What a GoForLaunch report looks like
A representative launch-readiness report for a typical Next.js + Supabase + Stripe SaaS. Real scans produce findings like these from your own code, ranked by launch impact, each with a copy-paste fix.
Findings
Impact: Every authenticated user can read and write every other tenant's rows. Equivalent to no RLS at all.
Fix: Replace the predicate with `organization_id in (select organization_id from memberships where user_id = auth.uid())`.
Impact: Anyone with read access (a leaked client bundle or your git history included) can charge cards and read your Stripe account.
Fix: Move it to a server-only env var, rotate the key in the Stripe dashboard, and purge it from git history.
Impact: Sequential ids let one customer read another customer's invoices — a fast path to a compliance incident.
Fix: Scope the query: `where: { id, organizationId: ctx.org }`, or verify ownership before returning.
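Added example, not code from the report or from GoForLaunch: the unscoped lookup the finding describes next to a tenant-scoped one, against a constructed in-memory invoice table. It assumes `ctx.org` comes from the verified session (never from the request body or query string) and that a hypothetical `scopedWhere` helper is the single place tenant scoping happens.

```javascript
// Added example (not GoForLaunch's code): every invoice lookup goes through a
// helper that merges the caller's tenant into the query, so a foreign id is
// indistinguishable from a missing one. `ctx.org` is assumed to come from the
// verified session, never from the request.
const invoices = [ // constructed sample rows standing in for a database table
  { id: 1001, organizationId: "org_a", total: 4200 },
  { id: 1002, organizationId: "org_b", total: 9900 },
];

// Vulnerable shape from the finding: id alone selects the row, whoever asks.
function findInvoiceUnscoped(id) {
  return invoices.find((inv) => inv.id === id) || null;
}

// Forces organizationId = ctx.org into every where-clause and refuses a
// caller-supplied organizationId that disagrees with the session.
function scopedWhere(where, ctx) {
  if (!ctx || typeof ctx.org !== "string" || ctx.org.length === 0) {
    throw new Error("missing tenant context");
  }
  if ("organizationId" in where && where.organizationId !== ctx.org) {
    throw new Error("tenant mismatch in query");
  }
  return { ...where, organizationId: ctx.org };
}

function findInvoice(where, ctx) {
  const w = scopedWhere(where, ctx);
  return invoices.find((inv) => Object.entries(w).every(([k, v]) => inv[k] === v)) || null;
}

// Route handler: 404 for both "does not exist" and "belongs to another tenant",
// so the response does not confirm that a guessed id is valid.
function invoiceHandler(req, ctx) {
  const inv = findInvoice({ id: Number(req.params.id) }, ctx);
  if (!inv) return { status: 404, body: "not found" };
  return { status: 200, body: inv };
}
```

Returning 404 rather than 403 for a foreign row is deliberate: a 403 tells the caller the id exists.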
Impact: Anyone can POST a fake `checkout.session.completed` and unlock paid features for free.
Fix: Verify with `stripe.webhooks.constructEvent(rawBody, sig, secret)` before trusting the event.
Impact: Enables user enumeration and email-bomb abuse that damages your sending domain's reputation.
Fix: Add a limiter scoped by both IP and target account, and return 429 when it is exceeded.
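Added example, not code from the report or from GoForLaunch: a fixed-window limiter keyed separately by client IP and by target account, wrapped around a password-reset style endpoint. It assumes an in-memory store (a multi-instance deployment would keep the counters in a shared store), an injectable clock, and hypothetical `req.ip` / `req.email` fields and a `sendResetEmail` callback.

```javascript
// Added example (not GoForLaunch's code): two limiters, one per IP and one per
// account, so neither one IP hitting many accounts nor many IPs hitting one
// account slips through. Counters are in memory for the demo.
class ScopedRateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injectable clock (ms) so tests need not sleep
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Records one request against `key`; returns { allowed, retryAfterMs }.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    if (b.count > this.limit) {
      return { allowed: false, retryAfterMs: b.windowStart + this.windowMs - t };
    }
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Normalise the account key so "Alice@Example.com " and "alice@example.com"
// share one bucket instead of giving the caller fresh quota per spelling.
function normalizeAccount(email) {
  return String(email || "").trim().toLowerCase();
}

function makePasswordResetHandler({ ipLimiter, accountLimiter, sendResetEmail }) {
  const tooMany = (retryAfterMs) => ({
    status: 429,
    headers: { "Retry-After": String(Math.ceil(retryAfterMs / 1000)) },
    body: "Too many requests",
  });

  return function handle(req) {
    const account = normalizeAccount(req.email);
    const ipRes = ipLimiter.hit(`ip:${req.ip}`);
    if (!ipRes.allowed) return tooMany(ipRes.retryAfterMs);
    const acctRes = accountLimiter.hit(`acct:${account}`);
    if (!acctRes.allowed) return tooMany(acctRes.retryAfterMs);

    sendResetEmail(account);
    // Identical response whether or not the address is registered, so the
    // endpoint does not confirm which accounts exist.
    return { status: 202, headers: {}, body: "If that address is registered, a reset email is on its way." };
  };
}
```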
Impact: Slightly widens CSRF surface on state-changing requests.
Fix: Set `SameSite=Lax` (or `Strict`) and `Secure` on the session cookie.
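Added example, not code from the report or from GoForLaunch: a serializer that always emits the hardened session-cookie attributes, plus an audit function that flags a `Set-Cookie` header missing them, usable in a test against your own responses. Cookie name and values are constructed.

```javascript
// Added example (not GoForLaunch's code): emit and audit session cookie flags.
function serializeSessionCookie(name, value, { sameSite = "Lax", maxAgeSeconds } = {}) {
  if (!["Lax", "Strict"].includes(sameSite)) {
    throw new Error("session cookies should be SameSite=Lax or Strict");
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    "HttpOnly",          // not readable from script
    "Secure",            // only sent over HTTPS
    `SameSite=${sameSite}`,
  ];
  if (Number.isInteger(maxAgeSeconds)) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

// Returns a list of problems found in one Set-Cookie header value (empty = fine).
function auditSetCookie(header) {
  const attrs = String(header).split(";").slice(1).map((s) => s.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const problems = [];
  if (!lower.includes("secure")) problems.push("missing Secure");
  if (!lower.includes("httponly")) problems.push("missing HttpOnly");
  const ss = lower.find((a) => a.startsWith("samesite="));
  if (!ss) {
    problems.push("missing SameSite (be explicit rather than relying on browser defaults)");
  } else if (ss.split("=")[1] === "none") {
    problems.push("SameSite=None gives no CSRF protection");
  }
  return problems;
}
```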
Get a report like this for your codebase in minutes.