Client context
Puppyarazzi.com is a public grooming brand site. It was reviewed with VibeLeak, then rechecked after a trust cleanup pass.
Starting scan
The starting scan returned Grade C at 63/100. VibeLeak found one high-priority CORS issue, multiple missing browser guardrails, and a missing security disclosure route.
Top priority
Restrict wildcard CORS first, then close the browser header baseline before the next public recheck.
What VibeLeak found
The findings below are copied into public-safe language from the exported report and kept in the original severity order.
Wildcard CORS origin
The server returned Access-Control-Allow-Origin: *, which lets a script on any origin read the site's cross-origin responses.
Evidence
access-control-allow-origin: *
Fix path
The remediation path was to replace the wildcard with an explicit allowlist of trusted origins (sending Vary: Origin whenever the allowed origin is echoed back) and never to combine a wildcard or reflected origin with Access-Control-Allow-Credentials.
Missing frame protection
The scan did not detect X-Frame-Options or a CSP frame-ancestors directive, so any site could frame the pages, which is the precondition for clickjacking.
Evidence
No X-Frame-Options header and no frame-ancestors directive were detected.
Fix path
The remediation path was to add X-Frame-Options: SAMEORIGIN or enforce the same boundary with a CSP frame-ancestors 'self' directive; when both are present, browsers that support frame-ancestors honour it over X-Frame-Options.
Missing Content Security Policy
No Content-Security-Policy header was detected, weakening protection against script injection and untrusted resources.
Evidence
The scanned response did not include a Content-Security-Policy header.
Fix path
The remediation path was to introduce a baseline CSP, roll it out first as Content-Security-Policy-Report-Only to see what it would block, and then tighten it around the site assets without breaking embeds or analytics.
Missing Referrer-Policy
Without an explicit Referrer-Policy the site depends on each browser's default; older defaults (no-referrer-when-downgrade) send the full URL, including path and query string, to third-party destinations in the Referer header.
Evidence
The scanned response did not include a Referrer-Policy header.
Fix path
The remediation path was to add strict-origin-when-cross-origin as the public response baseline.
Missing security disclosure policy
The scan did not find a valid /.well-known/security.txt file with a Contact field.
Evidence
/.well-known/security.txt was not found with a Contact field.
Fix path
The remediation path was to publish security.txt with a Contact field pointing at a monitored mailbox or form and an Expires field set to a date in the future.
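A practitioner closing this finding wants to verify the published file the same way a scanner would: that it parses, that Contact is present and is a URI, and that Expires is in the future. The checker below is an added example, not VibeLeak's code; the two sample files, the contact address and the fixed "now" timestamp are constructed for illustration.

```python
"""security.txt checker for the disclosure-route finding (added example, not VibeLeak code)."""
from datetime import datetime, timezone
from typing import Dict, List


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse RFC 9116 'Field: value' lines into a field -> values map.

    Fields may repeat (several Contact lines are allowed), so values are lists.
    Blank lines and '#' comments are skipped; lines without a colon are ignored.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file passes this check."""
    problems: List[str] = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing-contact")
    elif not all(c.startswith(("mailto:", "https://", "tel:")) for c in contacts):
        # RFC 9116 requires Contact values to be URIs; a bare address is a common mistake.
        problems.append("contact-not-uri")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing-expires")
    elif len(expires) > 1:
        problems.append("multiple-expires")
    else:
        try:
            # fromisoformat() only accepts 'Z' from Python 3.11, so normalise it first.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("expired")
        except ValueError:
            problems.append("bad-expires-format")
    return problems


# Constructed clock, matching the generation time printed at the bottom of the page.
NOW = datetime(2026, 5, 25, 16, 17, 33, tzinfo=timezone.utc)

# Constructed sample that should pass (contact address is an assumption).
GOOD = """# constructed sample
Contact: mailto:security@puppyarazzi.com
Expires: 2027-05-25T00:00:00.000Z
Preferred-Languages: en
"""

# Constructed sample with a bare address and a past expiry.
STALE = """Contact: security@puppyarazzi.com
Expires: 2025-01-01T00:00:00Z
"""

if __name__ == "__main__":
    print("good :", check_security_txt(GOOD, NOW))
    print("stale:", check_security_txt(STALE, NOW))
    print("empty:", check_security_txt("", NOW))
```

Run it against the body fetched from /.well-known/security.txt after deployment; an empty list from check_security_txt is the condition the recheck is looking for. The missing-file case is modelled by passing an empty string, which reports both required fields as absent.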
Missing MIME sniffing guardrail
The response did not include X-Content-Type-Options, so browsers could MIME-sniff responses away from their declared Content-Type, which matters most for anything that could be interpreted as a script or stylesheet.
Evidence
The scanned response did not include X-Content-Type-Options.
Fix path
The remediation path was to add X-Content-Type-Options: nosniff to the public response.
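The five header findings above are all decidable from a single response, so they can be checked locally before the public recheck. The block below is an added example, not VibeLeak's scanner or the site's server code: an audit function that reproduces the findings against a set of response headers, beside a function that emits the hardened baseline from the fix paths (allowlisted CORS echo with Vary: Origin, SAMEORIGIN plus frame-ancestors, a starting CSP, strict-origin-when-cross-origin, nosniff). The trusted-origin list, the finding names and the sample header sets are assumptions constructed for illustration.

```python
"""Header baseline audit and hardened response headers (added example, not VibeLeak code)."""
from typing import Dict, List, Optional

# Constructed allowlist of origins the brand site legitimately serves (assumption).
TRUSTED_ORIGINS = {"https://puppyarazzi.com", "https://www.puppyarazzi.com"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_has_frame_ancestors(csp: Optional[str]) -> bool:
    """True when a CSP value carries a frame-ancestors directive."""
    if not csp:
        return False
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding names for the header checks on this page, in page order."""
    findings: List[str] = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials")
    if acao and acao.strip() == "*":
        findings.append("wildcard-cors")
        # Browsers refuse '*' with credentials, but the pairing shows the CORS
        # policy was never designed and is worth flagging before anyone
        # "fixes" it by reflecting every Origin.
        if acac and acac.strip().lower() == "true":
            findings.append("wildcard-cors-with-credentials")
    csp = _get(headers, "Content-Security-Policy")
    if not _get(headers, "X-Frame-Options") and not csp_has_frame_ancestors(csp):
        findings.append("missing-frame-protection")
    if not csp:
        findings.append("missing-csp")
    if not _get(headers, "Referrer-Policy"):
        findings.append("missing-referrer-policy")
    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto.strip().lower() != "nosniff":
        findings.append("missing-nosniff")
    return findings


def hardened_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Baseline headers implementing the fix paths above.

    CORS: echo the request Origin only when it is allowlisted, and add
    Vary: Origin so a cache never serves one origin's answer to another.
    No Origin match means no Access-Control-Allow-Origin at all.
    The CSP is a starting point; script-src/img-src/frame-src must be
    extended for the site's real analytics and embeds.
    """
    headers = {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; object-src 'none'",
        "X-Frame-Options": "SAMEORIGIN",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff",
    }
    if request_origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"
    return headers


# Constructed 'before' headers matching the evidence lines on this page.
BEFORE = {"content-type": "text/html; charset=utf-8", "access-control-allow-origin": "*"}

if __name__ == "__main__":
    print("before  :", audit_headers(BEFORE))
    print("foreign :", audit_headers(hardened_headers("https://evil.example")))
    print("trusted :", hardened_headers("https://www.puppyarazzi.com"))
```

Feeding the BEFORE set to audit_headers reproduces the page's wildcard CORS, frame, CSP, Referrer-Policy and nosniff findings; feeding it the output of hardened_headers returns nothing, for a trusted and an untrusted Origin alike. The audit looks only at one response, so it says nothing about whether the CSP is loose enough to be useful; that is the tightening step the fix path describes.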
What was addressed
CORS exposure reduced
The high-severity wildcard CORS finding was handled first because it decides which origins a browser will let read the site's responses.
Browser guardrails completed
The header pass focused on frame protection, CSP, Referrer-Policy, and MIME sniffing controls surfaced by TrustScan.
Disclosure route standardized
The missing security.txt route was closed so responsible disclosure and automated trust review had a stable public signal.
Final outcome
Puppyarazzi finished at Grade S. The recorded VibeSignal score moved from 48 to 66, an 18-point improvement after cleanup and recheck.
Start grade
C at 63/100
Final grade
S
VibeSignal
+18 points
Source reference
Saved VibeLeak scan
Generated UTC 2026-05-25T16:17:33.785Z. Public page copy uses the report findings without exposing private remediation notes.

