sample_report expert_review layout
Demo AI Launch App
Illustrative target: demo.example · Public homepage + configuration notes
Reviewed 11 July 2026 · Methodology 0.1-validation · Example data only
72 C Configuration hygiene score — not proof that the application is secure.
ShipAudit measures observable HTTP security hygiene within the stated scope. It is not a vulnerability scan, penetration test, compliance assessment, or security certification.
Scope / Non-goals (example)
Checked in this example
- ✓ Public HTTPS reachability (illustrated)
- ✓ Selected response-header hygiene notes
- ✓ Client-visible configuration patterns (fictional)
Not checked
- ✗ Authenticated sessions, source code, infra
- ✗ Port scans, exploitation, directory brute force
- ✗ Compliance certification
Launch Decision (example)
Do not launch with the illustrated AI credential. Revoke it and move the provider call server-side. The Supabase configuration requires an authorized RLS check before it can be classified.
Findings (example)
Fix before launch
Server-side AI credential appears in a client bundle
- Evidence
- A high-confidence provider key pattern was detected in example data. The displayed value is redacted.
- Recommended Action
- Revoke the credential, move model calls behind a server endpoint, then add authentication and request limits.
Needs authorized verification
Supabase public configuration is present
- Evidence
- The anon key is a public identifier and is not a confirmed secret by itself (example data).
- Recommended Action
- Verify Row Level Security and Storage policies under explicit authorization. Do not rotate the anon key solely because it is visible.
Passed (example)
HTTPS and primary cookie attributes
- Evidence
- HTTPS is reachable in this example. Observed session cookies use Secure, HttpOnly and an explicit SameSite value.
- Recommended Action
- No immediate action for the illustrated scope.