
vibeAudit Self-Scan Report

We scanned our own app. Full transparency.

April 2026

vibeAudit Score (after fixes): 91/100
Before fixes: 42/100. After fixes: 91/100.
Findings: 5
Fixed: 5
Total fix time: ~60 min

Findings (all fixed)

Missing Content-Security-Policy Headers
Severity: MEDIUM | Status: FIXED

Responses carried no Content-Security-Policy header, so an XSS payload could load scripts from arbitrary external origins.

Fix

Added CSP header in security middleware.

Time to fix: 5 minutes

Stack Traces Leaking to Browser
Severity: HIGH | Status: FIXED

FastAPI debug mode returned full Python tracebacks including file paths, library versions, and internal function names.

Fix

Added production error handler returning generic error messages.

Time to fix: 10 minutes

No Rate Limiting on Scan Endpoint
Severity: HIGH | Status: FIXED

The /api/scan endpoint had no rate limiting, so an attacker could hammer it with thousands of requests.

Fix

Added rate limiter (5 scans/minute per IP).

Time to fix: 15 minutes

Session Tokens in URL Parameters
Severity: MEDIUM | Status: FIXED

Session data was passed in query strings, where it is visible in server logs and browser history.

Fix

Moved session data to cookies flagged HttpOnly and Secure.

Time to fix: 20 minutes

Open Redirect on Payment Success
Severity: MEDIUM | Status: FIXED

The post-payment success redirect URL was not validated, so an attacker could craft a link that sent users to a phishing site after they paid.

Fix

Added allowlist validation for redirect destinations.

Time to fix: 10 minutes
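One way to implement the redirect allowlist described above, as an added example that is not vibeAudit's own code: a stdlib-only validator that a FastAPI handler could call before building its RedirectResponse. The allowed hosts and the fallback path are constructed placeholders; the real list is not on the page. It also covers the usual bypasses (scheme-relative "//host", backslash and "///host" variants, userinfo tricks, look-alike subdomains, non-http schemes and header-splitting characters).

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed placeholders: the real vibeAudit allowlist and landing page are not on the page.
ALLOWED_REDIRECT_HOSTS = frozenset({"app.example.com", "example.com"})
FALLBACK_AFTER_PAYMENT = "/dashboard"


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_REDIRECT_HOSTS,
                         fallback: str = FALLBACK_AFTER_PAYMENT) -> str:
    """Return ``raw`` only if it is a same-site path or an absolute http(s) URL whose
    host is on the allowlist (exact match); otherwise return ``fallback``."""
    if not raw:
        return fallback
    candidate = raw.strip()
    # CR/LF or other control characters could split the Location header or confuse parsers.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: require exactly one leading "/". urlsplit sees no netloc
        # for "///host", but browsers resolve it as a scheme-relative URL to "host".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback         # javascript:, data:, custom schemes
    if parts.username is not None or parts.password is not None:
        return fallback         # "https://app.example.com@evil.example" really goes to evil.example
    host = parts.hostname       # lower-cased, without port or userinfo
    if host is None or host not in {h.lower() for h in allowed_hosts}:
        return fallback         # "app.example.com.evil.example" is not a match
    return candidate


# In a FastAPI handler (not imported here so the module runs stand-alone):
#     target = safe_redirect_target(request.query_params.get("next"))
#     return RedirectResponse(url=target, status_code=303)
```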

Total time to fix all 5 issues: ~60 minutes

Every app has vulnerabilities. Including security tools. The difference is whether you find them before your users do.

Scan your app too. Free, 30 seconds, read-only.