Read the submitted page
DNS is pinned to a public address. Redirects are revalidated. Response size and time are capped.
Evidence before launch
Scan the public surface for risky defaults, exposed credentials, and missing browser defenses before users arrive.
Public-surface scan
How it works
LaunchLint is intentionally non-invasive. It checks what any visitor can download, then maps each result to a maintained remediation rule.
DNS is pinned to a public address. Redirects are revalidated. Response size and time are capped.
The page and up to five same-origin scripts are checked without executing JavaScript or probing endpoints.
Every result includes masked evidence, remediation, acceptance criteria, and a copy-ready coding-agent prompt.
Inspection scope
Public client identifiers are not mislabeled as secrets. Unsupported claims are left out of the report.
CSP, frame protection, MIME sniffing, referrer and capability policies.
Secure, HttpOnly, and SameSite flags on cookies visible in the response.
High-confidence production credential formats with masked evidence.
Public source map references in same-origin production JavaScript.
HSTS, mixed content, and password forms posting over HTTP.
Deterministic repair packs for detected frameworks and hosting platforms.
Report evidence
The free scan shows priority issues. The complete report adds full remediation, passed checks, and stack-aware agent instructions.
Read the AI-built app security checklistInjected scripts and unexpected third-party resources have fewer browser-level restrictions.
No Content-Security-Policy header was returned.Add the policy through the headers() function in next.config.ts, preserve existing directives, then run lint, tests, and a production build.
Founding price
No subscription is required for the initial launch report.
Questions
LaunchLint reads the public response for the URL you submit and up to five same-origin JavaScript files referenced by that page. It checks browser security headers, cookie flags, mixed content, source maps, and a small set of high-confidence secret formats.
No. LaunchLint does not sign in, submit forms, enumerate endpoints, probe databases, or attempt an exploit. It is a public-surface launch preflight, not a penetration test.
No. The scanner and remediation library are deterministic. LaunchLint does not send the inspected response, suspected secrets, or report content to a large language model.
No. Public client identifiers are not reported as secrets. LaunchLint reports only supported high-confidence formats such as a Supabase service-role token or a production secret key.
The one-time Launch Report includes every finding, every passed check, masked evidence, stack-aware remediation, and copy-ready instructions for coding agents. It is formatted for printing or saving as PDF.
No. The score summarizes only the checks LaunchLint performed on the public surface. Business-logic flaws, authenticated features, infrastructure, dependencies, and private services require additional review.