We found 19 issues on your site.
Cycle-Synced Training

Training that moves with you.

Adaptive programming that shifts with your cycle — every session, every phase, every shift.

Menstrual Follicular Ovulation Luteal
Your cycle
Day 8
Wave 01 ends in 04:32:17
Founding Rate · Limited

Join the founding list.

Be the first to know when Lunaro launches. Founding members lock in $10/mo for life — no codes, no gimmicks.

Founding Rate · Monthly
$29 $10
per month · locked forever
Wave 01 seats filling 72% claimed

This price is good indefinitely and cannot be transferred to another user or account. 30-day cancellation applies. If you cancel, founding pricing cannot be reinstated on a future sign-up.

Inside Lunaro

Built around your body.

01 / Adapt

Adaptive cycle-synced training

Programming that shifts intensity, volume, and movement to match the phase you're actually in.

02 / Track

Real-time progression tracking

PRs, load, readiness, and recovery captured set-by-set. See what's working this phase.

03 / Optimize

Performance & physique optimization

Strength gains and body-composition shifts coached together, not traded off.

The App

Coming soon to iOS & Android

Founding members get first access when the app launches. We'll notify you the moment it's ready.

A note from Sydney.

Founder · Sydney Soriano

Join the founding list

Be first in line when Lunaro launches. Founding members lock in $10/mo for life.

Built by Beacon Web Services

Your Digital Health Report

We audited lunaroco.ai across security, design, SEO, and legal compliance. Here's what we found.

Critical Issues

Critical: Admin dashboard exposes all signup data
The /admin page serves its full HTML to anyone — names, emails, and phone numbers are visible behind a single URL parameter. No real authentication.

Critical: Zero input validation on signup form
The signup API accepts anything — script injection, SQL payloads, 3MB name fields, and invalid emails all return 200 OK with a valid response.

Critical: No privacy policy or terms of service
Collecting names, emails, and phone numbers with no data handling disclosures. Health data (menstrual cycles) planned with no HIPAA/GDPR considerations.

Critical: No rate limiting — API can be flooded
10 rapid-fire requests all succeeded. Signup database can be filled with garbage data. Admin key can be brute-forced with no lockout.

Warnings

Warning: No security headers on any page
Missing Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Site is vulnerable to clickjacking and XSS.

Warning: CORS wide open to all origins
Any website on the internet can make API requests to your signup and admin endpoints from client-side JavaScript.

Warning: Founder code is hardcoded and identical for everyone
Every signup returns the same code "FoundersLaunch42426" regardless of input. Not tied to email, no server-side expiry. The urgency mechanics are cosmetic.

What This Demo Shows

Improved: Professional design that matches your audience
Coastal Powder palette with Outfit typography — designed for women in fitness/wellness, not a reskinned fintech template.

Improved: Honest early-bird signup flow
Simple name + email collection. No fake codes, no manufactured urgency. Real founding list that builds trust with your 23K followers.

Improved: Security-ready architecture
Input validation, rate limiting, proper authentication, privacy policy, and security headers — all planned for the production build.

Ready to upgrade your web presence?

Get Started with Beacon →