Sample Report

See what you actually get.

This is a redacted example of a VibeSec Pro security assessment report. Real client data has been replaced with fictional examples, but the structure, depth, and format are exactly what you receive with $199/mo VibeSec Pro.

This is a fictional sample. All domains, IPs, and data are examples.
VibeSecAdvisory

Security Assessment Report

Confidential -- Prepared for example-startup.com

Report ID: VBA-2026-0142

Date: March 15, 2026

Assessor: Ryan Macomber

Target Domain: example-startup.com

Scope: External, Non-Invasive

Stack Detected: React + Next.js on Vercel

Overall Grade: C+

1. Executive Summary

The security assessment of example-startup.com reveals a web application with functional SSL/TLS and basic server configuration, but significant gaps in HTTP security headers, CORS policy, and information disclosure controls. The application is built with React and Next.js, deployed on Vercel, and appears to have been developed using AI coding assistants based on observable code patterns.

We identified 7 findings across 4 severity levels. The most critical issues involve a missing Content Security Policy, overly permissive CORS configuration, and exposed source map files that leak source code to anyone with browser developer tools.

Findings by severity: 0 Critical, 2 High, 3 Medium, 2 Low

2. Detailed Findings

VBA-001

Missing Content Security Policy (CSP)

high

Description

The application does not set a Content-Security-Policy header. Without CSP, the browser allows execution of inline scripts, loading of resources from any origin, and provides no protection against cross-site scripting (XSS) attacks.

Evidence

HTTP/2 200 OK
Server: Vercel
X-Powered-By: Next.js
(no Content-Security-Policy header present)

Business Impact

Attackers can inject malicious scripts via XSS vulnerabilities without any browser-level mitigation. This is particularly concerning for applications with user input fields, third-party integrations, or payment forms.

AI-Ready Remediation Prompt

Add a Content-Security-Policy header to our Next.js application. We're deployed on Vercel. Set a restrictive policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example-startup.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'. Add this to next.config.js headers or vercel.json.

VBA-002

Wildcard CORS Policy

high

Description

The API returns Access-Control-Allow-Origin: * on all endpoints, including authenticated routes. This allows any website to make cross-origin requests to your API, potentially accessing user data or performing actions on behalf of authenticated users.

Evidence

curl -i -H "Origin: https://evil.com" https://api.example-startup.com/v1/user

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Business Impact

A malicious site can make API requests using a victim's browser session, potentially reading private data or modifying account settings. This is exploitable whenever a user visits an attacker-controlled page while authenticated.

AI-Ready Remediation Prompt

Fix our CORS configuration to restrict allowed origins. Replace the wildcard (*) with our specific frontend domain: https://example-startup.com. In our API route handlers or middleware, check the Origin header and only return Access-Control-Allow-Origin if it matches our allowed domains. Also add Access-Control-Allow-Credentials: true if we use cookies.
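The origin allowlist that the prompt above asks for, written out as an added example. This is not code from the report or from example-startup.com's API; it is framework-agnostic (a request object with method and headers, a handler returning status and headers), the allowed origins are the report's fictional hostnames, and the choice to answer a disallowed preflight with 403 is an assumption of this example.

```javascript
// Added example: replace a wildcard Access-Control-Allow-Origin with an
// explicit allowlist. Hostnames are the report's fictional examples.

const ALLOWED_ORIGINS = new Set([
  'https://example-startup.com',
  'https://www.example-startup.com',
]);

const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Returns the CORS response headers for a request Origin, or an empty object
// when the Origin is not allowlisted. No ACAO header at all is the correct
// answer for an unknown origin: the browser then refuses to expose the response.
function corsHeadersFor(origin, { credentials = true } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    // Echo the exact allowed origin; '*' is never combined with credentials.
    'Access-Control-Allow-Origin': origin,
    // Caches must key the response on Origin, or one origin's answer leaks to another.
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
  };
  if (credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Preflight (OPTIONS) requests get 204 with the CORS headers when the origin is
// allowed and 403 otherwise (assumption of this example); other requests get
// the CORS headers merged into the handler's response. Returns { status, headers }.
function applyCors(req, handler) {
  const cors = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') {
    return { status: Object.keys(cors).length ? 204 : 403, headers: cors };
  }
  const res = handler(req);
  return { status: res.status, headers: { ...res.headers, ...cors } };
}

// Constructed sample requests mirroring the report's evidence.
const userHandler = () => ({
  status: 200,
  headers: { 'Content-Type': 'application/json' },
});

const fromEvil = applyCors(
  { method: 'GET', headers: { origin: 'https://evil.com' } }, userHandler);
const fromApp = applyCors(
  { method: 'GET', headers: { origin: 'https://example-startup.com' } }, userHandler);

console.log(fromEvil.headers); // no Access-Control-Allow-Origin at all
console.log(fromApp.headers);  // ACAO echoed, Vary: Origin, credentials allowed
```

The credentials flag matters: browsers reject a response that pairs Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, so an API that uses cookies must echo a specific origin as above. Reflecting whatever Origin arrives, without the allowlist check, would reintroduce the finding in a form that scanners do not catch.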
VBA-003

Source Map Files Publicly Accessible

medium

Description

JavaScript source map files (.map) are deployed to production and accessible via direct URL. Source maps contain the original, unminified source code including comments, variable names, and application logic.

Evidence

curl https://example-startup.com/_next/static/chunks/main-abc123.js.map (returns full source map with original source code)

Business Impact

Attackers can read your application's source code, understand business logic, find hardcoded API keys or secrets, and identify additional attack vectors that would otherwise require reverse engineering.

AI-Ready Remediation Prompt

Disable source maps in production for our Next.js app. In next.config.js, set productionBrowserSourceMaps: false. Also check that our build process does not generate .map files for production, or add a post-build script to delete any .map files from the output directory.

VBA-004

Missing X-Frame-Options / frame-ancestors

medium

Description

Neither the X-Frame-Options header nor a CSP frame-ancestors directive is set. This allows the application to be embedded in iframes on any domain, enabling clickjacking attacks.

Evidence

HTTP/2 200 OK
(no X-Frame-Options header)
(no CSP frame-ancestors directive)

Business Impact

An attacker can overlay your application in a hidden iframe on their page, tricking users into clicking buttons or submitting forms they did not intend to. This is especially dangerous for forms that change account settings or initiate payments.

AI-Ready Remediation Prompt

Add X-Frame-Options: DENY header and CSP frame-ancestors 'none' directive to prevent clickjacking. In our Next.js app on Vercel, add these headers to vercel.json or next.config.js headers configuration. Apply to all routes.

VBA-005

Server Version Information Disclosure

medium

Description

HTTP response headers reveal the web framework (Next.js) and server technology (Vercel). While not directly exploitable, this gives attackers specific version information to search for known vulnerabilities.

Evidence

X-Powered-By: Next.js
Server: Vercel

Business Impact

Reduces the effort required for targeted attacks. Attackers can search for CVEs specific to your stack version and craft exploits accordingly.

AI-Ready Remediation Prompt

Remove the X-Powered-By header from our Next.js application. In next.config.js, set poweredByHeader: false. This is a one-line configuration change. Also check if Vercel allows suppressing the Server header through vercel.json headers configuration.

VBA-006

Missing Permissions-Policy Header

low

Description

The Permissions-Policy (formerly Feature-Policy) header is not set. This header controls which browser features the application can use, such as camera, microphone, geolocation, and payment APIs.

Evidence

(no Permissions-Policy header present)

Business Impact

Without this header, any injected third-party script could request access to sensitive browser APIs. While the user would still see a permission prompt, the header provides defense-in-depth by disabling unused features entirely.

AI-Ready Remediation Prompt

Add a Permissions-Policy header to restrict browser features we don't use. Set: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(). Add this to our vercel.json or next.config.js headers. Only enable features your application actually needs.

VBA-007

Missing Referrer-Policy Header

low

Description

No Referrer-Policy header is configured. The browser default behavior varies, and some browsers may send the full URL (including query parameters) as the Referer header to external sites.

Evidence

(no Referrer-Policy header present)

Business Impact

If query parameters contain sensitive data (tokens, user IDs, search terms), this data could leak to external sites through the Referer header when users click outbound links.

AI-Ready Remediation Prompt

Add a Referrer-Policy: strict-origin-when-cross-origin header to our application. This sends only the origin (domain) to external sites and the full URL only to same-origin requests. Add to vercel.json or next.config.js headers configuration.

3. Security Headers Analysis

Header                        Status   Value
Strict-Transport-Security     PASS     max-age=63072000; includeSubDomains; preload
Content-Security-Policy       FAIL     (not set)
X-Frame-Options               FAIL     (not set)
X-Content-Type-Options        PASS     nosniff
Referrer-Policy               MISSING  (not set)
Permissions-Policy            MISSING  (not set)
X-XSS-Protection              WARN     0 (deprecated, but CSP absent)
Cross-Origin-Opener-Policy    PASS     same-origin
Cross-Origin-Resource-Policy  MISSING  (not set)
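A checker that grades a response's headers the way the table above does, as an added example; it is not part of the report or of VibeSec's tooling. It takes an already-fetched header map so it runs offline, the sample map is constructed to match the report's evidence, and the PASS/WARN thresholds (a one-year HSTS max-age, no 'unsafe-inline' in script-src, only DENY or SAMEORIGIN for X-Frame-Options) are this example's choices rather than criteria the report states.

```javascript
// Added example: grade a header map as PASS / FAIL / MISSING / WARN.
// Thresholds below are this example's assumptions, not the report's criteria.

const MIN_HSTS_AGE = 31536000; // one year, the preload-list minimum

// Each rule: header name, whether absence is FAIL (required) or MISSING
// (recommended), and an optional validator returning 'PASS' or 'WARN'.
const RULES = [
  { name: 'Strict-Transport-Security', required: true, check: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      return m && Number(m[1]) >= MIN_HSTS_AGE ? 'PASS' : 'WARN';
  } },
  { name: 'Content-Security-Policy', required: true, check: (v) => {
      // A script-src that permits inline code gives little XSS protection.
      const script = v.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src'));
      return script && script.includes("'unsafe-inline'") ? 'WARN' : 'PASS';
  } },
  { name: 'X-Frame-Options', required: true, check: (v) =>
      ['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()) ? 'PASS' : 'WARN' },
  { name: 'X-Content-Type-Options', required: true, check: (v) =>
      v.trim().toLowerCase() === 'nosniff' ? 'PASS' : 'WARN' },
  { name: 'Referrer-Policy', required: false },
  { name: 'Permissions-Policy', required: false },
  { name: 'Cross-Origin-Opener-Policy', required: false },
  { name: 'Cross-Origin-Resource-Policy', required: false },
];

// HTTP header names are case-insensitive, so compare them in lower case.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns [{ header, status, value }] for every rule, plus a WARN row for
// X-XSS-Protection when it is present but no CSP backs it up (as in the report).
function auditHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const results = RULES.map((rule) => {
    const value = h[rule.name.toLowerCase()];
    if (value === undefined) {
      return { header: rule.name, status: rule.required ? 'FAIL' : 'MISSING', value: '(not set)' };
    }
    return { header: rule.name, status: rule.check ? rule.check(value) : 'PASS', value };
  });
  if (h['x-xss-protection'] !== undefined && h['content-security-policy'] === undefined) {
    results.push({
      header: 'X-XSS-Protection',
      status: 'WARN',
      value: `${h['x-xss-protection']} (deprecated, but CSP absent)`,
    });
  }
  return results;
}

// Constructed sample matching the report's observations for example-startup.com.
const SAMPLE_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '0',
  'cross-origin-opener-policy': 'same-origin',
  'server': 'Vercel',
  'x-powered-by': 'Next.js',
};

const report = auditHeaders(SAMPLE_HEADERS);
for (const r of report) {
  console.log(`${r.header.padEnd(30)} ${r.status.padEnd(8)} ${r.value}`);
}
```

To run it against a live site, feed it the header map from a fetch() response (Object.fromEntries(res.headers)); running it in CI against a preview deployment catches a header that a later config change silently drops.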
4. SSL/TLS Configuration

Certificate Valid: Yes (Let's Encrypt, expires Aug 2026)
Protocol: TLS 1.3 + TLS 1.2
HSTS Enabled: Yes, with preload
HTTP to HTTPS Redirect: Yes (301)
Cipher Suites: Modern (AEAD only)
Certificate Chain: Complete
OCSP Stapling: Enabled
SSL Labs Grade: A
5. Infrastructure Fingerprint

Hosting: Vercel (Edge Network)
Framework: Next.js 14.x
CDN: Vercel Edge
DNS Provider: Cloudflare
Analytics: Google Analytics (GA4)
WAF: None detected

6. Prioritized Recommendations

#  Recommendation                           Est. time  Finding  Severity
1  Implement Content Security Policy        ~30 min    VBA-001  high
2  Restrict CORS to specific origins        ~15 min    VBA-002  high
3  Disable production source maps           ~5 min     VBA-003  medium
4  Add X-Frame-Options and frame-ancestors  ~10 min    VBA-004  medium
5  Remove X-Powered-By header               ~5 min     VBA-005  medium
6  Add Permissions-Policy header            ~10 min    VBA-006  low
7  Add Referrer-Policy header               ~5 min     VBA-007  low

Estimated total fix time: ~1.5 hours. Each finding above includes an AI-ready remediation prompt you can paste directly into Cursor, Claude Code, or your preferred AI coding assistant.
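The remediation prompts for VBA-001 and VBA-003 through VBA-007 all end up in the same file, next.config.js, so here they are consolidated into one configuration as an added example. This is not configuration from the report or from example-startup.com; it uses the CSP and hostnames the report proposes, and the route pattern '/:path*' and the X-Content-Type-Options header (already passing in the report) are this example's additions. VBA-002 is not here because CORS is decided per request in the API route or middleware, not in static headers.

```javascript
// next.config.js -- added example consolidating VBA-001, VBA-003, VBA-004,
// VBA-005, VBA-006 and VBA-007. Hostnames are the report's fictional examples;
// the CSP is the report's proposed policy and must be tuned to the real app.

const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': ["'self'", 'https://api.example-startup.com'],
  'frame-ancestors': ["'none'"], // the CSP half of the VBA-004 fix
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
};

// Serialises the directive map into a single header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Static headers applied to every route (VBA-001, VBA-004, VBA-006, VBA-007).
const securityHeaders = [
  { key: 'Content-Security-Policy', value: buildCsp(CSP_DIRECTIVES) },
  { key: 'X-Frame-Options', value: 'DENY' }, // legacy half of the VBA-004 fix
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), payment=(), usb=()' },
  { key: 'X-Content-Type-Options', value: 'nosniff' }, // already passing; kept explicit
];

const nextConfig = {
  poweredByHeader: false,             // VBA-005: drop X-Powered-By
  productionBrowserSourceMaps: false, // VBA-003: no .map files in production builds
  async headers() {
    // '/:path*' matches every route, including the root (assumption: the app
    // has no route that must opt out; use a second entry for exceptions).
    return [{ source: '/:path*', headers: securityHeaders }];
  },
};

// Next.js loads next.config.js as CommonJS; guarded so this file also parses as ESM.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

Two things to check before shipping this: Next.js injects inline bootstrap scripts, so a script-src of 'self' alone can break hydration unless a per-request nonce or hash is added, and the safest rollout is to serve the policy as Content-Security-Policy-Report-Only on a preview deployment first and watch the reports. The Server: Vercel header is platform-controlled and is not addressed by this file.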

Ready to see your own report?

$199/mo. On-demand scans. No calls, no contracts. Submit your domain and get a report exactly like this one -- but for your application.

Every finding includes AI-ready remediation prompts you can paste directly into your coding assistant.