Am I Hackable?

Case Study: From Grade C to A in 5 Minutes

How we hardened amihackable.dev using our own scanner

Before:  6/10, Grade C, 6 issues found
After:   8.9/10, Grade A, 2 minor issues (CDN-controlled)

The Context

We deployed amihackable.dev on Vercel with Next.js. Like most developers, we focused on shipping features fast and forgot about security headers. Our first scan revealed 6 issues and a Grade C from Mozilla Observatory.

What We Found

Severity  Finding                                             Status
HIGH      Missing Content-Security-Policy                     Fixed
MEDIUM    Missing clickjacking protection (X-Frame-Options)   Fixed
MEDIUM    Missing X-Content-Type-Options                      Fixed
LOW       Missing Referrer-Policy                             Fixed
LOW       Missing Permissions-Policy                          Fixed
LOW       Server header exposed (cloudflare)                  CDN-controlled

The Fix: 30 Lines of Config

All five fixable issues were resolved by adding security headers in vercel.json: no application code changes, no new dependencies, no server configuration. Two things are worth knowing about the values below. The CSP's script-src allows 'unsafe-inline', which Next.js's inline bootstrap scripts need unless you supply a nonce or hash; it satisfies the "header present" check, but it also means the policy does little against injected inline script, so a nonce- or hash-based script-src is the stronger follow-up. And frame-ancestors 'none' already blocks framing in every CSP-aware browser, so X-Frame-Options: DENY is kept only as a fallback for older clients.

{
  "headers": [{
    "source": "/(.*)",
    "headers": [
      { "key": "Content-Security-Policy",
        "value": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'" },
      { "key": "Strict-Transport-Security",
        "value": "max-age=31536000; includeSubDomains" },
      { "key": "X-Frame-Options",       "value": "DENY" },
      { "key": "X-Content-Type-Options", "value": "nosniff" },
      { "key": "Referrer-Policy",
        "value": "strict-origin-when-cross-origin" },
      { "key": "Permissions-Policy",
        "value": "camera=(), microphone=(), geolocation=()" }
    ]
  }]
}
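To see what a scan of this kind actually checks, here is an added example, not code from amihackable.dev or its scanner: a small offline audit of a response header set. It reproduces the six findings listed above and adds one check the "header present" test alone does not make, flagging a CSP whose script-src permits 'unsafe-inline' without a nonce or hash. The two header sets are constructed samples: the first mimics the site before the fix, the second applies the vercel.json above while still sitting behind Cloudflare.

```javascript
// Added example, not the page's or the scanner's own code. Audits a set of
// HTTP response headers for the page's six findings plus one CSP quality check.

// [header name, severity, finding text], mirroring the findings table above.
const REQUIRED_HEADERS = [
  ["content-security-policy", "HIGH", "Missing Content-Security-Policy"],
  ["x-frame-options", "MEDIUM", "Missing clickjacking protection (X-Frame-Options)"],
  ["x-content-type-options", "MEDIUM", "Missing X-Content-Type-Options"],
  ["referrer-policy", "LOW", "Missing Referrer-Policy"],
  ["permissions-policy", "LOW", "Missing Permissions-Policy"],
];

// Parse "default-src 'self'; script-src 'self' 'unsafe-inline'" into
// { "default-src": ["'self'"], "script-src": ["'self'", "'unsafe-inline'"] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// True when inline script is allowed with no nonce or hash. Browsers ignore
// 'unsafe-inline' once a nonce or hash source is present, so that case is fine.
function allowsInlineScript(csp) {
  const scriptSrc = csp["script-src"] || csp["default-src"] || [];
  const hasNonceOrHash = scriptSrc.some(
    (s) => s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
           s.startsWith("'sha384-") || s.startsWith("'sha512-")
  );
  return scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Returns a list of { severity, finding } for one response's headers.
function auditHeaders(rawHeaders) {
  // HTTP header names are case-insensitive; normalise before looking them up.
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = String(value);
  }

  const findings = [];
  for (const [name, severity, finding] of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push({ severity, finding });
  }

  if ("content-security-policy" in headers) {
    const csp = parseCsp(headers["content-security-policy"]);
    if (allowsInlineScript(csp)) {
      findings.push({
        severity: "MEDIUM",
        finding: "CSP script-src allows 'unsafe-inline' with no nonce or hash",
      });
    }
  }

  const xcto = headers["x-content-type-options"];
  if (xcto !== undefined && xcto.trim().toLowerCase() !== "nosniff") {
    findings.push({ severity: "MEDIUM", finding: "X-Content-Type-Options is set but not 'nosniff'" });
  }

  if ("server" in headers) {
    findings.push({ severity: "LOW", finding: `Server header exposed (${headers.server})` });
  }
  return findings;
}

// Count findings per severity, e.g. { HIGH: 1, MEDIUM: 2, LOW: 3 }.
function countBySeverity(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed sample: what a scan would see before the fix (no security headers).
const BEFORE_HEADERS = {
  "Server": "cloudflare",
  "Content-Type": "text/html; charset=utf-8",
};

// Constructed sample: the vercel.json header set above, still behind Cloudflare.
const AFTER_HEADERS = {
  "Server": "cloudflare",
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

console.log("before:", countBySeverity(auditHeaders(BEFORE_HEADERS)), auditHeaders(BEFORE_HEADERS));
console.log("after: ", countBySeverity(auditHeaders(AFTER_HEADERS)), auditHeaders(AFTER_HEADERS));
```

Run against the "after" set, the audit still reports two items: the Cloudflare Server header, which the CDN controls, and the 'unsafe-inline' script-src, which a nonce-based CSP would clear. Swapping the constructed CSP for one carrying a 'nonce-…' source drops the second finding, which is the behaviour a scanner should have, since browsers disregard 'unsafe-inline' once a nonce or hash is present.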

Timeline

0:00  Ran first scan on amihackable.dev. Score: 6/10, Grade C.
0:30  Read the findings and remediation tips: 5 missing headers, 1 information disclosure.
2:00  Added security headers to vercel.json (30 lines of JSON config).
3:00  Pushed to GitHub; Vercel auto-deployed. Build took 27 seconds.
4:00  Ran second scan. Score: 8.9/10, Grade A.

Your turn

Find out if your app is hackable. Free scan in 60 seconds.

Scan Your Site Now