Every check Heimdall runs, explained.

Exposed API keys and secrets in your code

An exposed API key is any credential, like a Stripe secret key, an OpenAI token, or a database password, that ends up committed to your source code instead of staying in an environment variable. It is the single most common security mistake in vibe-coded projects, and also the most expensive one.

Committed .env files and missing .gitignore rules

Your .env file usually holds every password, database URL, and API key your app needs. Committing it to GitHub, even briefly, exposes all of those at once. This check looks for an exposed .env in your repo and verifies that your .gitignore actively protects future ones.

Plain text and weakly hashed passwords

If your app stores passwords directly, those passwords have to be hashed with a slow, salted algorithm before they touch the database. MD5 and SHA1 do not count. Plain text definitely does not count.

CORS wildcard origins and request security

CORS controls which websites are allowed to call your API from a browser. If your server returns Access-Control-Allow-Origin: *, any site on the internet can send authenticated requests to your endpoints. That is almost never what you actually want.

Missing HTTPS redirects and HSTS headers

Getting an HTTPS certificate is now a default on hosts like Vercel and Netlify. Forcing every visitor onto HTTPS, and telling browsers to refuse the plain HTTP version on future visits, is a separate step that often gets skipped.

Broken access control and IDOR vulnerabilities

Broken access control, often called IDOR (insecure direct object reference), is the single most exploited class of web vulnerability today. It happens when an API route accepts a resource ID from the request and acts on it without checking that the requesting user owns the resource.

Missing rate limiting on sensitive API routes

Rate limiting controls how often a single user, IP, or API key can hit a route. It is the difference between a single failed login attempt and ten thousand per second. Without it, the cheapest attack on your app is also the most damaging.

Sensitive routes without authentication checks

Authentication and authorization are two different things. Auth checks that a user is logged in. Authorization checks that the logged-in user is allowed to do this specific action. This check covers the first one: any sensitive route that is reachable without being logged in at all.

Unvalidated API input on write routes

Every API route that accepts data needs to know exactly what shape that data should take, and reject anything that does not match. Without that check, attackers can send extra fields, wrong types, or oversized payloads that the route was never designed to handle.

Stripe webhook signature verification

Stripe webhooks are how your app learns that a payment succeeded, a subscription was canceled, or a refund went through. If the endpoint does not verify the signature on incoming requests, anyone can fake those events and unlock paid features without paying.

Missing or incomplete privacy policy

A privacy policy explains what data your app collects, how you use it, and how users can see or delete it. It is not optional for any app that takes signups, uses analytics, or accepts payments.

Missing terms of service or user agreement

A terms of service document, sometimes called a user agreement or terms of use, is the contract between your app and its users. It defines what they can do, what you owe them, and what happens when something breaks.

Missing cookie consent banner for GDPR

GDPR requires explicit consent before setting non-essential cookies (analytics, advertising, A/B testing) for users in the EU. A cookie banner is the standard way to capture that consent, and most analytics and ad platforms will refuse to fire without one.

Missing error monitoring in production

Error monitoring captures unhandled exceptions, failed requests, and slow performance in production and routes them to a dashboard you can actually look at. Without it, the first time you hear about a bug is from a user, and only if they bother to email.

Missing product analytics

Product analytics tracks what users actually do inside your app. Which buttons they click, which pages they spend time on, where they bail. Without it, every product decision is a guess.

Missing database indexes on common lookup fields

An index is a precomputed lookup table that lets the database find rows by a specific column in milliseconds instead of scanning the whole table. Forgetting one is invisible at 10 users and crippling at 10,000.

Missing SEO and social sharing basics

Even a great product is hard to find without the basics of search engine and social media metadata. A missing sitemap keeps you out of Google. A missing OG image makes every shared link look broken.