LaunchLock

Launch report

sample data

2 security issues, 0 readiness items

2 root fixes needed on https://demo.launchlock.local. Raw findings are grouped so repeated evidence and context signals do not hide the actual work.

This sample page uses fixture data for product demonstration.

3 of 3 groups

Items needing review

2 items

  • 2 security issues
  • 0 readiness items
  • 3 evidence URLs
  • 72 score / 100
  • 4 stack signals
  • 0 critical
  • 1 high
  • 2 medium
  • 1 low
  • 1 info

Detected stack

Next.js, Vercel, Supabase, Stripe

Scan coverage

partial

Passive public URL scan. Authenticated access-control tests, GitHub/SAST, backend-provider integrations, and active attack checks were not run.

  • 2 ran
  • 1 skipped
  • 0 failed
  • 1/1 passive ran
  • 0/1 external ran

2 fixes to work through

Score is secondary; context-only signals stay visible but are not counted as problems.

Fix first

Security findings

Confirmed and potential security work from passive evidence. Real exposed files, source maps, weak CORS, session storage, headers, TLS, cookies, and DNS/email issues appear here.

Security / high / high confidence

Lock down CORS policy

The API appears to reflect arbitrary origins while also allowing credentials.

Why it matters

A malicious site may be able to read credentialed API responses from users' browsers.

Fix overview

Use an explicit origin allowlist and do not combine broad CORS with credentials.

Verify

  • curl -i -H "Origin: https://launchlock.invalid" https://demo.launchlock.local/api/user

Evidence scope

1 affected URL
  • https://demo.launchlock.local/api/user


Scanner issues and evidence

CORS reflects arbitrary origins

cors / cors.reflected_origin

high

Evidence URLs

  • https://demo.launchlock.local/api/user
{
  "allowOrigin": "https://launchlock.invalid",
  "allowCredentials": true
}

Security / medium / high confidence

Add global security headers

The app is missing headers that reduce clickjacking, MIME sniffing, referrer leakage, and script injection impact.

Why it matters

A browser-side bug can become more damaging when defense-in-depth headers are absent.

Fix overview

Add production headers in Next.js config or at the proxy/hosting layer.

Verify

  • curl -I https://demo.launchlock.local

Evidence scope

1 affected URL
  • https://demo.launchlock.local/


Scanner issues and evidence

Missing browser security headers

headers / headers.missing_required

medium

Evidence URLs

  • https://demo.launchlock.local/
{
  "missingRequired": [
    "content-security-policy",
    "x-frame-options"
  ]
}

Advisory

SEO, AEO, UX, and launch readiness

These are real passive findings, but they are advisory. Treat them as launch cleanup and visibility work, not confirmed security vulnerabilities.

No non-info readiness findings were detected in this passive run.

Context

Context signals

Informational signals explain what LaunchLock observed. They are not counted as problems.

Context / info / medium confidence

Review public network exposure

Expected web ports are visible as context so reviewers can confirm public exposure.

Why it matters

Unexpected public services can expose admin panels, dev servers, databases, caches, or origin infrastructure.

Fix overview

Confirm each host:port is intentional, and keep private/admin services behind a firewall or VPN.

Verify

  • Confirm each reported host:port is intentionally public.

Evidence scope

1 affected URL
  • tcp://demo.launchlock.local:443


Scanner issues and evidence

Public TCP services discovered on target or related hosts

open-port-discovery / open_ports.public_tcp_services

info

Evidence URLs

  • tcp://demo.launchlock.local:443
{
  "hosts": [
    {
      "hostname": "demo.launchlock.local",
      "openPorts": [
        {
          "port": 443,
          "service": "https",
          "severity": "info"
        }
      ]
    }
  ]
}

Scanner runs

This is the coverage audit for this scan. Skipped scanners usually need an API toggle, external binary, provider connection, or target verification.

headers

passive / 1 raw evidence item(s)

completed

ssl-labs

external api / 0 raw evidence item(s)

skipped

SSLLABS_EMAIL is not configured

open-port-discovery

active / 1 raw evidence item(s)

completed

Coverage completeness

partial

  • 2 raw evidence
  • duration: 1020 ms
  • 3 total scanners

Limitations

  • Sample data only.
  • Authenticated tests and provider integrations were not run.

Next actions

  • Run a live scan through the backend.
  • Verify ownership before enabling active authenticated checks.

Ownership verification

unverified

This target is not owner-verified yet, so LaunchLock only runs public passive checks.

Required before active scans

  • Active scans
  • Authenticated scans
  • Provider integrations
  • Production trust badges

DNS TXT record

Add a LaunchLock verification token to the target domain DNS.

HTML file

Upload a verification file to the public web root.

Scope

You may only scan websites and systems you own or are authorized to test.

Disclaimer

Automated security analysis, not a penetration test or professional security guarantee.