Tell Me When Down
← All guides

Understand your findings

A finding is one specific, checkable problem with your app — not a vague 'improve your security posture'. Each one says what it means, why it matters, and exactly how to fix it.

Severities

  • Critical — actively dangerous right now: an exposed .env, a leaked secret, a known-exploited dependency. Fix these first; one open critical caps your grade at F.
  • Warning — a real gap an attacker can lean on, worth fixing this week. Missing CSP, no DMARC, a cookie without HttpOnly.
  • Info — hardening. Nice to close, never an emergency.

Your grade

The letter grade summarizes everything currently open: start at 100, lose 35 per critical, 7 per warning, a little for infos — A is 90+, B is 75+, C is 60+, D is 40+. It's designed so a handful of hardening warnings reads as a B or C ("solid, some homework"), while anything truly dangerous is unmissable.

What we check

  • Headers security headers your responses should send (CSP, HSTS, and friends)
  • Exposed files things that should never be public — .env files, git folders, database dumps
  • Open surfaces admin panels, debug pages, and status endpoints reachable by anyone
  • Dependencies packages in your lockfile with known vulnerabilities (CVEs)
  • Secrets API keys and credentials committed to your repo
  • Email protection SPF and DMARC — whether strangers can send mail as your domain
  • TLS certificate health and encryption setup
  • DNS DNSSEC and CAA — hardening for your domain itself
  • Attack surface subdomains you may have forgotten, found via certificate logs
  • Cookies missing Secure/HttpOnly/SameSite protections
  • Content mixed content and risky third-party scripts

Exposed-files and open-surface probes run only after you've verified ownership; dependency and secret findings need a connected repo. Everything else runs for every app from day one.

Fixing things: copy for your AI tool

Every finding has a paste-ready fix. Click Copy for your AI tool and paste it into Claude Code, Cursor, or whatever built your app — the prompt carries the context your AI needs to apply the fix to your codebase. There's also a copy-all button that bundles every open finding into one paste.

One exception to "just paste it": a leaked secret is not fixed by deleting the file. Rotate the credential itself — anything that has ever appeared in a commit is burned. The fix prompt reminds you of this.

Findings resolve themselves

You never have to mark anything done. Deploy the fix, and the next scan sees the problem is gone and moves the finding to resolved on its own. Impatient? Scan now on the app page re-checks immediately. And a scan that couldn't reach your site — or got answered by a bot-protection page instead of your app — changes nothing, so a blip can't falsely resolve a real problem.