Scan coverage

Exactly what a scan checks.

Every GoForLaunch scan runs the deterministic engine across your files, migrations and config — then ranks findings by launch impact. Here's the full surface it inspects, in plain language.

53+ checks across 14 areas, evidence-based.

Secrets & credentials

Keys that should never reach a repo, bundle, or git history.

3 checks:
  • Secrets: Hardcoded API keys, tokens and committed .env files (Stripe, OpenAI, Supabase, AWS, …).
  • Auth Secrets: Weak, short or shared JWT/session secrets that defeat signed tokens.
  • Crypto: Weak hashing, insecure randomness and predictable token generation.

Authentication & access control

Whether authorization is actually enforced on the server.

4 checks:
  • Client-Side Auth: Admin/role checks that live only in client code and are trivially bypassed.
  • Auth Boundary: Privileged pages and API routes missing a server-side auth gate.
  • IDOR: Records fetched by ID without verifying the caller owns them.
  • CSRF: State-changing routes without CSRF / same-origin protection.

Multi-tenant data isolation

Keeping one customer's data from leaking into another's.

3 checks:
  • Supabase RLS: Tables without Row Level Security, exposed service roles, unsafe migrations.
  • Storage Buckets: Public or world-readable storage buckets and guessable object URLs.
  • Database: `prisma db push` in deploy pipelines and missing migration history.

Injection & input validation

Untrusted input reaching queries, the DOM, or the shell.

8 checks:
  • Input Validation: Request bodies forwarded to writes or providers without schema validation.
  • SQL Injection: String-built SQL and unsafe query interpolation.
  • NoSQL Injection: Unsanitised operators reaching MongoDB-style queries.
  • DOM XSS: dangerouslySetInnerHTML / innerHTML fed from user input.
  • Code Execution: eval / dynamic require / child-process calls on untrusted data.
  • Path Traversal: User-controlled file paths that can escape their directory.
  • Prototype Pollution: Unsafe deep-merge / object assignment from request data.
  • ReDoS: Catastrophic-backtracking regexes run on user input.

API hardening & abuse

The surface bots and scripts hammer first.

6 checks:
  • Rate Limits: Expensive AI, upload and auth routes with no rate limiting.
  • CORS: Wildcard origins, especially combined with credentials.
  • SSRF: User-supplied URLs fetched without an allowlist; internal services reachable.
  • Open Redirect: Redirects driven by unvalidated user input.
  • Upload Limits: File uploads without size/type limits.
  • DDoS: Unbounded loops / amplification patterns on public endpoints.

Payments & webhooks

The money paths — where bugs cost real revenue.

4 checks:
  • Stripe Webhooks: Unverified signatures and webhooks parsed before verification.
  • Webhook Replay: Missing idempotency / replay protection on webhook handlers.
  • Business Logic: Prices, quantities, plans or trial lengths trusted from the client.
  • Billing: Checkout and subscription flows that can be manipulated.

Frontend & browser boundary

What ships to the browser and how it's trusted.

3 checks:
  • Cookies: Missing HttpOnly / Secure / SameSite on session cookies.
  • API Protection: Public endpoints exposing data the UI assumed was protected.
  • Logging: Secrets or personal data written to logs.

AI / LLM specific

Risks unique to AI-built and AI-powered apps.

2 checks:
  • LLM Security: Prompt-injection surfaces and unguarded model/tool access.
  • Rate Limits: Unmetered calls to paid model providers that can run up huge bills.

MCP & agent tool security

The tools your AI agent can discover, call and over-trust.

4 checks:
  • MCP Security: Agent configs that auto-start unpinned MCP packages or shell wrappers.
  • MCP Security: Filesystem MCP roots that expose home/root directories instead of a narrow project path.
  • MCP Security: Remote MCP URLs with plain HTTP, committed credentials or third-party proxy trust decisions.
  • MCP Security: MCP server code with prompt-injection metadata, shell sinks or model-controlled file paths.

SEO & discoverability

Whether your launch can actually be found and shared.

4 checks:
  • SEO: Missing sitemap and robots.txt (or generated routes).
  • SEO: Missing meta description used for search snippets.
  • SEO: Missing Open Graph / Twitter card tags and social preview image.
  • SEO: Missing canonical URL / metadataBase for absolute, de-duplicated URLs.

Launch readiness

The operational basics a public launch assumes are in place.

6 checks:
  • Launch Readiness: Security headers (X-Frame-Options, nosniff, Referrer-Policy, …).
  • Launch Assets: Custom 404 / 500 pages and a robots.txt that doesn't block the whole site.
  • Observability: Error monitoring (Sentry-style) and product analytics presence.
  • Launch Config: Env vars read in code but missing from .env.example.
  • Build Config: Risky build/deploy configuration.
  • Scalability: Patterns that fall over under launch-day traffic.

Legal & privacy

The pages and data-rights paths regulators and platforms expect.

3 checks:
  • Legal Pages: Privacy policy, terms of service and Impressum / legal notice pages.
  • Legal Pages: Cookie-based trackers loaded without a consent banner (GDPR / ePrivacy).
  • Privacy: Self-serve account deletion and personal-data export paths.

Accessibility

Baseline WCAG / EU Accessibility Act signals a static scan can see.

1 check:
  • Accessibility: Images without alt text and form controls without labels.

Dependencies & supply chain

Risk that comes in through your package list.

2 checks:
  • Dependencies: Known-risky or abandoned dependency patterns.
  • Concurrency: Race conditions in critical read-modify-write paths.

Findings are ranked by launch impact, mapped to cost / tenant-data / revenue risk, and — where it's safe — shipped with a reviewable patch. It's tool-aided guidance, not a substitute for a professional audit.
