S ShipAudit
Example data only — this is not a verified check of a real customer domain.
sample_report expert_review layout

Demo AI Launch App

Illustrative target: demo.example · Public homepage + configuration notes

Reviewed 11 July 2026 · Methodology 0.1-validation · Example data only

72 C Configuration hygiene score — not proof that the application is secure.

ShipAudit measures observable HTTP security hygiene within the stated scope. It is not a vulnerability scan, penetration test, compliance assessment, or security certification.

Scope / Non-goals (example)

Checked in this example

  • Public HTTPS reachability (illustrated)
  • Selected response-header hygiene notes
  • Client-visible configuration patterns (fictional)

Not checked

  • Authenticated sessions, source code, infra
  • Port scans, exploitation, directory brute force
  • Compliance certification

Launch Decision (example)

Do not launch with the illustrated AI credential. Revoke it and move the provider call server-side. The Supabase configuration requires an authorized RLS check before it can be classified.

Findings (example)

Fix before launch

Server-side AI credential appears in a client bundle

Evidence
A high-confidence provider key pattern was detected in example data. The displayed value is redacted.
Recommended Action
Revoke the credential, move model calls behind a server endpoint, then add authentication and request limits.
Needs authorized verification

Supabase public configuration is present

Evidence
The anon key is a public identifier and is not a confirmed secret by itself (example data).
Recommended Action
Verify Row Level Security and Storage policies under explicit authorization. Do not rotate the anon key solely because it is visible.
Passed (example)

HTTPS and primary cookie attributes

Evidence
HTTPS is reachable in this example. Observed session cookies use Secure, HttpOnly and an explicit SameSite value.
Recommended Action
No immediate action for the illustrated scope.