sample report

This is what you get.

No wall of red, no jargon dump. Every finding says what it is, why it matters, and exactly how to fix it. Here's a real example (anonymized).

Harbova security report · demo-app.lovable.app

Executive summary

We found 4 issues that matter, including 1 critical. The most serious lets anyone read your users' data. All four are fixable in a day. None require rebuilding.

F
grade
1 critical2 high1 medium0 low
CRITICALHB-001· A01 Broken Access Control

Database readable by anyone (RLS disabled)

What we found. Your Supabase project's public key is in the front-end (normal), but four tables, including `profiles` and `orders`, return every row to an unauthenticated request. Anyone can read your entire user list from a browser tab.

How to fix it. Enable Row Level Security on every table and add policies so users can only read their own rows. We include the exact SQL.

HIGHHB-002· A05 Security Misconfiguration

API key exposed in the front-end bundle

What we found. A third-party service key was found hard-coded in your JavaScript. Anyone can extract it and run charges against your account.

How to fix it. Move the key to a server-side environment variable and proxy the call through an API route. Rotate the exposed key immediately.

HIGHHB-003· A01 Broken Access Control

Admin page has no login

What we found. The route `/admin` renders the dashboard without checking who's asking. It's not linked anywhere, but it's one guess away.

How to fix it. Add a server-side auth check that runs before the page renders and redirects anyone who isn't an admin.

MEDIUMHB-004· A05 Security Misconfiguration

Missing security headers

What we found. No Content-Security-Policy, no clickjacking protection, and HSTS isn't set. These don't cause a breach on their own, but they remove your safety net.

How to fix it. Add a small set of response headers. We provide the exact config for your framework.