Your app is live. Make sure its data and secrets are safe.
TaskBounty checks deployed JavaScript and TypeScript apps for confirmed frontend, Supabase, Firebase, API, storage, and transport issues. We can fix what we find and verify the result.
Permission required. Read-only by default. No customer rows downloaded. No changes without approval.
Built for apps shipped with
What we check
Every finding fires only on a real, verifiable pattern, so the report is high signal and low noise. If something cannot be confirmed, we say so instead of guessing.
Secrets in the frontend
- Supabase service_role or sb_secret keys shipped to the browser
- Stripe, OpenAI, Anthropic, AWS, Google, GitHub and other secret keys
- Private key blocks and tokens in JS bundles and config
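How a bundle check of this kind can work, as an added example that is not TaskBounty's own scanner: it scans downloaded JavaScript text for a few well-known secret formats and decodes any JWT it finds so a Supabase key whose role is service_role is flagged while the matching anon key is not. The patterns, the fake project ref, the constructed bundle and the placeholder signature are assumptions made for the example; real keys are never printed in full.

```javascript
// Added example, not TaskBounty's code. Patterns below are assumptions based on
// publicly documented key prefixes; the fake bundle and keys are constructed here.
const SECRET_PATTERNS = [
  { name: 'Supabase secret API key', re: /\bsb_secret_[A-Za-z0-9_-]{10,}/g },
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{20,}/g },
  { name: 'Anthropic API key', re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g },
];
// Any three-part base64url token starting with the "{" of a JSON header.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function redact(s) {
  // Keep only enough of the match to locate it in the bundle.
  return s.slice(0, 8) + '...' + s.slice(-4);
}

function decodeJwtPayload(token) {
  // No signature check: we only want to know what the token claims to be.
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function scanBundle(text) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind: name, sample: redact(m[0]), offset: m.index });
    }
  }
  for (const m of text.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(m[0]);
    // Supabase legacy keys are JWTs issued by "supabase"; only the
    // service_role variant bypasses row-level security and must never ship.
    if (payload && payload.iss === 'supabase' && payload.role === 'service_role') {
      findings.push({ kind: 'Supabase service_role key', sample: redact(m[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed test data: a Supabase-shaped JWT with a placeholder signature.
function makeFakeSupabaseJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const header = b64({ alg: 'HS256', typ: 'JWT' });
  const payload = b64({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role });
  return `${header}.${payload}.${'x'.repeat(43)}`;
}

const SAMPLE_BUNDLE = `
const supabase = createClient("https://abcdefghijklmnopqrst.supabase.co", "${makeFakeSupabaseJwt('anon')}");
const admin = createClient("https://abcdefghijklmnopqrst.supabase.co", "${makeFakeSupabaseJwt('service_role')}");
const stripe = "sk_live_${'A'.repeat(24)}";
`;
```

Running `scanBundle(SAMPLE_BUNDLE)` reports the Stripe key and the service_role JWT and stays silent on the anon key, which is meant to be public. Decoding the JWT payload is what keeps the check high signal: a prefix match alone cannot tell the two Supabase keys apart.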
Supabase and Firebase
- Live row-level-security check: which tables your public key can read
- Public Storage buckets and anon-callable database functions
- Open Firebase Realtime Database instances, plus an advisory when Firestore is in use
- Optional, separately approved write test
API exposure
- Public GraphQL introspection on your own backend
- Public OpenAPI or Swagger schemas
- Config endpoints scanned for real secrets
Exposed files
- .env files, .git directory, .npmrc, package.json and lockfiles
- Public source maps that expose your original source
Transport and headers
- HTTPS enforcement and TLS certificate health
- Security headers and cookie flags (HttpOnly, Secure, SameSite)
- Dangerous CORS and mixed content
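What a header and cookie-flag check looks like in code, as an added example that is not TaskBounty's own tooling. It takes one response's headers as a plain object (lowercase names, `set-cookie` as an array, since a response can set several cookies) and returns a list of findings. The one-year HSTS threshold and the sample headers are assumptions made for the example.

```javascript
// Added example, not TaskBounty's code. Input shape and thresholds are assumptions.
function parseSetCookie(line) {
  const [nameValue, ...attrs] = line.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const flags = {};
  for (const a of attrs) {
    const [k, v] = a.split('=');
    // Flags like Secure and HttpOnly have no value; SameSite and Path do.
    flags[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, flags };
}

function auditHeaders(h) {
  const findings = [];
  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [])[1]) : NaN;
  if (!hsts) findings.push('HSTS missing');
  else if (!(maxAge >= 31536000)) findings.push('HSTS max-age below one year'); // assumed threshold
  if (!h['content-security-policy']) findings.push('CSP missing');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options nosniff missing');
  }
  // Static snapshot can only catch the obvious CORS mistake; detecting an
  // origin reflected with credentials needs a second request with a foreign Origin.
  if (h['access-control-allow-origin'] === '*' &&
      (h['access-control-allow-credentials'] || '').toLowerCase() === 'true') {
    findings.push('CORS: wildcard origin combined with credentials');
  }
  for (const line of h['set-cookie'] || []) {
    const { name, flags } = parseSetCookie(line);
    if (!flags.secure) findings.push(`cookie ${name}: Secure missing`);
    if (!flags.httponly) findings.push(`cookie ${name}: HttpOnly missing`);
    if (!flags.samesite) findings.push(`cookie ${name}: SameSite missing`);
    else if (String(flags.samesite).toLowerCase() === 'none' && !flags.secure) {
      findings.push(`cookie ${name}: SameSite=None requires Secure`);
    }
  }
  return findings;
}

// Constructed sample: HSTS and CSP are fine, nosniff is absent, two cookies are weak.
const SAMPLE_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'",
  'set-cookie': [
    'session=abc123; Path=/; HttpOnly',
    'theme=dark; Path=/; Secure; SameSite=Lax',
  ],
};
```

`auditHeaders(SAMPLE_HEADERS)` returns four findings: the missing nosniff header, the session cookie without Secure and SameSite, and the theme cookie without HttpOnly. The session cookie is the one that matters; a theme preference readable from script is not a secret, which is the kind of judgement the human review step is for.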
How authorization works
We only scan apps we are explicitly authorized to scan, and we keep a record of that authorization.
Call and approval
We agree on the app, the scope, and what is in and out of bounds. You approve the scan, in writing or on a call.
Recorded scope
We record who approved it, their role, the channel and time, the approved scan mode, and any excluded routes or environments.
Read-only scan
We scan only what a browser already downloads and verify access from the outside. No rows are downloaded. The write test stays separately permissioned.
Eliott reviews
Every finding is checked by a human before it leaves the building. No raw scanner output is sent to you or anyone else.
Private report
You get a clean, customer-safe report with what is exposed, why it matters, and how to fix it.
A sample report
An anonymized example of what you receive. Plain English, no raw output.
App Safety Report
example-app.lovable.app
- Database access. Row-level security off on 3 tables: users, orders, messages
- Secret in frontend. A Supabase service_role key was shipped in the JS bundle
- HTTPS. Enforced, valid certificate
- Exposed files. No .env, .git, or source maps reachable
- Security headers. CSP, HSTS, and nosniff present
Prepared by Eliott, TaskBounty. Sample, anonymized. Real reports include exact fix steps.
From finding to verified fix
Approved report
You review the findings and approve what we fix.
We fix it
We close the confirmed issues: row-level security, secrets out of the frontend, headers, cookie flags, open buckets.
We re-scan
We re-run the affected checks to confirm each issue is actually resolved.
Before and after
You get a before-and-after report you can keep and share.
Fix it once, or keep it safe all year
Pay only to fix real, confirmed problems. The annual plan is the best value and keeps you covered after every release.
Each hardening price covers only the confirmed findings in the agreed report. New features, architecture changes, incident response, compliance work, and unrelated defects are quoted separately.
What this is not
- A full penetration test. We do not exploit, pivot, or test business logic and authentication flows by hand.
- A compliance certification. We do not issue SOC 2, ISO, HIPAA, or PCI attestations.
- An incident-response retainer. If you are actively breached, contact a specialist.
- A guarantee that every possible vulnerability will be found. We report confirmed, verifiable issues only.
Questions
What data can you access during a scan?
Only what a browser already downloads, plus outside-in checks that ask your database how many rows the public key can see, never the rows themselves. We never log in, never download your data, and never run anything inside your app.
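One way the count-only check behind the live row-level-security item above can be done against a Supabase project, as an added example that is not TaskBounty's own code. It assumes the project exposes PostgREST at `<baseUrl>/rest/v1` and uses a HEAD request with `Prefer: count=exact`, so the total comes back in the `Content-Range` header and no row data is transferred. The `fakeSupabase` stand-in, its table counts and the project URL in the usage are constructed so the example runs offline; the verdict names are this example's own.

```javascript
// Added example, not TaskBounty's scanner. Requires Node 18+ for fetch/Response.
function parseContentRangeTotal(value) {
  // PostgREST answers e.g. "0-24/3241", "*/0" when nothing is visible, or
  // "0-24/*" when no exact count was requested.
  const m = /\/(\d+|\*)$/.exec(value || '');
  if (!m || m[1] === '*') return null;
  return Number(m[1]);
}

function classifyProbe(status, total) {
  if (status === 404) return 'not_exposed';             // table absent or not in the exposed schema
  if (status === 401 || status === 403) return 'denied'; // key rejected, or anon has no privilege on the table
  if (status !== 200 && status !== 206) return 'unknown';
  if (total === null) return 'unknown';
  if (total > 0) return 'readable';                      // anon can read rows: RLS off or too permissive
  return 'blocked_or_empty';                             // RLS hides everything, or the table is empty
}

async function probeTable(baseUrl, anonKey, table, fetchImpl = fetch) {
  const url = `${baseUrl}/rest/v1/${encodeURIComponent(table)}?select=*`;
  const res = await fetchImpl(url, {
    method: 'HEAD', // no body, so no customer rows leave the database
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}`, Prefer: 'count=exact' },
  });
  const total = parseContentRangeTotal(res.headers.get('content-range'));
  return { table, status: res.status, total, verdict: classifyProbe(res.status, total) };
}

function probeTables(baseUrl, anonKey, tables, fetchImpl = fetch) {
  return Promise.all(tables.map((t) => probeTable(baseUrl, anonKey, t, fetchImpl)));
}

// Constructed offline stand-in for a project: users is readable by anon,
// orders is fully hidden by RLS, anything else is not exposed.
function fakeSupabase(url, init) {
  if (init.method !== 'HEAD' || !init.headers.apikey) throw new Error('unexpected request');
  const table = new URL(url).pathname.split('/').pop();
  const visible = { users: 1203, orders: 0 };
  if (!(table in visible)) return Promise.resolve(new Response(null, { status: 404 }));
  const n = visible[table];
  const range = n === 0 ? '*/0' : `0-${Math.min(n, 1000) - 1}/${n}`;
  return Promise.resolve(new Response(null, { status: 200, headers: { 'content-range': range } }));
}
```

`probeTables('https://abcdefghijklmnopqrst.supabase.co', anonKey, ['users', 'orders', 'messages'], fakeSupabase)` resolves to verdicts `readable`, `blocked_or_empty` and `not_exposed`. A count of zero is deliberately reported as inconclusive: from outside, an empty table and a table locked down by RLS look the same, which is why the separately approved write test exists.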
Do you ever write to my database?
Only if you separately approve the write test. It attempts an empty insert to prove whether writes are blocked; it does not create real data, and in the rare case a row is created it is deleted. The general scan never writes.
How often do you scan if I am on monitoring?
Weekly scheduled scans, plus a re-scan after a major release when you ask for one. You get a regression alert as soon as a scan finds that something has changed, and a clean monthly report.
Can I cancel monitoring?
Yes. Monthly monitoring can be cancelled any time. The annual plan is paid once and covers a full year.
What exactly does a hardening price cover?
Only the confirmed findings in the agreed report. New features, architecture changes, incident response, compliance work, and unrelated defects are quoted separately.
Review your scan or request one
If we have already scanned your app with your approval, reply and we will walk you through the findings. If you want a new scan, paste your URL and confirm you control the app.
Prefer email? Reach Eliott directly at eliott@gettaskbounty.com.