probe / sample report

4 things sample-startup.app is leaking to the open internet.

Probe found one critical issue, two high-risk issues, and one medium launch-readiness issue on this sample public surface. The most urgent problem is public source maps, which can expose implementation details that make auth, billing, and data-access mistakes easier to locate.

Scanned URL: https://sample-startup.app

1 critical2 high1 medium

Public source maps expose app internals

CRITICAL

LOCATION

/_next/static/chunks/[redacted].js.map

CATEGORY

hygiene

CWE

CWE-200

EXPLOITABLE

Yes, unauth

WHAT IS HAPPENING

A public source map is reachable from the production app. Source maps can expose original file paths, package names, route names, comments, and implementation clues that should not be part of the public launch surface.

Attackers do not need source code access to learn how the app is organized. Public source maps can make auth, pricing, payment, and data-access mistakes easier to find.

EVIDENCE

evidence.txt

GET/_next/static/chunks/[redacted].js.map200

observed: sources=turbopack:///packages/[redacted]/node_modules/next/dist/...
state: mappings=true; public source map reachable

PROMPT TO FIX THIS

locked-remediation-prompt.txt

Patch the production build and CDN configuration so public .js.map files are not reachable.

Requirements:
- ...
- ...

Acceptance checks:
- ...

OWASP A01:2021 · Broken Access ControlVerify public *.js.map URLs return 404 or require private Sentry upload access only.

Sample only - real verify requires a paid token.

Wildcard CORS on /api/chat

HIGH

LOCATION

POST /api/chat

CATEGORY

api

CWE

CWE-942

EXPLOITABLE

Needs review

WHAT IS HAPPENING

The sample API route returns a broad CORS policy. That tells browsers that responses may be read from outside origins.

If the route ever returns account, billing, or customer context, broad CORS can turn a server-side mistake into a browser-readable data leak.

EVIDENCE

evidence.txt

POST/api/chat200

observed: access-control-allow-origin=*
observed: access-control-allow-credentials=not set

PROMPT TO FIX THIS

locked-remediation-prompt.txt

Patch the API route so browser-readable origins are restricted to approved app origins.

Requirements:
- ...
- ...

Acceptance checks:
- ...

OWASP A05:2021 · Security MisconfigurationVerify sensitive routes no longer return broad Access-Control-Allow-Origin headers.

Sample only - real verify requires a paid token.

Debug health endpoint exposes deployment details

HIGH

LOCATION

GET /api/health

CATEGORY

api

CWE

CWE-209

EXPLOITABLE

Needs review

WHAT IS HAPPENING

The sample health endpoint returns environment and build details to unauthenticated visitors. Health checks should prove the service is alive without exposing internal deployment context.

Public debug metadata gives attackers a cleaner map of the runtime. Framework versions, deployment regions, and feature flags can turn generic scanning into targeted follow-up.

EVIDENCE

evidence.txt

GET/api/health200

observed: environment=production
observed: build=sample-2026.05.19; region=iad1; debug=true

PROMPT TO FIX THIS

locked-remediation-prompt.txt

Patch the health endpoint so public responses disclose only minimal service status.

Requirements:
- ...
- ...

Acceptance checks:
- ...

OWASP A05:2021 · Security MisconfigurationVerify unauthenticated health checks return only minimal status and no runtime metadata.

Sample only - real verify requires a paid token.

Missing browser security headers

MEDIUM

LOCATION

main public document

CATEGORY

headers

CWE

CWE-693

EXPLOITABLE

Needs review

WHAT IS HAPPENING

The main public document is missing common browser security headers.

Headers such as Content-Security-Policy, Strict-Transport-Security, and frame protection reduce blast radius when another bug exists. Missing headers are not usually the first exploit path, but they weaken launch readiness.

EVIDENCE

evidence.txt

GET/200

missing: Content-Security-Policy
missing: Strict-Transport-Security
missing: X-Frame-Options

PROMPT TO FIX THIS

locked-remediation-prompt.txt

Patch the app and hosting configuration so the public document ships baseline browser security headers.

Requirements:
- ...
- ...

Acceptance checks:
- ...

OWASP A05:2021 · Security MisconfigurationVerify curl -I shows the expected browser security headers after deploy.

Sample only - real verify requires a paid token.

Scan your app

Unlock this for your public URL.

Run the free scan first. Unlock the full audit when Probe finds something worth reviewing.

Scan a URL

4 things sample-startup.app is leaking to the open internet.

Public source maps expose app internals

LOCATION

CATEGORY

CWE i

EXPLOITABLE

WHAT IS HAPPENING

EVIDENCE

PROMPT TO FIX THIS

Wildcard CORS on /api/chat

LOCATION

CATEGORY

CWE i

EXPLOITABLE

WHAT IS HAPPENING

EVIDENCE

PROMPT TO FIX THIS

Debug health endpoint exposes deployment details

LOCATION

CATEGORY

CWE i

EXPLOITABLE

WHAT IS HAPPENING

EVIDENCE

PROMPT TO FIX THIS

Missing browser security headers

LOCATION

CATEGORY

CWE i

EXPLOITABLE

WHAT IS HAPPENING

EVIDENCE

PROMPT TO FIX THIS

Unlock this for your public URL.

CWE

CWE

CWE

CWE