Site Security Audit

Give it a URL and it auto-detects your stack, then runs seven phases of targeted security checks. Here's what the report looks like.

Example audit report

You say "audit myapp.vercel.app" and this is what comes back.

Site Security Audit Report
Target: myapp.vercel.app
Date: 2026-03-28
Stack detected: Next.js, Supabase, Vercel

Executive Summary: Found 2 critical vulnerabilities (hardcoded API key in bundle, RLS not enabled on 3 tables), 1 high-risk issue (admin endpoint without auth), and missing security headers. Immediate remediation required.

Totals: 2 Critical, 1 High, 1 Medium, 4 Passed

Critical Findings

C1: Hardcoded Supabase Key in JS Bundle
Location: /_next/static/chunks/main-abc123.js
Issue: API key exposed in frontend bundle: eyJhbGciOi...
Impact: Attacker can access database with anon key permissions
Fix: Move to Vercel environment variable; inject via middleware

C2: RLS Disabled on 3 Tables
Location: Supabase: users, projects, tasks
Issue: Row-level security off; anon key can read/write all rows
Impact: Any user can view/modify other users' data (IDOR)
Fix: ALTER TABLE users ENABLE ROW LEVEL SECURITY; then create policies

High Findings

H1: /api/admin Accessible Without Auth
Location: /api/admin/export-users
Evidence: curl .../api/admin/export-users returns 200 with full user list
Fix: Add auth middleware; check session + admin role

Passed
HTTPS enforced
Passwords not in API responses
Session cookies HttpOnly
CORS configured correctly
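The fix for H1 is "check session + admin role" in front of the handler. Below is an added example of what that guard looks like in code; it is not the skill's output or the audited app's code. Sessions, users and the cookie name "session" are constructed for the demo, and the handler is written framework-agnostic (plain functions taking the Cookie header) so it runs stand-alone; in a real Next.js route the token lookup would go to your auth provider.

```typescript
// Added example, not the skill's or the audited app's code: the guard that
// finding H1 asks for, a session check followed by an admin-role check, placed
// in front of the /api/admin/export-users handler so no user data is read
// before both pass. Sessions, users and the "session" cookie name are
// constructed for this demo.

type Role = "user" | "admin";

interface Session {
  userId: string;
  role: Role;
  expiresAt: number; // epoch milliseconds
}

interface UserRecord {
  id: string;
  email: string;
  role: Role;
  passwordHash: string; // server-side only; never part of an API response
}

interface ApiResponse {
  status: number;
  body: unknown;
}

// Constructed stand-ins for the session store and the users table.
const SESSIONS: { [token: string]: Session } = {
  "tok-admin": { userId: "u1", role: "admin", expiresAt: Number.MAX_SAFE_INTEGER },
  "tok-user": { userId: "u2", role: "user", expiresAt: Number.MAX_SAFE_INTEGER },
  "tok-expired": { userId: "u1", role: "admin", expiresAt: 0 },
};

const USERS: UserRecord[] = [
  { id: "u1", email: "admin@example.com", role: "admin", passwordHash: "<hash placeholder>" },
  { id: "u2", email: "alice@example.com", role: "user", passwordHash: "<hash placeholder>" },
];

// Parse a Cookie request header into name -> value, ignoring malformed parts.
function parseCookies(header: string | undefined): { [name: string]: string } {
  const out: { [name: string]: string } = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx <= 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolve the session cookie; null for a missing, unknown or expired token.
function getSession(cookieHeader: string | undefined, now: number = Date.now()): Session | null {
  const token = parseCookies(cookieHeader)["session"];
  if (!token) return null;
  const session = SESSIONS[token];
  if (!session || session.expiresAt <= now) return null;
  return session;
}

// The guard: 401 when there is no valid session, 403 when the session is not
// an admin's, null when the request may proceed. Authentication and
// authorization are separate checks so the failure mode is visible in logs.
function requireAdmin(cookieHeader: string | undefined, now: number = Date.now()): ApiResponse | null {
  const session = getSession(cookieHeader, now);
  if (!session) return { status: 401, body: { error: "authentication required" } };
  if (session.role !== "admin") return { status: 403, body: { error: "admin role required" } };
  return null;
}

// Hardened handler. The guard runs first, and the export projects only the
// fields an admin needs, so the password hash never reaches the wire.
function exportUsersHandler(cookieHeader: string | undefined, now: number = Date.now()): ApiResponse {
  const denied = requireAdmin(cookieHeader, now);
  if (denied) return denied;
  const rows = USERS.map(u => ({ id: u.id, email: u.email, role: u.role }));
  return { status: 200, body: rows };
}

// Stand-alone demo: the auditor's anonymous curl, then a non-admin, then an admin.
console.log(exportUsersHandler(undefined).status);           // 401
console.log(exportUsersHandler("session=tok-user").status);  // 403
console.log(exportUsersHandler("session=tok-admin").status); // 200
```

The anonymous request that returned 200 in the audit now gets 401 before any query runs, and a logged-in non-admin gets 403 rather than a partial export. Keeping the field projection inside the handler also preserves the "Passwords not in API responses" result if someone later widens the query.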

Prioritized Action Plan

Today: Remove hardcoded key from bundle, enable RLS, add auth to /api/admin
This week: Disable source maps in production, add security headers (CSP, HSTS)
This month: Rotate exposed keys, add rate limiting, set up dependency scanning in CI
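The "Today" item removes the key from the bundle; a CI check keeps it, or a rotated replacement, from landing in a later build. The following is an added example of such a check, not the skill's output or the audited app's code: it scans built JavaScript for JWT-shaped strings, decodes the header and payload, and reports the role claim, which is how a Supabase key like the one in C1 shows up. The bundle text and the token in it are constructed for the demo (the role value and signature are made up, and the createClient call only mimics Supabase's client setup); the scanner itself takes any bundle text.

```typescript
// Added example, not the skill's code: a pre-deploy check that finds JWT-shaped
// tokens inside built JavaScript and decodes them, so a key like the one in
// finding C1 is caught in CI rather than by an auditor. The bundle text and the
// token inside it are constructed for this demo; no real key is embedded.

interface JwtFinding {
  offset: number;      // index of the token in the bundle text
  alg: string | null;  // header "alg" claim
  role: string | null; // payload "role" claim (Supabase keys carry one)
  preview: string;     // first 12 characters only, so the report does not leak the key
}

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode an unpadded base64url segment to a string. JWT header and payload are
// JSON, which in practice is ASCII, so bytes are mapped straight to characters.
// Returns null for anything outside the base64url alphabet.
function decodeB64Url(seg: string): string | null {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) return null;
  const bytes: number[] = [];
  let acc = 0;
  let bits = 0;
  for (let i = 0; i < seg.length; i++) {
    acc = (acc << 6) | B64URL.indexOf(seg.charAt(i));
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return String.fromCharCode(...bytes);
}

// JSON.parse that yields a plain object or null, never throws.
function parseJsonObject(text: string | null): { [k: string]: unknown } | null {
  if (text === null) return null;
  try {
    const v = JSON.parse(text);
    return v !== null && typeof v === "object" && !Array.isArray(v) ? v : null;
  } catch (_e) {
    return null;
  }
}

// A compact JWS is three base64url segments joined by dots, and a JSON header
// always base64url-encodes to a string starting with "eyJ". Each candidate is
// confirmed by decoding both header and payload, so "eyJ..." strings that are
// not JWTs (the decoy below) are dropped instead of reported.
function scanBundleForJwts(bundle: string): JwtFinding[] {
  const re = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
  const findings: JwtFinding[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(bundle)) !== null) {
    const parts = m[0].split(".");
    const header = parseJsonObject(decodeB64Url(parts[0]));
    const payload = parseJsonObject(decodeB64Url(parts[1]));
    if (!header || !payload) continue;
    const alg = header["alg"];
    const role = payload["role"];
    findings.push({
      offset: m.index,
      alg: typeof alg === "string" ? alg : null,
      role: typeof role === "string" ? role : null,
      preview: m[0].slice(0, 12) + "...",
    });
  }
  return findings;
}

// Constructed sample input. The token has the shape Supabase issues (HS256
// header, payload with a "role" claim) but a made-up signature; the decoy
// starts with "eyJ" yet is not a JWT.
const FAKE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.c2lnbmF0dXJl";
const SAMPLE_BUNDLE =
  'var c=createClient("https://project.supabase.co","' + FAKE_KEY + '");' +
  'var decoy="eyJabc.def.ghi";var x=42;';

console.log(scanBundleForJwts(SAMPLE_BUNDLE));
// one finding: alg "HS256", role "anon", preview "eyJhbGciOiJI..."
```

Run over the files under the build's static chunk directory (the path in C1 is one of them) and fail the pipeline when any finding is returned. The report carries only a 12-character preview, so the CI log itself does not become a second place the key is exposed.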