production

Plain-English explanation

Debug mode appears to be enabled in the app environment. This is useful while building, but it should not be active for real users.

Why it matters

Debug output can reveal internal errors, file paths, request details, or configuration clues that make attacks easier.

Recommended fix

Only allow debug behavior in local development and make sure production uses a quiet, user-safe error mode.

Copy-paste AI prompt to fix it

Find where DEBUG or debug mode is enabled. Make sure debug output only runs in local development and is disabled in production. Do not change unrelated environment variables or deployment settings.

Mediumapp/layout.tsx

No privacy policy or cookie notice

Plain-English explanation

The app appears to collect user details or use tracking-style cookies, but there is no visible privacy policy or cookie notice.

Why it matters

Users need to understand what data is collected, why it is collected, and whether cookies or analytics are being used.

Recommended fix

Add a simple privacy policy page and show a cookie notice if the app uses analytics, advertising pixels, or non-essential cookies.

Copy-paste AI prompt to fix it

Add a beginner-friendly privacy policy page at /privacy and link to it from the site footer. If analytics or cookies are used, add a simple cookie notice component that appears once and stores dismissal locally. Keep the design consistent with the existing app.

Highapp/api/contact/route.ts

Missing input validation on contact form

Plain-English explanation

The contact form endpoint appears to accept submitted values without checking that the email, name, and message are valid and reasonably sized.

Why it matters

Attackers or bots could send spam, very large messages, invalid emails, or content that breaks downstream tools like email providers and CRMs.

Recommended fix

Validate every contact form field on the server, enforce length limits, reject invalid emails, and return clear errors the frontend can display.

Copy-paste AI prompt to fix it

Add server-side validation to app/api/contact/route.ts. Validate name, email, and message fields, enforce reasonable length limits, reject invalid emails, and return clear error messages. Keep the frontend behavior compatible with the existing contact form.