Included in Launch Readiness Assessment

5 Expert-Only Manual Checks

These checks require human judgment — the scanner can't detect them. They're included in every Launch Readiness Assessment ($295).

Why can't the scanner detect these?

The free scan runs 34 automated checks using static code analysis — pattern matching on your source code. These 5 checks require understanding business context: which billing events matter for your specific model, what data is sensitive in your domain, how admin provisioning flows work in practice, and what's configured in external dashboards (not in code).

MAN-01 · Critical · 10–15 min

Ownership & authorization on sensitive data access

Can a logged-in user read or modify another user's data by guessing or iterating record IDs? (IDOR — Insecure Direct Object Reference)

Why the scanner can't detect this

The scanner sees that a route is protected by auth middleware. But it can't understand ownership semantics — it can't determine whether a query like .eq('id', recordId) also has the right .eq('user_id', currentUserId) filter. That requires understanding the business model.

PASS: All checked routes have server-side ownership verification.
FAIL: At least one route accesses records by ID without user ownership check.
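An added illustration of the ownership filter this check looks for (example code written for this page, not the assessment's or Supabase's own code). The in-memory query builder below only mimics the `.select().eq().single()` call shape; the `invoices` rows, user ids and handler names are all constructed for the demo:

```javascript
// Constructed table: two invoices owned by two different users.
const invoices = [
  { id: 1, user_id: 'alice', total: 100 },
  { id: 2, user_id: 'bob',   total: 250 },
];

// Tiny stand-in for a Supabase-style builder (assumption: not the real client).
// Filters accumulate and are applied when single() runs.
function from(rows) {
  const filters = [];
  const q = {
    select() { return q; },
    eq(col, val) { filters.push(r => r[col] === val); return q; },
    // single() mirrors the { data, error } return convention
    single() {
      const data = rows.find(r => filters.every(f => f(r))) ?? null;
      return { data, error: data ? null : { message: 'not found' } };
    },
  };
  return q;
}

// FAIL pattern: the route sits behind auth (currentUserId is known), but the
// query trusts the client-supplied id alone, so any logged-in user can read
// any invoice by iterating ids.
function getInvoiceInsecure(currentUserId, recordId) {
  return from(invoices).select('*').eq('id', recordId).single().data;
}

// PASS pattern: ownership is part of the query itself. A record that belongs
// to someone else looks exactly like a record that does not exist.
function getInvoiceOwned(currentUserId, recordId) {
  return from(invoices)
    .select('*')
    .eq('id', recordId)
    .eq('user_id', currentUserId)
    .single().data;
}

// Same rule for writes: scope the update by owner, and treat "no row matched"
// as a 404 rather than silently succeeding.
function updateInvoiceOwned(currentUserId, recordId, patch) {
  const row = invoices.find(r => r.id === recordId && r.user_id === currentUserId);
  if (!row) return { ok: false, status: 404 };
  Object.assign(row, patch);
  return { ok: true, status: 200 };
}
```

During the review, the question for each route is whether the second `.eq` (or the equivalent RLS policy) is present on every read and write that takes an id from the client, not just whether the route is behind auth middleware.
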

MAN-02 · Critical · 5–10 min

Billing event coverage review

Are all business-critical billing state transitions covered? Not just whether a webhook handler exists, but whether it handles the right events for your specific billing model.

Why the scanner can't detect this

The scanner checks webhook existence and signature verification (BIL-02, BIL-03). It can't know which events are critical for your specific business — subscriptions need different events than one-time payments or credit systems.

PASS: All business-critical events for your billing model have handlers with actual business actions.
FAIL: Missing handler for a critical event, or handler only logs without taking action.
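An added example of how the coverage question can be turned into a boot-time check (written for this page; not the assessment's code). Event names follow Stripe's naming convention; which events count as critical for each billing model, and the handler table itself, are assumptions constructed for the demo:

```javascript
// Assumed critical-event sets per billing model (constructed for the demo).
const CRITICAL_EVENTS = {
  subscription: [
    'checkout.session.completed',
    'invoice.paid',
    'invoice.payment_failed',
    'customer.subscription.updated',
    'customer.subscription.deleted',
  ],
  one_time: ['checkout.session.completed', 'charge.refunded'],
};

// Constructed handler table. Each handler declares the state change it performs
// in `effect`; a null effect is the "handler only logs" FAIL case.
const handlers = {
  'checkout.session.completed':    { effect: 'activate_plan',  run: () => {} },
  'invoice.payment_failed':        { effect: null,             run: (e) => console.log(e.type) },
  'customer.subscription.deleted': { effect: 'revoke_access',  run: () => {} },
};

// Report which required events have no handler, and which have a handler
// that declares no business effect.
function auditWebhookCoverage(model, table) {
  const required = CRITICAL_EVENTS[model];
  if (!required) throw new Error(`unknown billing model: ${model}`);
  const missing = required.filter(ev => !(ev in table));
  const logOnly = required.filter(ev => ev in table && !table[ev].effect);
  return { pass: missing.length === 0 && logOnly.length === 0, missing, logOnly };
}

// A dispatcher that refuses to start with gaps, so the audit runs at deploy
// time rather than being discovered after a customer stops paying.
function buildDispatcher(model, table) {
  const report = auditWebhookCoverage(model, table);
  if (!report.pass) throw new Error(`webhook coverage gaps: ${JSON.stringify(report)}`);
  return (event) => (table[event.type] ?? { run: () => {} }).run(event);
}
```

Run against the constructed table, the subscription audit reports `invoice.paid` and `customer.subscription.updated` as missing and `invoice.payment_failed` as log-only, which is exactly the shape of finding this check produces.
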

MAN-03 · Important · 10 min

Sensitive response exposure review

Do API routes return more data than necessary? Do responses include sensitive fields the client doesn't need — like password_hash, admin_flag, stripe_customer_id, or internal IDs?

Why the scanner can't detect this

A heuristic like detecting select('*') can be automated. But determining what's 'sensitive' in a given business context requires expert judgment — user_id is sensitive in one context, normal in another.

PASS: Responses don't contain sensitive fields beyond what the client needs.
FAIL: Response contains sensitive fields (admin flags, payment data, internal IDs, credentials) the client doesn't need.
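An added example of the allowlist pattern that makes this check pass (written for this page; not the assessment's code). The `userRow` shape and its values are constructed; `password_hash`, `admin_flag` and `stripe_customer_id` are the field names the check above calls out:

```javascript
// Constructed database row, as a naive `select('*')` would return it.
const userRow = {
  id: 42,
  email: 'alice@example.com',
  display_name: 'Alice',
  password_hash: '$2b$12$constructed-hash-value',
  admin_flag: true,
  stripe_customer_id: 'cus_constructed',
  created_at: '2024-01-01',
};

// Allowlists: only named fields leave the server; anything new added to the
// table later is excluded by default instead of leaking by default.
const PUBLIC_USER_FIELDS = ['id', 'display_name', 'created_at'];
const SELF_USER_FIELDS = [...PUBLIC_USER_FIELDS, 'email'];

function pick(row, fields) {
  return Object.fromEntries(fields.filter(f => f in row).map(f => [f, row[f]]));
}

// The response shape depends on who is asking: a user's own profile may carry
// their email, another user's profile never does.
function serializeUser(row, viewerId) {
  return pick(row, row.id === viewerId ? SELF_USER_FIELDS : PUBLIC_USER_FIELDS);
}

// Belt-and-braces guard for tests or a response middleware: walk any response
// body and report denylisted field names wherever they appear, including in
// nested objects and arrays.
const NEVER_IN_RESPONSE = ['password_hash', 'admin_flag', 'stripe_customer_id'];
function leakedFields(body) {
  const found = [];
  const walk = (v) => {
    if (Array.isArray(v)) {
      v.forEach(walk);
    } else if (v && typeof v === 'object') {
      for (const k of Object.keys(v)) {
        if (NEVER_IN_RESPONSE.includes(k)) found.push(k);
        walk(v[k]);
      }
    }
  };
  walk(body);
  return found;
}
```

The allowlist answers the "what does the client need" question per endpoint and per viewer; the denylist walker is the cheap safety net for fields that must never appear regardless of context.
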

MAN-04 · Important · 5–8 min

Supabase project security settings

Is the Supabase project properly configured in the dashboard? Email confirmation, JWT expiry, auth providers, SMTP settings — these live in the dashboard, not in code.

Why the scanner can't detect this

These settings live exclusively in the Supabase dashboard / Management API — they're not in your codebase, so the scanner can't check them.

PASS: Critical settings match production best practices for your app type.
FAIL: Email confirmation disabled, JWT expiry set to 1 year, or Supabase default SMTP used in production.

MAN-05 · Critical · 8–12 min

Admin provisioning & privilege escalation review

How does a user become an admin? Is the process safe, auditable, and resistant to self-escalation? Can a regular user make themselves admin?

Why the scanner can't detect this

The scanner checks admin route protection (ADM-01, ADM-02) and hardcoded credentials (ADM-11). It can't understand the provisioning workflow — 'how does an admin get created in the first place?' requires tracing the entire flow.

PASS: Admin provisioning requires an existing admin, self-escalation is impossible, initial setup is secure.
FAIL: Self-escalation possible, unprotected setup route, or role change without authorization.
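An added example of one provisioning design that satisfies the PASS criteria above (written for this page; not the assessment's code). The in-memory `users` map, the `auditLog`, the `SETUP_TOKEN` environment variable name and the status codes are all assumptions made for the demo:

```javascript
// Constructed user store: two ordinary users, no admin yet.
const users = new Map([
  ['u1', { id: 'u1', role: 'user' }],
  ['u2', { id: 'u2', role: 'user' }],
]);
const auditLog = [];

function adminCount() {
  let n = 0;
  for (const u of users.values()) if (u.role === 'admin') n++;
  return n;
}

// Role changes are authorized from the actor's *stored* role, never from a
// role field in the request body. Changing your own role is rejected outright,
// which closes the self-escalation path, and every change is written to the
// audit log.
function setRole(actorId, targetId, role) {
  const actor = users.get(actorId);
  if (!actor || actor.role !== 'admin') return { ok: false, status: 403 };
  if (actorId === targetId) return { ok: false, status: 400, reason: 'self-change' };
  const target = users.get(targetId);
  if (!target) return { ok: false, status: 404 };
  const before = target.role;
  target.role = role;
  auditLog.push({ actor: actorId, target: targetId, from: before, to: role, at: Date.now() });
  return { ok: true, status: 200 };
}

// First-admin bootstrap: the only path that creates an admin without an
// existing admin. It works solely while zero admins exist and only with a
// secret delivered out of band (assumed env var SETUP_TOKEN), then goes dark.
function bootstrapFirstAdmin(userId, presentedToken, env = process.env) {
  if (adminCount() > 0) return { ok: false, status: 410, reason: 'setup closed' };
  if (!env.SETUP_TOKEN || presentedToken !== env.SETUP_TOKEN) return { ok: false, status: 403 };
  const u = users.get(userId);
  if (!u) return { ok: false, status: 404 };
  u.role = 'admin';
  auditLog.push({ actor: 'setup', target: userId, from: 'user', to: 'admin', at: Date.now() });
  return { ok: true, status: 200 };
}
```

Tracing the flow end to end is the review: every route that can write a role must end up in one of these two functions, the setup route must be closed once an admin exists, and the audit log must record who changed whom.
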

5 manual checks · ~45 min expert review time · 3 P0 critical checks

Get the full picture — automated + manual.

34 automated checks + 5 expert-only manual checks + 3 PDF reports. $295, delivered in 48h.

Limited-scope assessment. Not a certification.