Security scan

The Business plan includes a weekly security scan of your storefront. It runs headless against your live shop and flags issues you would otherwise only discover when something went wrong.

What gets scanned

Vulnerable JS libraries

We detect known-vulnerable versions of libraries that ship in your storefront bundle: jQuery, Lodash, Moment, Underscore, AngularJS, React, Vue, and others. Detection runs against a regularly updated signature set sourced from Retire.js and the public CVE feed. For each finding we surface the affected file, the library version detected, the CVE, and a one-line remediation.

Leaked secrets

We scan client-side bundles for accidentally exposed secrets: Stripe live and test keys, AWS access keys, Google API keys, Klaviyo private keys, Mailchimp keys, Sendgrid keys, GitHub tokens, and generic high-entropy strings. If a real secret is found we alert immediately rather than waiting for the weekly run.

HTTP security headers

We check the storefront response for:

  • Content-Security-Policy presence and quality
  • Strict-Transport-Security
  • X-Frame-Options / frame-ancestors
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

Supply-chain provenance

On the first scan we record an allowlist of the domains your storefront loads scripts from, and on every later scan we alert on any domain that is not in that allowlist. New apps that inject scripts, new tag-manager destinations and new analytics providers are all surfaced before they can become a breach vector.
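The baseline-and-diff check described above, as an added example (not the scanner's own code): it collects the hostnames a storefront page loads <script src> from, resolves relative and protocol-relative sources against the shop URL, and reports any host absent from the first-scan allowlist. The sample HTML, hostnames and allowlist are constructed.

```python
# Added example, not the scanner's own code; sample HTML and hosts are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def script_origins(html, page_url):
    """Hostnames the page loads scripts from; relative srcs resolve to the shop host."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        host = urlsplit(urljoin(page_url, src)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def new_script_origins(html, page_url, allowlist):
    """Origins present in this scan but absent from the first-scan allowlist."""
    return sorted(script_origins(html, page_url) - {h.lower() for h in allowlist})


# Constructed baseline: hosts recorded on the first scan.
ALLOWLIST = {"shop.example", "cdn.shopify.example"}
# Constructed later-scan HTML: a tag-manager host and an analytics host are new.
SAMPLE_HTML = """<html><head>
<script src="/assets/theme.js"></script>
<script src="//cdn.shopify.example/vendor.js"></script>
<script src="https://tags.example-tagmanager.net/gtm.js?id=X"></script>
<script src="https://static.example-analytics.io/a.js" async></script>
<script>window.inlineConfig = {};</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host in new_script_origins(SAMPLE_HTML, "https://shop.example/", ALLOWLIST):
        print("new script origin:", host)
```

Inline scripts carry no src and are ignored; a production check would also want to account for scripts injected at runtime, which a static parse of the HTML cannot see.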

App weight audit

Each app you have installed gets weighed: how much JS it adds to the storefront, how much it slows first paint, whether it loads on pages where it is not needed. The audit ships with one-line uninstall guidance per app, so you can drop the weight you no longer use.

How alerts work

Critical issues (a leaked Stripe live key, a remote-code-execution CVE) fire immediately to your alert destinations. Lower-severity findings batch into the weekly email report. You can configure per-category severity thresholds in Settings → Security.
