Mustafa Salim Erek

Catch the boring launch-killers — leaked keys, missing privacy policy, AI-disclosure — from inside Claude Code

Every time I'm about to ship something, the same boring things bite me. Not the features — the unglamorous stuff: a key that ended up in a frontend bundle, an app with an AI chat and no disclosure, a landing page with no privacy policy two days before an EU launch.

None of it is hard. It's just easy to forget, and the cost of forgetting is real: an App Store rejection, a GDPR complaint, a leaked credential someone finds in your main.js.

So I made myself a checklist. Then I got tired of running it by hand and built it into the tool I already live in — my AI coding agent. This post is that checklist (useful on its own), plus how I wired it into Claude Code with MCP.

The boring stuff that actually gets you

Secrets in your frontend — bundlers inline that "just for now" API key; grep your deployed main.[hash].js for sk-, AKIA, sk_live_.
Exposed .env / .git — a lot of deploys serve /.env or /.git/config with a 200.
Security headers — missing CSP, X-Frame-Options, HSTS, X-Content-Type-Options.
Privacy policy & terms — stores require them; GDPR effectively does too.
AI disclosure — EU AI Act Art. 50, CA SB 243, Apple 5.1.2 if your app talks with AI.
Trackers & cookie consent — a pixel with no consent path is the classic miss.
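As an added example (not code from this post or from LaunchTrust), here is an offline Python version of the first three checklist items: the bundle text, the probe status codes and the response headers are constructed inputs, and the key patterns are just the ones the post names.

```python
import re

# Patterns from the post's grep list; word boundaries keep "skip-" etc. from matching.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{8,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{8,}"),
}
REQUIRED_HEADERS = ("content-security-policy", "x-frame-options",
                    "strict-transport-security", "x-content-type-options")

def find_secrets(bundle_text):
    """Names of secret patterns that appear in a built JS bundle (never the values)."""
    return sorted(n for n, p in SECRET_PATTERNS.items() if p.search(bundle_text))

def exposed_paths(status_by_path):
    """Paths the deploy answered with 200; /.env and /.git/config never should."""
    return sorted(p for p in ("/.env", "/.git/config") if status_by_path.get(p) == 200)

def missing_headers(headers):
    """Required headers absent from a response; names compared case-insensitively."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def quick_scan(bundle_text, status_by_path, headers):
    """Combine the three checks into (severity, title, details) findings."""
    findings = []
    if hits := find_secrets(bundle_text):
        findings.append(("high", "secret-like strings in bundle", hits))
    if exposed := exposed_paths(status_by_path):
        findings.append(("high", "exposed files served with 200", exposed))
    if missing := missing_headers(headers):
        findings.append(("medium", "missing security headers", missing))
    return findings

# Constructed sample input: a fake bundle with placeholder (not real) keys, the
# status of two probes against the deploy, and the landing page's headers.
SAMPLE_BUNDLE = 'const c={key:"sk_live_EXAMPLE0000",id:"AKIAEXAMPLE000000000"};'
SAMPLE_STATUS = {"/.env": 200, "/.git/config": 404}
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'",
                  "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for sev, title, detail in quick_scan(SAMPLE_BUNDLE, SAMPLE_STATUS, SAMPLE_HEADERS):
        print(f"[{sev}] {title}: {', '.join(detail)}")
```

The bundle check reports which pattern matched rather than the matched value, so the scan output itself never re-leaks the key.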

Why I put it in my AI coding tool — MCP lets AI clients (Claude Code, Codex, Gemini CLI, Cursor) call external tools, so "scan my app" becomes something you can just say.

60-second setup

claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp
(+ Codex config.toml and Gemini settings.json snippets) → then: "scan https://my-app.com for compliance and security."

What a scan looks like

LaunchTrust free quick scan — https://my-app.com (HTTP 200)
3 gap(s) · 1 detected · 9 not detected
• [high] Privacy policy — none found
• [medium] Security headers — missing CSP, X-Frame-Options
• [medium] AI interaction disclosure — none found

Two principles — it never invents findings (every result traces to the page; never claims "compliant"); it's a compliance aid, not legal advice.

Try it / tell me what's missing — feedback ask + open-source link.
