sample report
This is what you get.
No wall of red, no jargon dump. Every finding says what it is, why it matters, and exactly how to fix it. Here's a real example (anonymized).
Harbova security report · demo-app.lovable.app
Executive summary
We found 4 issues that matter, including 1 critical. The most serious lets anyone read your users' data. All four are fixable in a day. None require rebuilding.
Database readable by anyone (RLS disabled)
What we found. Your Supabase project's public key is in the front-end (normal), but four tables, including `profiles` and `orders`, return every row to an unauthenticated request. Anyone can read your entire user list from a browser tab.
How to fix it. Enable Row Level Security on every table and add policies so users can only read their own rows. We include the exact SQL.
API key exposed in the front-end bundle
What we found. A third-party service key was found hard-coded in your JavaScript. Anyone can extract it and run charges against your account.
How to fix it. Move the key to a server-side environment variable and proxy the call through an API route. Rotate the exposed key immediately.
Admin page has no login
What we found. The route `/admin` renders the dashboard without checking who's asking. It's not linked anywhere, but it's one guess away.
How to fix it. Add a server-side auth check that runs before the page renders and redirects anyone who isn't an admin.
Missing security headers
What we found. No Content-Security-Policy, no clickjacking protection, and HSTS isn't set. These don't cause a breach on their own, but they remove your safety net.
How to fix it. Add a small set of response headers. We provide the exact config for your framework.