Reference · §3

Every check, documented.

The reference. Each entry below records what we look for, the severity, and the exact remedy. Every result page links into this document.

Family · I. Secrets

B-01 · Critical · Stripe secret key in bundle
What we look for: sk_live_… or sk_test_… visible in any JS chunk.
How to fix: Move all Stripe calls server-side. Rotate the key immediately. Audit recent charges.

B-02 · Critical · AWS access key in bundle
What we look for: An AKIA-prefixed string in JS source.
How to fix: Rotate via IAM. Use a Cognito identity pool or signed URLs for client-side access.

B-03 · Critical · OpenAI API key in bundle
What we look for: sk-… (forty characters or more) in client code.
How to fix: Proxy LLM calls through your backend. Rotate the key. Cap usage limits.

B-04 · Critical · Supabase service_role JWT in bundle
What we look for: A JWT with role:service_role decoded from a token in the bundle.
How to fix: This key bypasses all RLS. Rotate it immediately; the service role should never leave the server.

B-05 · High · GitHub PAT in bundle
What we look for: A ghp_, gho_, ghu_, or ghs_ token in source.
How to fix: Revoke the token. Use a server-side proxy for any GitHub API calls.
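An added example, not the scanner's own code, of the kind of pre-deploy check that catches B-01, B-02, B-03 and B-05 before a chunk is published: it runs the listed prefixes over a built JS chunk and reports redacted matches with their line numbers. The prefixes are the ones the entries above name; the tail lengths, the function and constant names, and the sample chunk (every value in it is a placeholder, not a real credential) are our assumptions.

```javascript
// Added example (not the scanner's own code): a pre-deploy check that scans a
// built JS chunk for the credential shapes listed in B-01, B-02, B-03 and B-05.
// Prefixes come from the entries above; the tail lengths are assumptions.

const SECRET_PATTERNS = [
  // B-01: Stripe secret keys, live or test. Publishable pk_ keys are not matched.
  { id: 'B-01', severity: 'Critical', name: 'Stripe secret key',
    re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  // B-02: AWS access key IDs start with AKIA and are 20 characters long.
  { id: 'B-02', severity: 'Critical', name: 'AWS access key',
    re: /\bAKIA[A-Z0-9]{16}\b/g },
  // B-03: OpenAI-style keys, "sk-" followed by forty or more characters.
  { id: 'B-03', severity: 'Critical', name: 'OpenAI API key',
    re: /\bsk-[A-Za-z0-9_-]{40,}\b/g },
  // B-05: GitHub tokens: ghp_ (PAT), gho_ (OAuth), ghu_ and ghs_ (app tokens).
  { id: 'B-05', severity: 'High', name: 'GitHub token',
    re: /\bgh[pous]_[A-Za-z0-9]{20,}\b/g },
];

// Keep only the prefix and the last four characters so a report can be shared
// without re-leaking the credential it describes.
function redact(match) {
  return match.slice(0, 8) + '…' + match.slice(-4);
}

// Scan one chunk and return findings with the 1-based line of each match,
// sorted by line so the report reads top to bottom.
function scanChunk(fileName, text) {
  const findings = [];
  for (const p of SECRET_PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ id: p.id, severity: p.severity, name: p.name,
                      file: fileName, line, sample: redact(m[0]) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed bundle excerpt. Every value is a placeholder, not a real credential.
const SAMPLE_CHUNK = [
  '// constructed excerpt of a production chunk',
  'const stripe = Stripe("sk_test_PLACEHOLDER' + '0'.repeat(16) + '");',
  'const aws = { accessKeyId: "AKIAPLACEHOLDER00000" };',
  'const openai = "sk-PLACEHOLDER' + '0'.repeat(32) + '";',
  'const gh = "ghp_PLACEHOLDER' + '0'.repeat(25) + '";',
  'const pk = "pk_test_PLACEHOLDER' + '0'.repeat(16) + '"; // publishable key, expected client-side',
].join('\n');

console.log(JSON.stringify(scanChunk('app.js', SAMPLE_CHUNK), null, 2));
```

Run it over every file in the build output and fail the pipeline on any finding; the publishable pk_ key in the sample is deliberately left unmatched, because client code is expected to carry it.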

Family · II. Supabase

S-01 · Info · Anon JWT introspection
What we look for: We decode the public anon key and surface project ref, role, issuer, expiry. Flagged as Medium if the key has expired.
How to fix: No action when current. If expired, rotate the anon key in Supabase → Project Settings → API.
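An added example, not the scanner's code, covering S-01 here and B-04 in the Secrets family above: it decodes a Supabase JWT payload, surfaces ref, role, issuer and expiry, rates the key Info or Medium by expiry, and raises B-04 when the role claim is service_role. Only the payload is read; the signature is never verified, so this is an inventory tool, not an authentication step. The sample tokens are constructed with a dummy signature and a placeholder project ref; the function names are ours.

```javascript
// Added example (not the scanner's own code): decode a Supabase JWT without
// verifying it, report ref / role / issuer / expiry as S-01 does, and flag a
// service_role claim as B-04 does. Only the payload is read; the signature is
// never checked, so this is inventory, not authentication.

function base64UrlDecode(part) {
  const base64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three dot-separated parts');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// `now` is a unix timestamp in seconds; pass a fixed value for reproducible output.
function introspectSupabaseKey(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const findings = [];
  // B-04: a service_role token in client-reachable code is always Critical.
  if (claims.role === 'service_role') {
    findings.push({ id: 'B-04', severity: 'Critical',
      note: 'service_role JWT bypasses RLS; rotate it and keep it server-side' });
  }
  // S-01: Info when current, Medium once the exp claim is in the past.
  const expired = typeof claims.exp === 'number' && claims.exp < now;
  findings.push({ id: 'S-01', severity: expired ? 'Medium' : 'Info',
    note: expired ? 'key has expired; rotate in Project Settings → API' : 'key decoded and current' });
  return {
    ref: claims.ref ?? null,
    role: claims.role ?? null,
    issuer: claims.iss ?? null,
    expiresAt: typeof claims.exp === 'number' ? new Date(claims.exp * 1000).toISOString() : null,
    findings,
  };
}

// Constructed sample tokens: real JWT layout, dummy signature, placeholder project ref.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.unsigned-sample`;
}
const FIXED_NOW = 1700000000; // constructed reference time for deterministic results
const SAMPLE_ANON = makeSampleToken({ iss: 'supabase', ref: 'placeholderref', role: 'anon', iat: 1600000000, exp: 1900000000 });
const SAMPLE_EXPIRED = makeSampleToken({ iss: 'supabase', ref: 'placeholderref', role: 'anon', iat: 1600000000, exp: 1650000000 });
const SAMPLE_SERVICE = makeSampleToken({ iss: 'supabase', ref: 'placeholderref', role: 'service_role', iat: 1600000000, exp: 1900000000 });

console.log(introspectSupabaseKey(SAMPLE_SERVICE, FIXED_NOW));
```

Because the payload is base64url rather than base64, the decoder restores the standard alphabet and padding before handing the bytes to Buffer; skipping that step is the usual reason a hand-rolled JWT inspector rejects valid tokens.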

S-02 · Low · Full schema is enumerable
What we look for: GET /rest/v1/ with the anon key returns the OpenAPI dump: the full list of tables and RPC functions.
How to fix: Restrict introspection at the edge or in db.api.exposed_schemas. RLS still matters; this stops handing out the menu.

S-12 · Critical · Table readable without authentication
What we look for: Anonymous key + GET on /rest/v1/<table> returns rows.
How to fix: Enable RLS on the table and add SELECT policies that scope by auth.uid().

S-30 · Medium · Storage buckets listable
What we look for: /storage/v1/bucket returns a non-empty array to anonymous clients.
How to fix: Storage policies: remove anon SELECT on storage.buckets.

S-40 · Low · Anonymous signup enabled
What we look for: /auth/v1/settings indicates disable_signup is false.
How to fix: If public signups are not intended, disable in Authentication → Providers → Email.

S-50 · Medium · RPC function callable anonymously
What we look for: POST /rest/v1/rpc/<fn> with the anon key returns 200 or 400 (i.e. the function ran).
How to fix: Revoke EXECUTE from anon, or rewrite the function as SECURITY INVOKER and audit it.

S-COV · Info · Coverage of record
What we look for: A transparency entry: how many tables and RPCs were tested, how many were denied, how many returned data.
How to fix: No action; an honest record of what the scan tested.

Family · III. Firebase

F-10 · Critical · Firestore rules allow public read or write
What we look for: Probe collections return 200 with no auth, or test writes succeed.
How to fix: Replace if true with if request.auth != null plus per-document ownership checks.

F-20 · High · Storage bucket public listing
What we look for: Bucket discovery succeeds without authentication.
How to fix: Storage rules: lock to request.auth != null and per-user paths.

Family · IV. Headers

H-01 · Medium · No Content-Security-Policy
What we look for: Response missing the CSP header.
How to fix: Add a CSP. Start in report-only mode while tuning.

H-02 · Low · Strict-Transport-Security missing
What we look for: No HSTS header on an HTTPS response.
How to fix: Set Strict-Transport-Security: max-age=31536000; includeSubDomains.

H-08 · Medium · Permissive CSP
What we look for: CSP is set, but contains unsafe-inline, unsafe-eval, wildcard sources, or is missing key directives.
How to fix: Drop unsafe-inline / unsafe-eval, replace wildcards with explicit origins, add object-src 'none' and frame-ancestors 'none'.
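An added example, not the scanner's own code, that evaluates one HTTPS response's headers against H-01, H-02 and H-08 together: it parses the CSP into directives, flags unsafe-inline, unsafe-eval, bare or scheme-only wildcard sources and the missing object-src / frame-ancestors directives, and checks HSTS. It goes slightly beyond the entries above in two places we are assuming: a report-only CSP counts as present (consistent with the H-01 fix), and an HSTS max-age under a year is reported alongside a missing header. The three header sets at the bottom are constructed; the function names are ours.

```javascript
// Added example (not the scanner's own code): evaluate one HTTPS response's
// headers against H-01, H-02 and H-08. Header names are lower-cased keys, as
// Node's http module presents them. Two extensions are our assumptions: a
// report-only CSP counts as present, and an HSTS max-age below one year is flagged.

const ONE_YEAR = 31536000;

// Parse "dir src src; dir ..." into a Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const raw of value.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// H-08: return one Medium finding listing every reason the policy is permissive.
function checkCspPolicy(value) {
  const d = parseCsp(value);
  const reasons = [];
  for (const [name, sources] of d) {
    for (const src of sources) {
      const s = src.toLowerCase().replace(/^'|'$/g, '');
      if (s === 'unsafe-inline' || s === 'unsafe-eval') reasons.push(`${name} allows '${s}'`);
      // A bare * or a scheme-only source such as https: admits any origin.
      if (s === '*' || s === 'https:' || s === 'http:') reasons.push(`${name} allows wildcard source ${src}`);
    }
  }
  // object-src falls back to default-src, so only default-src 'none' covers it.
  const def = d.get('default-src') || [];
  const defaultIsNone = def.length === 1 && def[0].toLowerCase() === "'none'";
  if (!d.has('object-src') && !defaultIsNone) reasons.push("object-src missing; add object-src 'none'");
  // frame-ancestors never falls back to default-src, so it must be explicit.
  if (!d.has('frame-ancestors')) reasons.push("frame-ancestors missing; add frame-ancestors 'none'");
  if (!d.has('default-src') && !d.has('script-src')) reasons.push('neither default-src nor script-src set');
  return reasons.length ? [{ id: 'H-08', severity: 'Medium', reasons }] : [];
}

function checkHeaders(headers) {
  const findings = [];
  // H-01: no CSP at all (enforced or report-only).
  const csp = headers['content-security-policy'] || headers['content-security-policy-report-only'];
  if (!csp) findings.push({ id: 'H-01', severity: 'Medium', note: 'no Content-Security-Policy header' });
  else findings.push(...checkCspPolicy(csp));
  // H-02: HSTS absent, or present with a max-age shorter than a year.
  const hsts = headers['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push({ id: 'H-02', severity: 'Low', note: 'no Strict-Transport-Security header' });
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push({ id: 'H-02', severity: 'Low', note: `HSTS max-age below ${ONE_YEAR}` });
  return findings;
}

// Constructed header sets: a weak policy, the hardened form the entries above ask for, and none at all.
const WEAK_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
  'strict-transport-security': 'max-age=3600',
};
const HARDENED_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
};
const BARE_HEADERS = {};

console.log(checkHeaders(WEAK_HEADERS));
```

The weak set produces one H-08 finding with four reasons (unsafe-inline, the https: wildcard, and the two missing directives) plus a short-lived HSTS; the hardened set produces none, which is the state each result page asks you to reach.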

Family · V. Files

X-01 · Critical · .env served as 200 OK
What we look for: /.env returns content instead of a 404.
How to fix: Block dotfiles at the CDN or hosting layer. Never deploy .env to a public directory.

X-02 · Medium · Source maps in production
What we look for: *.js.map URLs serve full source.
How to fix: Disable source-map output in production builds, or restrict access.

A curated subset. The scanner runs roughly thirty distinct checks across these families. More entries are being added.

Subject for review

Run a scan.
Receive your edition.

Reviewed in approx. 30 seconds. Free of charge. Confidential.
Or read the casebook.