The latest articles on DEV Community by Mustafa Salim Erek (@mustafa_salimerek_c95e3e). https://dev.to/mustafa_salimerek_c95e3e https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4005470%2Fc1e27672-a5b3-4c04-b4d4-20b8290adfbc.png https://dev.to/mustafa_salimerek_c95e3e en Mustafa Salim Erek Sat, 27 Jun 2026 14:15:36 +0000 https://dev.to/mustafa_salimerek_c95e3e/catch-the-boring-launch-killers-leaked-keys-missing-privacy-policy-ai-disclosure-from-inside-49ji https://dev.to/mustafa_salimerek_c95e3e/catch-the-boring-launch-killers-leaked-keys-missing-privacy-policy-ai-disclosure-from-inside-49ji <p>Every time I'm about to ship something, the same boring things bite me. Not the features — the unglamorous stuff: a key that ended up in a frontend bundle, an app with an AI chat and no disclosure, a landing page with no privacy policy two days before an EU launch.</p> <p>None of it is hard. It's just easy to forget, and the cost of forgetting is real: an App Store rejection, a GDPR complaint, a leaked credential someone finds in your main.js.</p> <p>So I made myself a checklist. Then I got tired of running it by hand and built it into the tool I already live in — my AI coding agent. This post is that checklist (useful on its own), plus how I wired it into Claude Code with MCP.</p> <h2> The boring stuff that actually gets you </h2> <p>Secrets in your frontend — bundlers inline that "just for now" API key; grep your deployed main.[hash].js for sk-, AKIA, sk_live_.<br> Exposed .env / .git — a lot of deploys serve /.env or /.git/config with a 200.<br> Security headers — missing CSP, X-Frame-Options, HSTS, X-Content-Type-Options.<br> Privacy policy &amp; terms — stores require them; GDPR effectively does too.<br> AI disclosure — EU AI Act Art. 50, CA SB 243, Apple 5.1.2 if your app talks with AI.<br> Trackers &amp; cookie consent — a pixel with no consent path is the classic miss.</p> <h2> Why I put it in my AI coding tool — MCP lets AI clients (Claude Code, Codex, Gemini CLI, Cursor) call external tools, so "scan my app" becomes something you can just say. </h2> <h2> 60-second setup </h2> <p>claude mcp add --transport http launchtrust <a href="https://mcp.launchtrust.co/mcp" rel="noopener noreferrer">https://mcp.launchtrust.co/mcp</a><br> (+ Codex config.toml and Gemini settings.json snippets) → then: "scan <a href="https://my-app.com" rel="noopener noreferrer">https://my-app.com</a> for compliance and security."</p> <h2> What a scan looks like </h2> <p>LaunchTrust free quick scan — <a href="https://my-app.com" rel="noopener noreferrer">https://my-app.com</a> (HTTP 200)<br> 3 gap(s) · 1 detected · 9 not detected<br> • [high] Privacy policy — none found<br> • [medium] Security headers — missing CSP, X-Frame-Options<br> • [medium] AI interaction disclosure — none found</p> <h2> Two principles — it never invents findings (every result traces to the page; never claims "compliant"); it's a compliance aid, not legal advice. </h2> <h2> Try it / tell me what's missing — feedback ask + open-source link. </h2> ai webdev security showdev