Detailed Audit Findings
This sample report illustrates the actual layout, matrix categorizations, severity flags, and recommended actions compiled by our audit scanner.
acme-saas.io — Full Stack Audit
This audit identified 4 critical, 9 high, 14 medium, and 6 low severity issues across CRO, Security, and SUM categories. Immediate attention required on authentication and checkout flow.
The POST checkout registration route accepts requests without validating an anti-CSRF token, leaving it open to Cross-Site Request Forgery: a logged-in user who visits an attacker-controlled page can be made to submit the registration form without knowing it.
Embed a per-session anti-CSRF token in each form as a hidden field and verify it server-side on every state-changing request; as an additional check, reject requests whose Origin (or Referer) header does not match the site's own origin.
The API endpoint /api/debug is reachable in the production build and returns raw environment configuration, server stack details, and API keys.
Remove or disable debug endpoints in production builds and restrict any remaining diagnostic routes to an IP allowlist at the firewall. Treat the API keys the endpoint exposed as compromised and rotate them.
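The gate described above, as an added example rather than code from the audited site: diagnostic routes are not served at all in production and, in other environments, are allowed only from an IP allowlist. The route prefix list, the allowlist CIDRs and the function names are assumptions for illustration.

```javascript
// Added example for the /api/debug finding; not code from the audited site.
// Gate a Next.js middleware would apply to diagnostic routes.
const DIAGNOSTIC_PREFIXES = ['/api/debug'];
const OFFICE_ALLOWLIST = ['203.0.113.0/24', '198.51.100.7/32']; // assumed office ranges

// Parses dotted-quad IPv4 into an integer 0..2^32-1, or null if malformed.
// Kept as a plain number so no signed 32-bit shift arithmetic is needed.
function parseIpv4(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip falls inside cidr ("a.b.c.d/bits"; a bare address means /32).
function ipv4InCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipN = parseIpv4(ip);
  const netN = parseIpv4(net);
  if (ipN === null || netN === null || !(bits >= 0 && bits <= 32)) return false;
  const hostBits = 2 ** (32 - bits);
  return Math.floor(ipN / hostBits) === Math.floor(netN / hostBits);
}

function isAllowlisted(ip, allowlist) {
  return allowlist.some((cidr) => ipv4InCidr(ip, cidr));
}

// Returns the status the middleware should send. clientIp must be taken
// from the header the hosting platform's edge sets, never from a header
// the client can supply itself, or the allowlist is trivially bypassed.
function gateDiagnosticRoute({ pathname, nodeEnv, clientIp }, allowlist = OFFICE_ALLOWLIST) {
  const diagnostic = DIAGNOSTIC_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + '/'),
  );
  if (!diagnostic) return { status: 200, reason: 'not a diagnostic route' };
  // Production builds never serve diagnostic routes. 404 rather than 403 so
  // the route's existence is not confirmed to a scanner.
  if (nodeEnv === 'production') return { status: 404, reason: 'diagnostic route disabled in production' };
  if (!isAllowlisted(clientIp, allowlist)) return { status: 403, reason: 'client IP not allowlisted' };
  return { status: 200, reason: 'ok' };
}
```

The allowlist is a second layer; the first is that the endpoint should not be compiled into the production build at all, since a misconfigured NODE_ENV or a trusted-proxy mistake defeats a runtime check.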
On mobile devices the landing page CTA button sits below roughly 600px of content because of large vertical spacing, so many visitors drop off before reaching it.
Reposition the primary CTA inside the initial header block for small screens.
The authentication endpoint accepts an unlimited number of login attempts, allowing attackers to brute-force passwords or replay credential-stuffing lists.
Configure rate limiting on login routes (e.g. limit to 5 attempts per IP per minute). Because attackers spread attempts across many IP addresses, also throttle per account, and consider a short lockout or step-up challenge after repeated failures.
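The limiter described above, as an added example rather than code from the audited site: a sliding-window limiter keyed on both client IP and account, so a distributed attack that stays under the per-IP limit is still caught per account. The 5 attempts per IP per minute is the audit's suggestion; the 20 per account per minute, the createLoginGate name and the injectable clock are assumptions.

```javascript
// Added example for the rate-limiting finding; not code from the audited site.
// Sliding-window limiter: a key may make at most `limit` attempts in any
// trailing window of `windowMs` milliseconds.
class SlidingWindowLimiter {
  constructor(limit, windowMs, now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injectable clock returning ms since epoch
    this.hits = new Map(); // key -> timestamps of attempts inside the window
  }

  // Records the attempt if allowed. Returns whether it was allowed and, if
  // not, how long until the oldest attempt in the window expires.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const LOGIN_WINDOW_MS = 60_000;

// Builds the gate the login handler calls before it checks any credentials.
// `now` is injectable so the behaviour can be tested without sleeping.
function createLoginGate({ now = () => Date.now(), ipLimit = 5, accountLimit = 20 } = {}) {
  const perIp = new SlidingWindowLimiter(ipLimit, LOGIN_WINDOW_MS, now);
  const perAccount = new SlidingWindowLimiter(accountLimit, LOGIN_WINDOW_MS, now);

  return function check(clientIp, username) {
    // Per-IP first. A distributed attack stays under this limit on every IP,
    // which is why the per-account limit below exists.
    const ipResult = perIp.allow(clientIp);
    if (!ipResult.allowed) {
      return { status: 429, retryAfterSec: Math.ceil(ipResult.retryAfterMs / 1000), reason: 'too many attempts from this IP' };
    }
    // Normalise the account key so "Alice" and "alice " share one bucket.
    const accountResult = perAccount.allow(username.trim().toLowerCase());
    if (!accountResult.allowed) {
      return { status: 429, retryAfterSec: Math.ceil(accountResult.retryAfterMs / 1000), reason: 'too many attempts for this account' };
    }
    return { status: 200, reason: 'ok' };
  };
}
```

Send the retryAfterSec value in a Retry-After header with the 429. On Vercel or any serverless platform, function instances do not share memory, so the hits map must live in a shared store such as Redis for the limit to hold across instances, and the client IP must come from the header the platform's edge sets rather than one the client controls.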
The primary TLS certificate expires in two weeks, and no automatic Let's Encrypt renewal task is enabled.
Enable automatic certificate renewal on Vercel or your hosting platform, and monitor the expiry date so a failed renewal is caught before browsers start showing certificate errors.
The purchase workflow asks for name, business details, telephone number, and questionnaire answers before checkout, adding cognitive friction.
Consolidate the forms and defer collection of profile details to the post-purchase onboarding pages.
No Content-Security-Policy header is set, so the browser will run scripts and load styles from any origin, including inline scripts injected through a cross-site scripting bug; CSP is the main defence in depth against that class of attack.
Define a strict Content-Security-Policy header (for example a nonce-based script-src with default-src 'self') in next.config.js or in middleware. Roll it out as Content-Security-Policy-Report-Only first so legitimate resources the policy would block are found before enforcement.
The default server 404 page is shown, with no link back to the home page and no search box to help visitors recover.
Create a branded 404.tsx page with main navigation fallback links.