Security score · higher is better
Fix before launch
We found issues to fix before you send real traffic.
- Domain: Your App
- Scanned: May 20, 2026
- Scan type: External scan · no login
14 security areas checked
Findings
99 is the highest score for this external scan.
Fix before launch. Fix must-fix items first, then re-scan after deploying changes.
Security score breakdown
12 areas · sorted by priority
Every public-surface area this scan graded, most important first. Open a row to see what was found and jump to the details.
1 issue to fix before launch — see findings below
Some areas could not be tested during this scan. This can happen if the site blocked requests, timed out, or the scan budget was reached. Re-run the scan to try again.
Must fix before launch (1)
Critical and high-severity issues. Fix these before sending traffic.
/api/profiles returned JSON containing personal fields without authentication. If this isn't meant to be public, require a login first.
Evidence
- status
- 200
- sensitive fields
- email, name, user_id
Why it matters
Public API routes that return user, customer, or admin data without a login let anyone read information meant to be private.
Recommendation
Require authentication and authorization before returning this data. Confirm that anonymous requests receive 401, and that a logged-in user asking for someone else's record receives 403 rather than the data.
Where to fix it
Add an authentication and authorization check inside the API route handler (Next.js route handler or server action) before it returns any data.
Paste this into Claude Code, Cursor, or your AI coding tool
Review this public API route. Confirm whether it should be accessible without authentication. If it returns user, customer, case, payment, or admin data, require authentication and authorization before returning the response. Add tests that unauthenticated requests receive 401 or 403.
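Worked example of the fix the recommendation describes, added here as an illustration (it is not GuardMint's code and not code from the scanned app). It shows the two gates a handler for /api/profiles needs in the order they must run: authentication (who is calling, 401 if nobody) before any data is read, then authorization (may this caller read this record, 403 if not). The session table, the profile records, the `session` cookie name, the `user_id` query parameter and the "a user reads only their own profile unless they are an admin" rule are assumptions made for the example; the request shape is kept structurally compatible with the Web `Request` a Next.js route handler receives so the same function can be called from one.

```typescript
// Added example, not GuardMint's or the scanned app's code. The session store,
// user records and the admin rule below are assumptions for illustration.

type Role = "user" | "admin";

interface Profile {
  user_id: string;
  name: string;
  email: string;
  role: Role;
}

// Structurally compatible with the Web `Request` a Next.js route handler gets.
interface IncomingRequest {
  url: string;
  headers: { get(name: string): string | null };
}

interface ApiResult {
  status: 200 | 401 | 403 | 404;
  body: Record<string, unknown>;
}

// Constructed sample data standing in for a real database.
const PROFILES: Record<string, Profile> = {
  u1: { user_id: "u1", name: "Alice", email: "alice@example.com", role: "user" },
  u2: { user_id: "u2", name: "Bob", email: "bob@example.com", role: "user" },
  u9: { user_id: "u9", name: "Root", email: "root@example.com", role: "admin" },
};

// Constructed session table: opaque cookie value -> user_id.
const SESSIONS: Record<string, string> = {
  "s-alice-7f3a": "u1",
  "s-root-91c0": "u9",
};

// Pull the `session` cookie out of a Cookie header; null if it is absent.
function readSessionCookie(cookieHeader: string | null): string | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "session" && rest.length > 0) return rest.join("=");
  }
  return null;
}

// Authentication: who is making the request? null means anonymous.
function authenticate(req: IncomingRequest): Profile | null {
  const token = readSessionCookie(req.headers.get("cookie"));
  if (!token) return null;
  const userId = SESSIONS[token];
  return userId ? (PROFILES[userId] ?? null) : null;
}

// Authorization: may `actor` read `targetId`'s profile? Own record or admin only.
function canReadProfile(actor: Profile, targetId: string): boolean {
  return actor.user_id === targetId || actor.role === "admin";
}

// Route logic for GET /api/profiles[?user_id=...]. Anonymous callers get 401
// before any record is touched; authenticated callers get 403 for records they
// may not read. A non-admin asking for a foreign or unknown id always sees 403,
// so the endpoint cannot be used to enumerate which user_ids exist.
function handleProfiles(req: IncomingRequest): ApiResult {
  const actor = authenticate(req);
  if (!actor) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const targetId = new URL(req.url).searchParams.get("user_id") ?? actor.user_id;
  if (!canReadProfile(actor, targetId)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const profile = PROFILES[targetId];
  if (!profile) {
    return { status: 404, body: { error: "not found" } };
  }
  // Return an explicit allow-list of fields, never the whole record (no role, no hashes).
  const { user_id, name, email } = profile;
  return { status: 200, body: { user_id, name, email } };
}

// Constructed request builder for exercising the handler without a server.
function fakeRequest(url: string, cookie?: string): IncomingRequest {
  const headers = new Map<string, string>();
  if (cookie) headers.set("cookie", cookie);
  return {
    url,
    headers: { get: (name: string) => headers.get(name.toLowerCase()) ?? null },
  };
}
```

In an app the route file `app/api/profiles/route.ts` would wrap this as `export function GET(request: Request) { const r = handleProfiles(request); return Response.json(r.body, { status: r.status }); }` (assumed wiring, shown here for orientation). Keeping the gate in a pure function is what makes the report's "add tests that unauthenticated requests receive 401 or 403" cheap: the same function is called once with no cookie, once with a valid cookie for a foreign `user_id`, and once with a valid cookie for the caller's own record, and each status is asserted.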
Should fix (1)
Medium-severity issues worth resolving before a wider launch.
Nice to have / hardening (1)
Low-severity and informational items — not launch blockers.
Your Claude Code fix plan
Prioritized prompts you can paste into Claude Code or Cursor, top to bottom.
Phase 2 — High priority
1. Public API returns user or business data
Phase 3 — Medium & low
1. Missing Content-Security-Policy
Phase 4 — Retest checklist
After fixing, re-run the scan and confirm your score improved and the must-fix finding no longer appears. The full checklist is included in the copied plan.
Scan limits
This was an unauthenticated external scan. It did not log in, submit forms, inspect private source code, or run dependency/CVE analysis.
Launch checklist
Use this checklist to decide whether the app is ready to be shown to users. Scanner-derived checks are based on this scan; manual reminders are items you should confirm before launch.
Launch blockers
No critical or high-risk findings
Action needed: 1 must-fix finding to resolve — see the Security Check tab.
No exposed secrets or config files
No issue detected: no leaked secrets or exposed config files detected.
No public API or data exposure
Action needed: public API or data exposure detected — fix before launch.
No insecure session configuration
No issue detected: no insecure session cookies observed.
Trust & legal basics
Privacy policy page
No issue detected: a privacy policy page was reachable.
Terms page
No issue detected: a terms page was reachable.
Contact page
Needs review: no contact page found — add one before launch.
Domain & communication
HTTPS enabled
No issue detected: no insecure transport or mixed-content issues detected.
SPF & DMARC configured
Needs review: email/DNS records (SPF, DMARC, CAA) to review — see notes below.
Manual operational reminders
Confirm these yourself before launch — the scanner does not verify them.
Production environment variables reviewed
Manual check: confirm production uses server-only secrets and no keys are committed to the repo.
Error monitoring / logging enabled
Manual check: confirm errors are captured server-side and never shown to users.
Backup or rollback plan exists
Manual check: confirm you can restore data and roll back a bad deploy.
Analytics, cookie & privacy notices reviewed
Manual check: if you use analytics or cookies, confirm the required notices or consent are in place.
Not fully checked in this scan
Outside this external scan — not a pass or a failure. Review these separately.
DNSSEC
Outside this scan: not reliably checkable from this external scan — confirm with your DNS provider.
DKIM email signing
Outside this scan: provider-specific selectors aren't checked — confirm with your email provider.
Accessibility
Outside this scan: not part of this security scan — review separately before launch.
Payment / checkout flow
Outside this scan: not exercised by this external scan — test the flow end-to-end yourself.
App-specific authorization & business logic
Outside this scan: logged-in and role-specific flows aren't tested — verify your access rules yourself.
Privacy & readiness notes (2)
Re-scanning & coverage
- Re-scan after every deploy to confirm nothing new is exposed.
- Keep this report link — it's how you reopen these results later.
- Connect your repo for a deeper scan once that's available.
- Authenticated areas were not tested — review logged-in flows yourself.
Recommended next steps
1. Fix the must-fix findings first.
2. Re-scan after deploying your changes.
3. Do not send production traffic until critical findings are resolved.
Made changes? Confirm them.
Re-scan after deploying to confirm blockers are cleared, then compare against this report.
GuardMint helps detect common launch-blocking risks, but no automated scan can guarantee full security. Always review critical findings with a qualified developer before launch.