Security · Next.js + Supabase · 33 deep checks

Audit your Next.js before your auditor does it for you.

Thirty-three production-grade checks across headers, RLS, supply chain, CI, and secrets. A weighted 0–100 score with severity-graded findings. A downloadable PDF. In under 30 seconds — from someone who's watched these fail from inside the bank.

Checks: 33 · Runtime: ~30s · Output: PDF + JSON · Sign-up: None
How it works

Three steps. Under a minute. No setup required.

01

Paste a public repo URL

Any public GitHub repo. No login. No install. No GitHub App to approve.

02

We run the checks via the git tree API

Headers, RLS, SECURITY DEFINER, dependency pinning, CI, Dependabot, dangerous HTML. Everything is read from the committed tree; nothing is cloned, built or executed. ~30 seconds.

03

Get a score, a verdict, and a PDF

0–100 weighted score. A–F grade. PASS/WARN/FAIL per check. Downloadable report.

Coverage · 33 checks

Every check I actually run against my own SaaS work — exposed.

Each finding has a severity weight (CRITICAL → INFO). Each result tells you why it matters and how to fix it. No false-positive spam from a heavy SAST tool.

Next.js Headers
9 checks · CRITICAL → LOW
  • Content-Security-Policy header
  • CSP quality (no unsafe-inline/eval/wildcard)
  • Strict-Transport-Security header
  • HSTS quality (max-age ≥ 1y, includeSubDomains, preload)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options or frame-ancestors
  • Referrer-Policy strict
  • Permissions-Policy restrictive
  • X-Powered-By disabled
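Two of the header checks above, CSP quality and HSTS quality, written out as small functions. This is an added example and not nextcheck's own code; it assumes the input is the `{ key, value }` array that a Next.js `next.config.js` returns from its `headers()` hook, and the two header sets at the bottom are constructed for the example. The status thresholds (FAIL for unsafe-inline, unsafe-eval, a bare `*`, or a sub-year max-age; WARN for wildcard hosts or a missing includeSubDomains/preload) are this example's choices.

```javascript
// Added example, not nextcheck's own code: CSP-quality and HSTS-quality checks
// over the `headers` array a Next.js next.config.js returns from headers().
// Sample inputs below are constructed for this example.

const ONE_YEAR = 31536000; // seconds; the "max-age >= 1y" threshold

// Case-insensitive lookup of a header value in a Next.js-style headers array.
function findHeader(headers, name) {
  const hit = headers.find((h) => h.key.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(value) {
  const directives = Object.create(null);
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// CSP quality: 'unsafe-inline', 'unsafe-eval' or a bare * in any directive
// defeats the policy (FAIL); a wildcard host such as https://*.cdn.example is a WARN.
function checkCsp(headers) {
  const raw = findHeader(headers, "Content-Security-Policy");
  if (raw === null) return { id: "csp", status: "FAIL", detail: "no Content-Security-Policy header" };
  const fails = [];
  const warns = [];
  for (const [name, sources] of Object.entries(parseCsp(raw))) {
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === "*") fails.push(`${name} allows ${s}`);
      else if (s.includes("*")) warns.push(`${name} uses wildcard host ${s}`);
    }
  }
  if (fails.length) return { id: "csp", status: "FAIL", detail: fails.join("; ") };
  if (warns.length) return { id: "csp", status: "WARN", detail: warns.join("; ") };
  return { id: "csp", status: "PASS", detail: "no unsafe-inline/eval/wildcard sources" };
}

// HSTS quality: max-age must be at least one year (FAIL otherwise);
// includeSubDomains and preload are expected (WARN if either is missing).
function checkHsts(headers) {
  const raw = findHeader(headers, "Strict-Transport-Security");
  if (raw === null) return { id: "hsts", status: "FAIL", detail: "no Strict-Transport-Security header" };
  const tokens = raw.split(";").map((t) => t.trim().toLowerCase()).filter(Boolean);
  const maxAgeTok = tokens.find((t) => t.startsWith("max-age="));
  const maxAge = maxAgeTok ? Number(maxAgeTok.slice("max-age=".length)) : NaN;
  if (!Number.isFinite(maxAge) || maxAge < ONE_YEAR) {
    const shown = maxAgeTok ? maxAge : "missing";
    return { id: "hsts", status: "FAIL", detail: `max-age ${shown} is below one year (${ONE_YEAR})` };
  }
  const missing = ["includesubdomains", "preload"].filter((t) => !tokens.includes(t));
  if (missing.length) return { id: "hsts", status: "WARN", detail: `missing ${missing.join(", ")}` };
  return { id: "hsts", status: "PASS", detail: "max-age >= 1y with includeSubDomains and preload" };
}

function runHeaderChecks(headers) {
  return [checkCsp(headers), checkHsts(headers)];
}

// Constructed sample: a first attempt that looks hardened but is not.
const weakHeaders = [
  { key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example; frame-ancestors 'none'" },
  { key: "Strict-Transport-Security", value: "max-age=86400" },
];

// Constructed sample: nonce-based script-src, one-year-plus HSTS with both flags.
const strongHeaders = [
  { key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; frame-ancestors 'none'" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
];

console.log(JSON.stringify(runHeaderChecks(weakHeaders), null, 2));
```

The weak set fails both checks: `script-src` carries `'unsafe-inline'`, and a one-day `max-age` means HSTS protection lapses after a day. Note that a wildcard host on its own only warns here; whether that is acceptable depends on what the wildcard covers.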
React & Code Quality
6 checks · CRITICAL → LOW
  • .env files in .gitignore
  • No console.log in app/
  • No dangerouslySetInnerHTML
  • No eval() / new Function()
  • target=_blank with rel=noopener noreferrer
  • No tokens/secrets in localStorage
Supabase & RLS
6 checks · CRITICAL → MEDIUM
  • RLS enabled on user-facing tables
  • RLS policies exist (not just ENABLE)
  • No permissive policies (USING true / role='authenticated')
  • SECURITY DEFINER + REVOKE EXECUTE
  • SECURITY DEFINER + explicit search_path
  • service_role key not in client code
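The first five checks in this group can be done statically against a migration file, which is all an audit over the git tree API can see. The scanner below is an added example and not nextcheck's own code: it splits a migration into statements, tracks which tables have RLS enabled and what policies exist, flags `USING (true)` and `auth.role() = 'authenticated'` policies, and checks every `SECURITY DEFINER` function for both `SET search_path` and a `REVOKE EXECUTE`. The migration text is constructed for the example, the check ids and the WARN/FAIL split are this example's choices, and the regex parsing is deliberately simple (it assumes one statement per `;` outside `$$` bodies).

```javascript
// Added example, not nextcheck's own code: a static scan of a Supabase migration
// for the "Supabase & RLS" checks listed above. It reads SQL text only, with no
// database connection. The migration below is constructed for this example.

const sampleMigration = `
create table public.profiles (id uuid primary key, display_name text);
alter table public.profiles enable row level security;
-- meant as "profiles are public", but USING (true) on FOR ALL also allows writes
create policy "profiles_all" on public.profiles for all using (true);

create table public.orders (id bigserial primary key, user_id uuid not null, total numeric);
alter table public.orders enable row level security;
create policy "orders_owner" on public.orders for all
  using (auth.uid() = user_id) with check (auth.uid() = user_id);

create table public.audit_log (id bigserial primary key, event jsonb);

create or replace function public.admin_delete_user(target uuid)
returns void language plpgsql security definer as $$
begin
  delete from auth.users where id = target;
end;
$$;

create or replace function public.safe_lookup(handle text)
returns uuid language sql security definer set search_path = public as $$
  select id from public.profiles where display_name = handle;
$$;
revoke execute on function public.safe_lookup(text) from public, anon, authenticated;
`;

// Drop comments and dollar-quoted bodies (a ';' inside a body must not split the
// statement), then split on ';' and normalise whitespace and case.
function splitStatements(sql) {
  const stripped = sql.replace(/--[^\n]*/g, "").replace(/\$\$[\s\S]*?\$\$/g, () => "<body>");
  return stripped.split(";").map((s) => s.replace(/\s+/g, " ").trim().toLowerCase()).filter(Boolean);
}

const NAME = "(?:public\\.)?(\\w+)";
// USING (true) / WITH CHECK (true), or a role check that any logged-in user satisfies.
const PERMISSIVE = /(using|with check)\s*\(\s*(true|auth\.role\(\)\s*=\s*'authenticated')\s*\)/;

function scanMigration(sql) {
  const tables = new Map();    // name -> { rls, policies: [{ permissive }] }
  const functions = new Map(); // name -> { definer, searchPath, revoked }
  const table = (n) => tables.get(n) ?? tables.set(n, { rls: false, policies: [] }).get(n);
  const fn = (n) => functions.get(n) ?? functions.set(n, { definer: false, searchPath: false, revoked: false }).get(n);
  for (const st of splitStatements(sql)) {
    let m;
    if ((m = st.match(new RegExp(`^create table (?:if not exists )?${NAME}`)))) table(m[1]);
    else if ((m = st.match(new RegExp(`^alter table (?:only )?${NAME} enable row level security`)))) table(m[1]).rls = true;
    else if ((m = st.match(new RegExp(`^create policy .*? on ${NAME}`)))) table(m[1]).policies.push({ permissive: PERMISSIVE.test(st) });
    else if ((m = st.match(new RegExp(`^create (?:or replace )?function ${NAME}`)))) {
      const f = fn(m[1]);
      f.definer = /\bsecurity definer\b/.test(st);
      f.searchPath = /\bset search_path\b/.test(st);
    } else if ((m = st.match(new RegExp(`^revoke execute on function ${NAME}`)))) fn(m[1]).revoked = true;
  }
  const names = (map, pred) => [...map].filter(([, v]) => pred(v)).map(([n]) => n);
  const finding = (id, bad, status, failText, passText) =>
    bad.length ? { id, status, detail: `${failText}: ${bad.join(", ")}` } : { id, status: "PASS", detail: passText };
  return {
    tables, functions,
    findings: [
      finding("rls-enabled", names(tables, (t) => !t.rls), "FAIL", "RLS not enabled on", "RLS enabled on every created table"),
      finding("rls-policies", names(tables, (t) => t.rls && t.policies.length === 0), "WARN", "RLS on but no policy (deny-all; app probably relies on service_role)", "every RLS table has at least one policy"),
      finding("rls-permissive", names(tables, (t) => t.policies.some((p) => p.permissive)), "FAIL", "policy grants USING (true) or role = 'authenticated' on", "no permissive policies"),
      finding("definer-revoke", names(functions, (f) => f.definer && !f.revoked), "FAIL", "SECURITY DEFINER still executable by PUBLIC", "every SECURITY DEFINER function has REVOKE EXECUTE"),
      finding("definer-search-path", names(functions, (f) => f.definer && !f.searchPath), "FAIL", "SECURITY DEFINER without SET search_path", "every SECURITY DEFINER function pins search_path"),
    ],
  };
}

console.log(JSON.stringify(scanMigration(sampleMigration).findings, null, 2));
```

On the constructed migration this reports `audit_log` with no RLS, `profiles` with a write-everything `USING (true)` policy, and `admin_delete_user` as a `SECURITY DEFINER` function that any role can call and whose `search_path` is inherited from the caller. `safe_lookup` passes because it pins `search_path` and has its execute privilege revoked from `public`, `anon` and `authenticated`.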
Supply Chain
4 checks · HIGH → MEDIUM
  • No wildcard versions in package.json
  • Lockfile committed (pnpm/npm/yarn/bun)
  • node_modules in .gitignore
  • No suspicious postinstall scripts
CI / DevOps
4 checks · MEDIUM → LOW
  • Dependabot or Renovate configured
  • CI workflow present
  • GitHub Actions pinned by SHA
  • SECURITY.md disclosure policy
Secrets & Docs
4 checks · CRITICAL → INFO
  • NEXT_PUBLIC_ vars don't contain secrets
  • .env.example with placeholders only
  • LICENSE file present
  • README with basic structure
Audit

Run a real audit now. 33 checks, ~30 seconds, no sign-up.

FAQ

Questions, answered.

01 Is this safe to run on my private repo?
No — only public repos. nextcheck uses the GitHub public REST and git tree APIs without auth (unless you set GITHUB_TOKEN for higher rate limits). For private repos, clone locally and run the same checks yourself.
02 How is the score calculated?
Weighted by result: PASS = 10 points, WARN = 5 points, FAIL = 0 points, summed and normalized to 0–100. Grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
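The scoring rule above, implemented so the grade boundaries can be checked. This is an added example and not nextcheck's own code; it assumes the formula exactly as stated (PASS = 10, WARN = 5, FAIL = 0, normalized to 0–100, A/B/C/D floors at 90/75/60/40), rounds the reported score to an integer (this example's choice; the grade is taken from the unrounded value), and constructs a 33-check result set with a single CRITICAL failure to show what the formula does with it.

```javascript
// Added example, not nextcheck's own code: the scoring rule from the FAQ answer
// above. The result set at the bottom is constructed for this example.

const POINTS = { PASS: 10, WARN: 5, FAIL: 0 };
const GRADE_FLOORS = [[90, "A"], [75, "B"], [60, "C"], [40, "D"]]; // anything lower is F
const SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];

function bySeverity(a, b) {
  return SEVERITY_ORDER.indexOf(a) - SEVERITY_ORDER.indexOf(b);
}

// results: [{ id, status: "PASS" | "WARN" | "FAIL", severity? }]
function scoreResults(results) {
  if (!results.length) throw new Error("nothing to score");
  let earned = 0;
  for (const r of results) {
    if (!Object.prototype.hasOwnProperty.call(POINTS, r.status)) throw new Error(`unknown status: ${r.status}`);
    earned += POINTS[r.status];
  }
  const pct = (earned / (results.length * POINTS.PASS)) * 100;
  const grade = GRADE_FLOORS.find(([floor]) => pct >= floor)?.[1] ?? "F";
  const fails = results.filter((r) => r.status === "FAIL");
  return {
    score: Math.round(pct),
    grade,
    fails: fails.map((r) => r.id),
    // Severity is not part of the formula, so report the worst failing one separately.
    worstFailSeverity: fails.map((r) => r.severity ?? "INFO").sort(bySeverity)[0] ?? null,
  };
}

// Constructed run: 32 passes and one CRITICAL failure out of 33 checks.
const oneCriticalFail = [
  ...Array.from({ length: 32 }, (_, i) => ({ id: `check-${i + 1}`, status: "PASS", severity: "LOW" })),
  { id: "service-role-key-in-client", status: "FAIL", severity: "CRITICAL" },
];

console.log(scoreResults(oneCriticalFail)); // score 97, grade "A", worstFailSeverity "CRITICAL"
```

The worked case is the caveat: with the formula as stated, 32 passes and one failed `service_role` check score 97 and grade A, because severity labels the finding but does not enter the score. Read the FAIL list, not the letter.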
03 Do you store the audit results?
Not yet. v0.3 runs entirely in-flight and renders results on your screen. Persistence (shareable audit URLs, history) is planned for v0.4.
04 Why these checks specifically?
These are the ones I see fail most often in production SaaS work — and the cheapest to verify from outside the codebase. I'd rather ten checks done well than thirty with false positives.
05 Can I contribute new checks?
Yes. Open an issue or PR at github.com/kvragg/nextcheck. Each check is a single function in lib/checks/ — easy to add.

Audit your repo. Free, public, in under a minute.

If you find FAIL items you want help fixing — I do this for SaaS founders. Otherwise: keep shipping.