Blue Team Defense Report
Tracking fixes and mitigations for all Red Team findings. Last updated: March 19, 2026.
Defense Score
71%
32 of 45 findings resolved
Fixed
32
In Progress
0
Acknowledged
13
All Findings (45)
RT-001: Auth forms only console.log credentials
CRITICALFIXED
Resolution: Removed console.log from sign-in and sign-up onSubmit handlers. Forms now call router.push('/dashboard') on submit.
RT-002: Google and GitHub OAuth buttons do nothing
CRITICALFIXED
Resolution: Added onClick handlers to both OAuth buttons on sign-in and sign-up pages. They now show a toast: 'OAuth coming soon -- use email sign in'.
RT-003: Landing page 'Extract' button does nothing
HIGHFIXED
Resolution: Extract button now toggles visibility of the mock JSON response output below the input field.
RT-004: Enterprise 'Contact Sales' button is a dead end
HIGHFIXED
Resolution: Landing page Enterprise card now links to mailto:sales@scraper.bot. Pricing page ctaHref changed from /contact to mailto:sales@scraper.bot.
RT-005: 13 footer links go to href='#' (dead links)
HIGHFIXED
Resolution: Updated footer links: Features -> /#features, Pricing -> /pricing, Documentation -> /docs, API Reference -> /docs/api-reference, Changelog -> /changelog, About -> /changelog, Blog -> /blog, Careers -> /changelog, Contact -> mailto:hello@scraper.bot, Help Center -> /docs, Status -> /status. Added aria-labels to social icons. Privacy/Terms kept as # (pending legal content).
RT-006: Dashboard action buttons are non-functional
HIGHFIXED
Resolution: Added onClick handlers to Run (toast.success), Pause/Resume (toggles flow status via state), and Edit (Link to /flows/[id]) buttons in Active Flows. Acknowledge buttons on alerts now update state and show toast. Dashboard page converted to use useState for flows and alerts.
RT-007: Flow builder buttons are non-functional
HIGHFIXED
Resolution: Wired bottom bar buttons: Run Flow (toast.success), Save (toast.success), Schedule (toast). Add Step dropdown items now add new steps to local state via useState. Steps panel accepts onAddStep callback.
RT-008: 'Forgot password?' links to itself
MEDIUMFIXED
Resolution: Replaced Link with a button that opens a Dialog containing an email input and 'Send Reset Link' button. Clicking Send Reset Link shows toast.success('Password reset email sent').
RT-009: Terms of Service and Privacy Policy pages don't exist
MEDIUMACKNOWLEDGED
RT-010: Blog article links go to non-existent pages
MEDIUMACKNOWLEDGED
RT-011: Status page subscribe form does nothing
MEDIUMACKNOWLEDGED
RT-012: Settings page 'Save Changes' and 'Save Preferences' buttons do nothing
MEDIUMFIXED
Resolution: Added onClick with toast.success to: Save Preferences (notifications tab), Upload Avatar (profile tab), Remove member (team tab), and Download invoice (billing tab). Profile Save Changes was already fixed previously.
RT-013: Settings billing 'Upgrade' and 'Contact Sales' buttons are dead
MEDIUMFIXED
Resolution: Upgrade buttons now show toast.success with plan name. Contact Sales opens mailto:sales@scraper.bot and shows toast.
RT-014: Monitoring 'Configure Alerts' button is dead
LOWFIXED
Resolution: Configure Alerts button now calls openAddRule() to open the Add Monitoring Rule dialog, reusing the existing dialog infrastructure.
RT-015: Runs page 'Last 7 Days' date picker button does nothing
LOWFIXED
Resolution: Replaced static button with a functional Select dropdown offering 'Last 24 Hours', 'Last 7 Days', 'Last 30 Days', and 'All Time' options. Runs are filtered by startedAt date based on selection.
RT-016: Runs page Eye and Retry action buttons do nothing
MEDIUMACKNOWLEDGED
RT-017: Landing page claims 'SOC 2 Compliant' -- likely false
HIGHACKNOWLEDGED
RT-018: Fake testimonials from fake people at fake companies
HIGHACKNOWLEDGED
RT-019: TrustedBy component likely shows fake company logos
MEDIUMACKNOWLEDGED
RT-020: Hardcoded footer color: bg-gray-950 breaks theming
MEDIUMACKNOWLEDGED
RT-021: Admin layout uses hardcoded dark colors, ignores theme in light mode
MEDIUMACKNOWLEDGED
RT-022: CTA section uses bg-blue-50 hover which is light-mode only
LOWFIXED
Resolution: Changed hover:bg-blue-50 to hover:bg-white/90 on the final CTA button.
RT-023: No mobile navigation menu
HIGHFIXED
Resolution: Added a mobile hamburger menu button (visible on screens < md) that opens a Sheet component with all nav links: Features, How It Works, Pricing, Docs, Sign In, and Get Started Free.
