
Sample Launch Readiness Audit Report

Sample report — illustrative data
68/100 ready
demo-app.lovable.app · scanned 8 Jun 2026
Launch Readiness: Needs work before launch
Security 61 · Reliability 72 · Performance 80 · Monitoring 48
2 Critical · 4 High · 5 Medium · 11 Total findings

Findings & AI-ready fixes

Critical · Security · Supabase · public.users, public.orders, public.messages

Row-level security is disabled on 3 tables

Your tables are reachable with the public anon key and no RLS policy — anyone can read (and possibly write) every row. This is the exact class of issue behind CVE-2025-48757, which exposed 170+ Lovable apps.

AI-ready fix — paste into Cursor / Lovable
alter table public.users enable row level security;
create policy "own_rows" on public.users
  for select using ( auth.uid() = user_id );
-- repeat for orders, messages; add insert/update policies as needed

Critical · Security · assets/index-8f2e1b.js:1204

OpenAI API key exposed in the client bundle

A live sk-proj-… key is shipped in your front-end JavaScript. Anyone can extract it and run up your bill (we've seen $12K+ in a weekend) or abuse your account.

AI-ready fix — paste into Cursor / Lovable
1. Rotate the key in the OpenAI dashboard immediately.
2. Move calls to a server route; read the key from an env var:
const key = process.env.OPENAI_API_KEY; // server only, never in client

High · Security · api/auth/login.ts

No rate limiting on the login endpoint

Attackers can brute-force credentials with no throttling. Add per-IP and per-account limits.

AI-ready fix
Add a rate limiter (e.g. Upstash) — 5 attempts / 15 min per IP + account, then back off.

High · Reliability · api/webhooks/stripe.ts:42

Payment webhook has no error handling or idempotency

If the handler throws, Stripe retries and you may double-fulfill orders. There's no try/catch and no idempotency key check.

AI-ready fix
Wrap in try/catch, verify the signature, and store processed event IDs to skip duplicates before fulfilling.

High · Performance · api/dashboard.ts:88

N+1 query loading the dashboard

The dashboard fires one query per item (47 on a typical load), pushing p95 latency past 4 seconds. Batch it into a single join.

AI-ready fix
-- replace the per-item loop with one query:
select * from orders where user_id = $1 order by created_at desc;
-- add an index on orders(user_id, created_at)

Medium · Monitoring · app-wide

No error tracking detected

No Sentry, Rollbar, or equivalent is present. When something breaks in production, you won't know until a customer tells you.

AI-ready fix
Add Sentry (or similar), wire it into your error boundary and API routes, and alert on the payment + auth paths.
This is a sample

Get your real report in ~60 seconds.

Paste your URL for a free Launch Readiness Score. Unlock the full report — every finding, AI-ready fixes, PDF report, and prioritized roadmap — for $499 one-time. 30-day re-scan guarantee if we don't find anything material.
