Hardcoded localhost URL
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A literal http://localhost or 127.0.0.1 URL in application code works on a developer machine but points at nothing in production. It is almost always a value that belongs in an environment variable.
Why it matters
A literal http://localhost or 127.0.0.1 URL in application code resolves to the developer machine. In production that address points at nothing (or worse, at the server itself), so the request fails or hits an unintended target. It is almost always a configuration value that was hardcoded during development.
How to fix it
Move the base URL into an environment variable and read it through process.env, with a sensible local default. Use a NEXT_PUBLIC_ variable only if the value must be visible in the browser; otherwise read it in server code so it is not exposed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo