Sample launch-readiness report
Plain-English findings for a Next.js app built with AI coding tools.
Launch Readiness Score: 52/100
Three critical issues should be fixed before launch. The biggest risks are exposed secrets, admin access, and payment verification.
3
open findings
2
open findings
3
open findings
0
open findings
Issues
Fix these before launch
Each issue includes the file, the risk, and a prompt you can paste into Cursor, Claude, ChatGPT, Lovable, Bolt, or Replit.
Exposed API key in frontend code
Plain-English explanation
A private API key appears inside a page component that is sent to the browser. A visitor could open browser developer tools or inspect the built JavaScript and copy it.
Why it matters
Someone could use the key as if they were your app, which can lead to unexpected bills, rate-limit problems, or private service access.
Recommended fix
Rotate the exposed key, move the new value into a server-only environment variable, and call the external service from a Next.js API route instead of the page.
Copy-paste AI prompt to fix it
Find the exposed API key in app/dashboard/page.tsx. Move the secret to a server-only environment variable, create a Next.js API route that calls the external service safely, and update the frontend to call our API route instead. Do not expose the key to the browser.
Missing authentication check on admin route
Plain-English explanation
The admin page can render without confirming that the visitor is signed in and has admin access.
Why it matters
A public admin page can expose customer data, internal actions, billing settings, or private business information.
Recommended fix
Add a server-side access check before rendering the page and redirect non-admin users away from the route.
Copy-paste AI prompt to fix it
Add a server-side authentication check to app/admin/page.tsx. Only allow logged-in users with an admin role to view this page. Redirect unauthenticated users to /login and non-admin users to /dashboard. Keep the existing page UI unchanged.
Supabase row-level security not enabled
Plain-English explanation
The scan found Supabase tables without row-level security enabled. That means the database may rely only on app code to keep users away from each other's data.
Why it matters
If a frontend request is changed or an API route is missed, users may be able to read or update records that belong to someone else.
Recommended fix
Enable RLS on user-owned tables and add policies that only allow access when the row belongs to the signed-in user.
Copy-paste AI prompt to fix it
Review supabase/schema.sql and enable row-level security for user-owned tables. Add policies so users can only select, insert, update, and delete rows where user_id matches auth.uid(). Explain any manual Supabase dashboard steps needed.
Stripe webhook signature not verified
Plain-English explanation
The webhook endpoint accepts payment events without verifying that Stripe really sent them.
Why it matters
Attackers could fake payment events and unlock paid features without paying.
Recommended fix
Verify the Stripe signature with the webhook secret before processing events.
Copy-paste AI prompt to fix it
Update app/api/stripe/webhook/route.ts to verify Stripe webhook signatures using STRIPE_WEBHOOK_SECRET. Use the raw request body with stripe.webhooks.constructEvent. Reject invalid signatures with a 400 response. Do not process webhook events unless verification succeeds.
Outdated vulnerable npm package
Plain-English explanation
The dependency scan flagged an old package version, such as axios@0.21.1, that has known security advisories.
Why it matters
Attackers often look for known package vulnerabilities because the exploit details are public and many apps are slow to upgrade.
Recommended fix
Upgrade the vulnerable package to a safe compatible version, update the lockfile, and check the feature that uses it.
Copy-paste AI prompt to fix it
Check package.json for outdated vulnerable dependencies, starting with axios. Upgrade the vulnerable package to a safe compatible version, update the lockfile, and adjust code only if the new version requires it. Run the most targeted verification available.
Debug mode enabled in production
Plain-English explanation
Debug mode appears to be enabled in the app environment. This is useful while building, but it should not be active for real users.
Why it matters
Debug output can reveal internal errors, file paths, request details, or configuration clues that make attacks easier.
Recommended fix
Only allow debug behavior in local development and make sure production uses a quiet, user-safe error mode.
Copy-paste AI prompt to fix it
Find where DEBUG or debug mode is enabled. Make sure debug output only runs in local development and is disabled in production. Do not change unrelated environment variables or deployment settings.
No privacy policy or cookie notice
Plain-English explanation
The app appears to collect user details or use tracking-style cookies, but there is no visible privacy policy or cookie notice.
Why it matters
Users need to understand what data is collected, why it is collected, and whether cookies or analytics are being used.
Recommended fix
Add a simple privacy policy page and show a cookie notice if the app uses analytics, advertising pixels, or non-essential cookies.
Copy-paste AI prompt to fix it
Add a beginner-friendly privacy policy page at /privacy and link to it from the site footer. If analytics or cookies are used, add a simple cookie notice component that appears once and stores dismissal locally. Keep the design consistent with the existing app.
Missing input validation on contact form
Plain-English explanation
The contact form endpoint appears to accept submitted values without checking that the email, name, and message are valid and reasonably sized.
Why it matters
Attackers or bots could send spam, very large messages, invalid emails, or content that breaks downstream tools like email providers and CRMs.
Recommended fix
Validate every contact form field on the server, enforce length limits, reject invalid emails, and return clear errors the frontend can display.
Copy-paste AI prompt to fix it
Add server-side validation to app/api/contact/route.ts. Validate name, email, and message fields, enforce reasonable length limits, reject invalid emails, and return clear error messages. Keep the frontend behavior compatible with the existing contact form.