Evidence before launch

Security preflight for AI-built apps.

Scan the public surface for risky defaults, exposed credentials, and missing browser defenses before users arrive.

Deterministic checks. No model API. No exploit attempts.

Public-surface scan

Check the app you are about to ship.

Only the submitted page and up to five same-origin scripts are read. No exploit attempts.

Security headersCookie flagsPublic secretsSource mapsMixed content

How it works

A narrow scan with a clear evidence trail.

LaunchLint is intentionally non-invasive. It checks what any visitor can download, then maps each result to a maintained remediation rule.

Read the submitted page

DNS is pinned to a public address. Redirects are revalidated. Response size and time are capped.

Evaluate deterministic rules

The page and up to five same-origin scripts are checked without executing JavaScript or probing endpoints.

Return fixes that can be verified

Every result includes masked evidence, remediation, acceptance criteria, and a copy-ready coding-agent prompt.

Inspection scope

Checks selected for common launch mistakes.

Public client identifiers are not mislabeled as secrets. Unsupported claims are left out of the report.

Browser defenses

CSP, frame protection, MIME sniffing, referrer and capability policies.

Session cookies

Secure, HttpOnly, and SameSite flags on cookies visible in the response.

Public secrets

High-confidence production credential formats with masked evidence.

Bundle exposure

Public source map references in same-origin production JavaScript.

Secure transport

HSTS, mixed content, and password forms posting over HTTP.

Stack-aware fixes

Deterministic repair packs for detected frameworks and hosting platforms.

Report evidence

A finding should tell you what changed next.

The free scan shows priority issues. The complete report adds full remediation, passed checks, and stack-aware agent instructions.

Read the AI-built app security checklist
Highheaders

Content Security Policy is missing

Injected scripts and unexpected third-party resources have fewer browser-level restrictions.

No Content-Security-Policy header was returned.
Next.js fix pack

Add the policy through the headers() function in next.config.ts, preserve existing directives, then run lint, tests, and a production build.

Founding price

One complete report. One payment.

No subscription is required for the initial launch report.

$19USD, one time
  • Every finding and passed check
  • Masked evidence and exact remediation
  • Coding-agent prompts and print layout
Scan before you ship

Questions

Know what the report can and cannot prove.

What does LaunchLint scan?

LaunchLint reads the public response for the URL you submit and up to five same-origin JavaScript files referenced by that page. It checks browser security headers, cookie flags, mixed content, source maps, and a small set of high-confidence secret formats.

Does LaunchLint test private APIs or databases?

No. LaunchLint does not sign in, submit forms, enumerate endpoints, probe databases, or attempt an exploit. It is a public-surface launch preflight, not a penetration test.

Do you send my app to an AI model?

No. The scanner and remediation library are deterministic. LaunchLint does not send the inspected response, suspected secrets, or report content to a large language model.

Are Supabase anon keys and Firebase config treated as secrets?

No. Public client identifiers are not reported as secrets. LaunchLint reports only supported high-confidence formats such as a Supabase service-role token or a production secret key.

What is included in the paid report?

The one-time Launch Report includes every finding, every passed check, masked evidence, stack-aware remediation, and copy-ready instructions for coding agents. It is formatted for printing or saving as PDF.

Does a high score mean my app is secure?

No. The score summarizes only the checks LaunchLint performed on the public surface. Business-logic flaws, authenticated features, infrastructure, dependencies, and private services require additional review.