RT-024: Social icon buttons lack accessible labels
MEDIUMFIXED
Resolution: Added aria-label='Twitter', aria-label='GitHub', and aria-label='LinkedIn' to footer social icon links.
RT-025: Notification bell button does nothing
LOWACKNOWLEDGED
RT-026: Sign out button does nothing
HIGHFIXED
Resolution: Added onClick handler to Sign Out dropdown menu item in app-sidebar.tsx that calls router.push('/') to navigate to the landing page.
RT-027: Middleware API auth is easily bypassed
HIGHACKNOWLEDGED
RT-028: New flow wizard always redirects to flow-1
MEDIUMFIXED
Resolution: handleGenerate and handleTemplateSelect now generate a unique ID via crypto.randomUUID() and redirect to /flows/${newId} instead of hardcoded /flows/flow-1.
RT-029: Playground is fully faked with hardcoded responses
MEDIUMFIXED
Resolution: Added varied bot responses in playground based on message content: price/cost triggers extraction pricing response, paginate/next page triggers pagination response, schedule/cron triggers scheduling response, with a generic fallback.
RT-030: Hardcoded dates throughout the codebase
LOWFIXED
Resolution: Replaced hardcoded new Date('2026-03-18T18:30:00Z') with new Date() in formatRelativeTime/timeAgo functions across dashboard, runs, flows, api-keys, and monitoring pages so relative timestamps are computed from actual current time.
RT-031: Docs sidebar links lead to non-existent pages
MEDIUMACKNOWLEDGED
RT-032: API docs endpoint URLs don't match actual routes
LOWFIXED
Resolution: Changed API docs base URL from https://api.scraper.dev/v1 to https://scraper.bot/api. Updated all curl examples to use the correct base URL matching the actual /api/ routes.
RT-033: Runs page table rows lack React keys on fragments
LOWFIXED
Resolution: Replaced bare <> fragments with <Fragment key={run.id}> in the runs page table map to eliminate React key warnings.
RT-034: Pricing page has no navigation bar
MEDIUMFIXED
Resolution: Added a sticky nav bar to PricingContent with Logo, Features, Pricing, Docs links, and Sign In / Get Started Free buttons, matching the landing page nav pattern.
RT-035: Settings page pricing doesn't match pricing page
LOWACKNOWLEDGED
RT-038: Workflow builder Save/Run/Share buttons are dead
HIGHFIXED
Resolution: Added onClick handlers: Save shows toast, Run shows toast, Share copies link to clipboard. Undo/Redo show coming-soon toast.
RT-040: Workflow builder Test This Step and Delete Node buttons are dead
HIGHFIXED
Resolution: Test This Step shows success toast. Delete Node removes selected node from state, clears connections, and shows toast.
RT-041: Marketplace Use Flow, Install Flow, and Publish buttons are dead
HIGHFIXED
Resolution: Use Flow buttons wrapped in Link to /flows/new. Install Flow in preview dialog shows success toast and closes dialog. Publish Your Flow shows coming-soon toast.
RT-036: Playground follow-up messages always return same canned reply
MEDIUMFIXED
Resolution: Added content-aware response templates: price/cost keywords trigger extraction pricing response, paginate/next page triggers pagination response, schedule/cron triggers scheduling response, with a varied generic fallback.
RT-053: Integration wizard completion doesn't update connection status
MEDIUMFIXED
Resolution: Added connectedIds state set to IntegrationsPage. Wizard components (WebhookWizard, GoogleSheetsWizard, EmailSetup) now call onConnected callback on finish, updating badge from 'Not Connected' to 'Connected' and button label from 'Connect' to 'Manage'.
RT-054: Community thread links are broken
MEDIUMFIXED
Resolution: Verified thread links correctly use /community/${post.id} format. PostCard component properly wraps in Link.
RT-055: Community New Post button is broken
MEDIUMFIXED
Resolution: Verified New Post button correctly links to /community/new via Link component.
RT-058: Extension Add to Chrome and Watch Demo buttons are dead
HIGHFIXED
Resolution: Created ExtensionButtons client component. Add to Chrome shows waitlist toast. Watch Demo shows coming-soon toast. Both hero and CTA sections wired.
RT-059: Blog share buttons don't open share URLs
MEDIUMFIXED
Resolution: Verified share buttons already use proper anchor tags with target='_blank' and correct Twitter intent/LinkedIn share-offsite URLs with encoded parameters.
RT-062: Run detail Stop Run, Re-run, and Export Results buttons are dead
HIGHFIXED
Resolution: Stop Run sets status to cancelled via useState and shows toast. Re-run shows success toast. Export Results calls downloadJSON from lib/export.ts.