See what you get

What a Ship Check report actually looks like.

This is a real report shape from a Ship Check. Findings are ranked by what can actually hurt you, not dumped in a list. Every one comes with a proof you can re-run. A scanner gives you 40 red rows and leaves you to guess. This gives you an order of operations.

Rank 01 · Exposed right now · critical

These can leak real user data today. Fix these first, before anything else on this page.

Rank 01 · critical
Tables readable by the anon role your frontend ships
Why this hurts you: Your frontend hands the anon key to every visitor, and with row-level security off on these tables that key reads every row. Anyone who opens your site can query them directly from the browser. Your users’ orders and profiles are one fetch away.
reproducible proof · read-only query, re-executed
SELECT c.relname FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity
  AND has_table_privilege('anon', c.oid, 'SELECT');
→ 4 tables: orders, sessions, profiles, events
canonical result hash (sha256):
1a5f••••••••4d47
Rank 01 · critical
Service role key reachable from the client bundle
Why this hurts you: The key that bypasses every security rule is shipping inside your JavaScript. One curl of your bundle and an attacker owns the database.
reproducible proof · static scan of the built bundle
grep -r "SUPABASE_SERVICE_ROLE" .next/static
→ 1 match: chunks/app/page-4c2a.js
canonical result hash (sha256):
9e21••••••••b70c
Rank 01 · critical
/api/admin routes have no auth guard
Why this hurts you: The admin endpoints answer to anyone who knows the URL. No login, no role check. They will delete, refund, and export on request.
reproducible proof · unauthenticated request replayed
curl -s https://app/api/admin/users | jq length
→ 200 OK · 312 user records returned, no token sent
canonical result hash (sha256):
4c88••••••••e1a3
Rank 02 · Will break under real load · urgent

Not leaking today, but the first real traffic spike or bad actor turns these into an outage or a bill.

Rank 02 · urgent
No rate limit on /api/checkout
Why this hurts you: One bot in a loop can hammer checkout and run up your Stripe bill overnight. Nothing is stopping it.
reproducible proof · 100 rapid requests replayed
( for i in $(seq 100); do curl -s -o /dev/null -w '%{http_code}\n' https://app/api/checkout & done; wait ) | sort | uniq -c
→ 100/100 accepted · 0 throttled
canonical result hash (sha256):
b3d0••••••••7f52
Rank 02 · urgent
Signup has no email verification
Why this hurts you: Nothing proves an email is real, so spam and throwaway accounts will flood your user table and poison your metrics.
Rank 02 · urgent
N+1 query on the dashboard
Why this hurts you: The dashboard fires one query per row instead of one query total. It feels fine now and crawls once a user passes ~500 rows.
reproducible proof · query count captured per render
statement log captured for one GET /dashboard (600 rows)
→ 601 queries · 2,140ms total
canonical result hash (sha256):
c7fa••••••••1d09
Rank 03 · Safe to ignore for now · noted

A scanner would flag these red. They do not matter yet. Telling you what NOT to spend time on is half the value.

Rank 03 · noted
Console warnings in development only
Why this hurts you: Noisy in your terminal, invisible to users, gone in the production build. Not worth a minute right now.
Rank 03 · noted
Unused Tailwind classes in the bundle
Why this hurts you: A few kilobytes of dead CSS. A real scanner screams about it. Your users will never feel it. Leave it.

The value is not the list of findings. It is the ranking, and knowing exactly what to do first on Monday morning.

Get this report for your app.

Get your Ship Check ($299) · or run a free Leak Check first