How to Read Your SimplyScan Security Report
Your scan is complete. Here's how to understand your security score, prioritize findings, and fix vulnerabilities using the report.
By Daniel A · Kraftwire Software
Understanding Your SimplyScan Report
You ran a scan. You got a report. Now you are looking at findings, severity levels, categories, and recommendations, and you are not sure what to tackle first or what some of it means.
This guide walks you through every section of a SimplyScan security report so you can understand what was checked, what was found, and exactly what to do about it.
The Security Score
At the top of your report is a score from 0 to 100. This gives you a quick sense of your application's overall security posture.
What the Score Means
**90-100:** Your app has strong security fundamentals. Any remaining findings are typically informational or low severity. You are ahead of most AI-built applications.
**70-89:** Good baseline security with some gaps to address. Most findings at this level are medium severity: things that should be fixed but are not immediately exploitable.
**50-69:** Significant security issues that need attention before your app handles real user data. You likely have at least one high-severity finding.
**Below 50:** Critical vulnerabilities present. Your app has issues that could be exploited right now. Prioritize the critical and high findings immediately.
How the Score Is Calculated
The score starts at 100 and deducts points based on the severity and number of findings. Critical findings deduct the most points, followed by high, medium, and low. A single critical finding can drop your score by 15-25 points because it represents an immediately exploitable vulnerability.
**Important:** The score is a guide, not a guarantee. A score of 95 does not mean your app is unhackable. It means SimplyScan did not find significant issues in the areas it checked. Security is a continuous process, not a destination.
Categories
SimplyScan organizes checks into categories. The free scan covers 3 core categories. The Pro scan covers all 14 categories with 51+ individual checks.
Free Scan Categories
**Secrets:** Checks for exposed API keys, tokens, and credentials in your frontend code and network requests. This is the highest-impact category because a single exposed secret can compromise your entire application or generate thousands of dollars in unauthorized charges.
**Frontend:** Checks for client-side security issues including missing security headers, insecure content rendering patterns, and client-side data exposure. These issues affect every user who visits your application.
**Supabase:** If your app uses Supabase, this category checks for common Supabase misconfigurations like exposed service role keys, missing RLS policies, and insecure auth settings.
Pro Scan Categories
The Pro scan adds 11 more categories:
- **Authentication** checks login flows, session management, and password policies
- **Authorization** checks access control, role enforcement, and data scoping
- **Injection** checks for SQL injection, XSS, and command injection patterns
- **CSRF** checks for cross-site request forgery protections
- **Performance** checks for security-relevant performance issues like blocking I/O and unbounded queries
- **Dependencies** checks for known vulnerabilities in your npm packages
- **Infrastructure** checks deployment configuration and hosting security
- **AI Security** checks for prompt injection vulnerabilities and exposed AI API keys
- **Architecture** checks for structural security issues like client-side security reliance
- **Storage** checks file upload handling and storage security
- **API** checks endpoint protection, rate limiting, and input validation
Severity Levels
Each finding has a severity level that tells you how urgent it is.
Critical
These findings represent vulnerabilities that can be exploited right now with minimal effort. Critical findings include:
- Exposed secret API keys (Stripe secret key, service role key, OpenAI key)
- Database connection strings in frontend code
- Authentication bypass vulnerabilities
- Exposed admin endpoints without access control
**What to do:** Fix critical findings immediately. Do not wait. If you find an exposed API key, revoke it and rotate it before doing anything else. Every minute a critical vulnerability exists is a minute an attacker could exploit it.
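Added example, not SimplyScan's own code, of how the Secrets and Supabase checks above can classify credentials found in a client bundle: Stripe and OpenAI keys by their documented prefixes, Supabase keys by the JWT role claim, so the public anon key is reported differently from the service role key. The sample bundle, key bodies and unsigned JWTs are constructed for the demo.

```javascript
// Added example, not SimplyScan's own code: flag credentials that should never
// ship in a client bundle, as the Secrets and Supabase categories do. Stripe
// secret keys start with sk_live_/sk_test_ and OpenAI keys with sk-; a Supabase
// key is a JWT whose "role" claim is "anon" (public by design) or "service_role"
// (bypasses RLS, so it must stay server-side).
const KEY_PATTERNS = [
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{10,}/g },
  { name: 'OpenAI API key', re: /\bsk-[0-9A-Za-z_-]{20,}/g },
];
const JWT_RE = /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;

// Read the role claim from a JWT payload (no signature check: we only classify).
function jwtRole(token) {
  try {
    const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')).role || null;
  } catch {
    return null;
  }
}
// Never echo a full secret back into a report; keep a short prefix only.
const mask = (s) => s.slice(0, 8) + '...';

function scanBundle(source) {
  const findings = [];
  for (const { name, re } of KEY_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ severity: 'critical', title: `Exposed ${name} in client bundle`, value: mask(m[0]) });
    }
  }
  for (const m of source.matchAll(JWT_RE)) {
    const role = jwtRole(m[0]);
    if (role === 'service_role') {
      findings.push({ severity: 'critical', title: 'Exposed Supabase service role key in client bundle', value: mask(m[0]) });
    } else if (role === 'anon') {
      findings.push({ severity: 'low', title: 'Supabase anon key in client bundle (expected; rely on RLS)', value: mask(m[0]) });
    }
  }
  return findings;
}

// Constructed sample bundle: made-up key bodies and unsigned placeholder JWTs.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fakeJwt = (role) => `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ role, iss: 'supabase' })}.placeholder_sig`;
const SAMPLE_BUNDLE = [
  `const stripe = Stripe("pk_live_${'x'.repeat(24)}");`, // publishable key: fine in the browser
  `fetch("/api/charge", { headers: { Authorization: "Bearer sk_live_${'a'.repeat(24)}" } });`,
  `const supabase = createClient(URL, "${fakeJwt('anon')}");`,
  `const admin = createClient(URL, "${fakeJwt('service_role')}");`,
].join('\n');
console.log(scanBundle(SAMPLE_BUNDLE)); // one low (anon key) and two critical findings
```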
High
High-severity findings are serious vulnerabilities that require some knowledge or effort to exploit. They include:
- Missing Row-Level Security on database tables
- Missing authentication on sensitive API endpoints
- Hardcoded credentials in configuration files
- Cross-site scripting (XSS) vulnerabilities
**What to do:** Fix high findings within 24-48 hours. These are not as immediately dangerous as critical findings, but they represent real attack vectors that a motivated attacker would find and exploit.
Medium
Medium findings are security weaknesses that make your application less secure but are harder to exploit on their own. They include:
- Missing security headers (CSP, HSTS, X-Frame-Options)
- Missing rate limiting on authentication endpoints
- Insecure cookie configuration (missing HttpOnly or Secure flags)
- Verbose error messages that leak implementation details
**What to do:** Plan to fix medium findings within a week or two. They are often quick fixes (adding a header, changing a configuration) that significantly improve your security posture.
Low
Low-severity findings are informational items or minor issues that represent best practice recommendations. They include:
- Suboptimal security header values
- Minor configuration improvements
- Performance-related security suggestions
- Informational notices about your tech stack
**What to do:** Address these when you have time. They improve your overall security posture but are unlikely to be directly exploitable on their own.
Reading Individual Findings
Each finding in your report contains several pieces of information.
Finding Title
A short description of what was found, like "Exposed OpenAI API Key in Client Bundle" or "Missing Content-Security-Policy Header."
Description
A detailed explanation of what the issue is, why it matters, and what an attacker could do with it. This section helps you understand the real-world impact of the finding.
Location
Where the issue was found. For frontend issues, this might be a specific JavaScript file or network request. For header issues, it identifies which headers are missing or misconfigured.
Recommendation
Specific, actionable steps to fix the issue. This is not generic advice. It tells you exactly what to change, often with code examples or configuration snippets.
Prioritizing Fixes
When your report has multiple findings, here is the order to tackle them:
Priority 1: Exposed Secrets (Fix Now)
Any exposed API key, token, or credential needs to be revoked and rotated immediately. This is the one category where you should stop everything else and fix it right away. See our [guide on fixing exposed API keys](/blog/fix-exposed-api-keys) for a step-by-step process.
Priority 2: Authentication and Authorization (Fix This Week)
Missing authentication or broken authorization means unauthorized users can access data or features they should not. Fix these before your app handles real user data.
Priority 3: Injection and XSS (Fix This Week)
Injection vulnerabilities allow attackers to execute arbitrary code or queries. XSS vulnerabilities let attackers run scripts in other users' browsers. Both are high-impact and should be addressed quickly.
Priority 4: Security Headers and Configuration (Fix Soon)
Missing headers and insecure configurations are important but less urgent. They improve your defense-in-depth posture and prevent specific attack types.
Priority 5: Performance and Best Practices (Fix When Possible)
Performance-related security issues and best practice recommendations improve your overall security but are the lowest priority among actual findings.
Free vs Pro Report Differences
Free Report
- Covers 3 categories (Secrets, Frontend, Supabase)
- Shows critical and high findings in full detail
- Provides actionable recommendations for every finding
- Good for a quick security health check
Pro Report
- Covers all 14 categories with 51+ checks
- Deeper analysis of each category
- Includes authentication, authorization, injection, CSRF, and more
- Shows the complete picture of your application security
- Includes a downloadable PDF report for compliance and documentation
After Fixing: Rescan
Once you have fixed the findings in your report, run another scan to verify the fixes are working. Rescanning confirms that:
- The exposed key is no longer visible (you revoked it and moved it server-side)
- Security headers are properly configured
- Authentication is enforced on protected routes
- RLS policies are active and blocking unauthorized access
Some fixes require a new deployment before they take effect. Make sure your changes are deployed before rescanning.
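Added example, not SimplyScan's own code, of the header and cookie checks behind the Medium and Low findings above, applied to a constructed before/after response so you can confirm a fix locally before deploying and rescanning. The header names are real; the responses, the session cookie and the ALLOWALL value are made up for the demo.

```javascript
// Added example, not SimplyScan's own code: the header and cookie checks from
// the Medium and Low severity lists, run on a response before and after the
// fix so you can confirm a change locally before redeploying and rescanning.
const REQUIRED = ['content-security-policy', 'strict-transport-security', 'x-frame-options'];
function checkHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  for (const name of REQUIRED) {
    if (!(name in h)) findings.push({ severity: 'medium', title: `Missing ${name} header` });
  }
  // Present but weaker than recommended: a low-severity "suboptimal value" finding.
  const hsts = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (hsts && Number(hsts[1]) < 31536000) { // hstspreload.org requires at least one year
    findings.push({ severity: 'low', title: 'HSTS max-age below one year' });
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push({ severity: 'low', title: `Unrecognised X-Frame-Options value "${xfo}"` });
  }
  return findings;
}
// Each Set-Cookie line looks like: name=value; Attr; Attr=val ...
function checkCookies(setCookieLines) {
  const findings = [];
  for (const line of setCookieLines) {
    const [pair, ...attrs] = line.split(';').map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    for (const [flag, label] of [['httponly', 'HttpOnly'], ['secure', 'Secure']]) {
      if (!flags.has(flag)) findings.push({ severity: 'medium', title: `Cookie "${pair.split('=')[0]}" missing ${label} flag` });
    }
  }
  return findings;
}
const auditResponse = (headers, cookies) => [...checkHeaders(headers), ...checkCookies(cookies)];
// Rescan goal for this category: nothing above low severity remains.
const readyToRescan = (findings) => findings.every((f) => f.severity === 'low');

// Constructed before/after responses for a page that sets a session cookie.
const BEFORE = { headers: { 'Content-Type': 'text/html', 'X-Frame-Options': 'ALLOWALL' }, cookies: ['session=abc123; Path=/'] };
const AFTER = {
  headers: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
  },
  cookies: ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
console.log(readyToRescan(auditResponse(BEFORE.headers, BEFORE.cookies)), readyToRescan(auditResponse(AFTER.headers, AFTER.cookies))); // false true
```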
Key Takeaways
Your SimplyScan report is a prioritized action list. Start with critical findings, work through high and medium, and address low findings when time permits.
The most important thing is to act on what you find. A security report sitting unread does nothing for your security. Even fixing just the critical and high findings puts you ahead of the majority of AI-built applications.