Understand your findings
A finding is one specific, checkable problem with your app — not a vague 'improve your security posture'. Each one says what it means, why it matters, and exactly how to fix it.
Severities
- Critical — actively dangerous right now: an exposed
.env, a leaked secret, a known-exploited dependency. Fix these first; one open critical caps your grade at F. - Warning — a real gap an attacker can lean on, worth fixing this week. Missing CSP, no DMARC, a cookie without
HttpOnly. - Info — hardening. Nice to close, never an emergency.
Your grade
The letter grade summarizes everything currently open: start at 100, lose 35 per critical, 7 per warning, a little for infos — A is 90+, B is 75+, C is 60+, D is 40+. It's designed so a handful of hardening warnings reads as a B or C ("solid, some homework"), while anything truly dangerous is unmissable.
What we check
- Headers — security headers your responses should send (CSP, HSTS, and friends)
- Exposed files — things that should never be public — .env files, git folders, database dumps
- Open surfaces — admin panels, debug pages, and status endpoints reachable by anyone
- Dependencies — packages in your lockfile with known vulnerabilities (CVEs)
- Secrets — API keys and credentials committed to your repo
- Email protection — SPF and DMARC — whether strangers can send mail as your domain
- TLS — certificate health and encryption setup
- DNS — DNSSEC and CAA — hardening for your domain itself
- Attack surface — subdomains you may have forgotten, found via certificate logs
- Cookies — missing Secure/HttpOnly/SameSite protections
- Content — mixed content and risky third-party scripts
Exposed-files and open-surface probes run only after you've verified ownership; dependency and secret findings need a connected repo. Everything else runs for every app from day one.
Fixing things: copy for your AI tool
Every finding has a paste-ready fix. Click Copy for your AI tool and paste it into Claude Code, Cursor, or whatever built your app — the prompt carries the context your AI needs to apply the fix to your codebase. There's also a copy-all button that bundles every open finding into one paste.
One exception to "just paste it": a leaked secret is not fixed by deleting the file. Rotate the credential itself — anything that has ever appeared in a commit is burned. The fix prompt reminds you of this.
Findings resolve themselves
You never have to mark anything done. Deploy the fix, and the next scan sees the problem is gone and moves the finding to resolved on its own. Impatient? Scan now on the app page re-checks immediately. And a scan that couldn't reach your site — or got answered by a bot-protection page instead of your app — changes nothing, so a blip can't falsely resolve a real problem.