Astro
Security scanning for Astro sites
Astro’s static-first model removes a lot of attack surface (no runtime DB calls in most setups), but the issues that remain — security headers from your host, secrets in client islands, exposed .env in /public/ — still need explicit handling. Scan your Astro site to find the gaps.
Most common issues
- Missing CSP/HSTS/X-Frame-Options when deployed to Netlify, Vercel, or Cloudflare Pages
- API keys leaked into client islands when secrets are referenced in client-side code without server-only import.meta.env discipline
- Exposed .env or /public/-deployed config files leaking from build output
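The second issue above is easiest to catch after the build, by scanning the client JavaScript that Astro emits for secret-shaped strings before it ships. The following is an added example, not SafeToShip's js-secrets rule set and not code from the Astro project; the regexes are illustrative assumptions (Stripe-style `sk_live_`/`sk_test_` keys, AWS-style `AKIA` access key IDs, and generic `apiKey: "..."` assignments), and the sample bundle text is constructed.

```typescript
// Added example: scan built client JS (e.g. everything under dist/ that the browser loads)
// for secret-shaped strings. Patterns below are assumptions for illustration only.

interface SecretPattern {
  label: string;
  re: RegExp; // must carry the /g flag for matchAll
}

const SECRET_PATTERNS: SecretPattern[] = [
  { label: "Stripe secret key", re: /\bsk_(live|test)_[A-Za-z0-9]{16,}\b/g },
  { label: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  {
    label: "Generic api key assignment",
    re: /\b(api[_-]?key|secret|token)\b\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']/gi,
  },
];

export interface Finding {
  label: string;
  match: string;
  line: number; // 1-based line in the scanned file
}

/** Return every secret-shaped string found in one file's source text. */
export function findSecretLikeStrings(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const { label, re } of SECRET_PATTERNS) {
      for (const m of text.matchAll(re)) {
        findings.push({ label, match: m[0], line: i + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample of what a client island bundle might contain. Line 1 is a
// publishable (client-safe) key and should not be flagged; lines 2 and 3 should.
export const SAMPLE_BUNDLE = [
  'const pub = "pk_test_EXAMPLE0000000000000";',
  'fetch("/api/charge", { headers: { Authorization: "Bearer sk_live_EXAMPLE00000000000000" } });',
  'const cfg = { apiKey: "abcdefghijklmnopqrstuvwxyz0123" };',
].join("\n");

// Stand-alone run: list findings for the constructed sample.
for (const f of findSecretLikeStrings(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.label} -> ${f.match}`);
}
```

Wire `findSecretLikeStrings` over each `.js` file in the build output as a CI step that fails the deploy on any finding; a publishable key that is meant to be public (the `pk_test_` line above) is not flagged, while the server-only key that has been bundled into a client island is.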
What SafeToShip checks for Astro
- headers
- js-secrets
- exposed-files
- ssl
- cors
- cookies
FAQ
Frequently asked questions
- Are server-rendered Astro pages a security risk?
- Same considerations as any SSR app: env vars used in server code must stay server-only, CORS must allowlist specific origins, and cookies must set Secure, HttpOnly, and SameSite. Use astro:env for type-safe separation of server and client env vars.
- How do I add security headers to an Astro site?
- Configure them at your hosting layer: netlify.toml [[headers]] for Netlify, _headers file for Cloudflare Pages, vercel.json headers for Vercel, or middleware.ts if running Astro in SSR mode.
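For the SSR case in the two answers above, the headers and the cookie attributes can both be enforced in middleware. This is an added example, not Astro's own code or SafeToShip's check logic; the header values are an assumed baseline (the CSP in particular must be tuned to what your islands actually load, and `'unsafe-inline'` for styles is an assumption made because Astro may inline small stylesheets), and `weakCookies` takes the raw `Set-Cookie` lines so it runs without any framework. It uses only the standard `Response`/`Headers` globals available in modern Node.

```typescript
// Added example: baseline security headers plus a cookie-attribute check for Astro SSR.
// Values are an assumed baseline; adjust CSP sources to your site's real needs.

export const SECURITY_HEADERS: Record<string, string> = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

/** Names of baseline headers a response is still missing (the detection side). */
export function missingSecurityHeaders(resp: Response): string[] {
  return Object.keys(SECURITY_HEADERS).filter((name) => !resp.headers.has(name));
}

/** Add any missing baseline header without overriding ones a route set itself. */
export function applySecurityHeaders(resp: Response): Response {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!resp.headers.has(name)) resp.headers.set(name, value);
  }
  return resp;
}

const REQUIRED_COOKIE_ATTRS = ["secure", "httponly", "samesite"];

/** For each Set-Cookie line, report which of Secure/HttpOnly/SameSite it lacks. */
export function weakCookies(setCookieLines: string[]): string[] {
  const weak: string[] = [];
  for (const line of setCookieLines) {
    const [pair, ...attrs] = line.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const present = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    const missing = REQUIRED_COOKIE_ATTRS.filter((a) => !present.has(a));
    if (missing.length > 0) weak.push(`${name}: missing ${missing.join(", ")}`);
  }
  return weak;
}

// Assumed wiring in src/middleware.ts (not executed here):
//   import { defineMiddleware } from "astro:middleware";
//   export const onRequest = defineMiddleware(async (_ctx, next) => {
//     const resp = applySecurityHeaders(await next());
//     for (const w of weakCookies(resp.headers.getSetCookie())) console.warn("weak cookie", w);
//     return resp;
//   });

// Stand-alone run on a constructed response and constructed cookies.
const demo = new Response("ok");
console.log("missing before:", missingSecurityHeaders(demo));
applySecurityHeaders(demo);
console.log("missing after:", missingSecurityHeaders(demo));
console.log(weakCookies(["session=abc; Path=/; HttpOnly"]));
```

`applySecurityHeaders` only fills gaps, so a route that deliberately sets a narrower or wider CSP keeps it; `missingSecurityHeaders` is the same check a scanner runs against the live site, which is useful as a post-deploy smoke test against the hosting layer's own header config.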
Fix guides
Common Astro fixes
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Read more
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Read more
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Read more
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Read more
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
Read more
Run an Astro security scan
Free. 70+ checks. 60 seconds.