Confirmation email sent with receipt details

Why it matters

A confirmation email is the shopper's receipt, their order-number reference for support tickets, and their trust signal that the payment went through. Missing it triggers support load ("did my order go through?"), chargebacks from shoppers who don't remember the purchase, and erodes repeat-purchase trust. It's also often a legal requirement under consumer-protection regimes — EU Consumer Rights Directive Article 8 mandates confirmation of distance contracts in a durable medium, which a missing email fails outright.

Remediation

Call a transactional email service (Resend, Postmark, SendGrid, SES) from the order completion handler at src/app/api/orders/route.ts. Include order number, line items, total, and shipping/tracking info. Send before returning success to the client so the email is sent even if the client navigates away.

await sendEmail({ to: order.customerEmail, template: 'order-confirmation', data: { orderNumber: order.id, items: order.items, total: order.total, trackingUrl: `https://yoursite.com/orders/${order.id}/tracking` } })

Detection

ID: ecommerce-cart-ux.order-confirmation.confirmation-email
Severity: medium
What to look for: Search backend code for email sending logic triggered after order completion. Count all email service integrations (SendGrid, Mailgun, AWS SES, Resend, Postmark, nodemailer). Find the order completion handler (e.g., src/app/api/orders/route.ts, src/app/api/checkout/route.ts) and check whether it calls an email sending function. Count how many of these 4 data fields are included in the email: (1) order number, (2) line items, (3) total price, (4) shipping/tracking info. Quote the email template path or the sendEmail call.
Pass criteria: At least 1 email sending call exists in the order completion flow, and the email payload includes at least 3 of 4 required data fields (order number, items, total, shipping info). Report: "Email sent via [service] in [file]. Template includes X of 4 required fields."
Fail criteria: No email sending logic found after purchase completion, or the email includes fewer than 3 of 4 required data fields.
Skip (N/A) when: The project has no order processing backend (static site, frontend-only prototype with no server-side order handling).
Detail on fail: Example: "Order completion handler at src/app/api/orders/route.ts creates the order but has no email sending call. 0 email service integrations found in package.json. No confirmation email is sent to customer."
Cross-reference: For the confirmation page content, see the confirmation-page check above. For email deliverability and SPF/DKIM configuration, the Security Headers audit covers email-related DNS records.

Remediation: Add transactional email in your order API route at src/app/api/orders/route.ts:

// src/app/api/orders/route.ts
import { sendEmail } from '@/lib/email'

export async function POST(req) {
  const order = await createOrder(req.body)

  await sendEmail({
    to: order.customerEmail,
    template: 'order-confirmation',
    data: {
      orderNumber: order.id,
      items: order.items,
      total: order.total,
      trackingUrl: `https://yoursite.com/orders/${order.id}/tracking`
    }
  })

  return { success: true, orderId: order.id }
}

Why it matters

Remediation

await sendEmail({ to: order.customerEmail, template: 'order-confirmation', data: { orderNumber: order.id, items: order.items, total: order.total, trackingUrl: `https://yoursite.com/orders/${order.id}/tracking` } })

Detection

ID: ecommerce-cart-ux.order-confirmation.confirmation-email
Severity: medium
What to look for: Search backend code for email sending logic triggered after order completion. Count all email service integrations (SendGrid, Mailgun, AWS SES, Resend, Postmark, nodemailer). Find the order completion handler (e.g., src/app/api/orders/route.ts, src/app/api/checkout/route.ts) and check whether it calls an email sending function. Count how many of these 4 data fields are included in the email: (1) order number, (2) line items, (3) total price, (4) shipping/tracking info. Quote the email template path or the sendEmail call.
Pass criteria: At least 1 email sending call exists in the order completion flow, and the email payload includes at least 3 of 4 required data fields (order number, items, total, shipping info). Report: "Email sent via [service] in [file]. Template includes X of 4 required fields."
Fail criteria: No email sending logic found after purchase completion, or the email includes fewer than 3 of 4 required data fields.
Skip (N/A) when: The project has no order processing backend (static site, frontend-only prototype with no server-side order handling).
Detail on fail: Example: "Order completion handler at src/app/api/orders/route.ts creates the order but has no email sending call. 0 email service integrations found in package.json. No confirmation email is sent to customer."
Cross-reference: For the confirmation page content, see the confirmation-page check above. For email deliverability and SPF/DKIM configuration, the Security Headers audit covers email-related DNS records.

Remediation: Add transactional email in your order API route at src/app/api/orders/route.ts:

// src/app/api/orders/route.ts
import { sendEmail } from '@/lib/email'

export async function POST(req) {
  const order = await createOrder(req.body)

  await sendEmail({
    to: order.customerEmail,
    template: 'order-confirmation',
    data: {
      orderNumber: order.id,
      items: order.items,
      total: order.total,
      trackingUrl: `https://yoursite.com/orders/${order.id}/tracking`
    }
  })

  return { success: true, orderId: order.id }
}

Confirmation email sent with receipt details

Why it matters

Severity rationale

Remediation

Detection

Taxons

History

Confirmation email sent with receipt details

Why it matters

Severity rationale

Remediation

Detection

Taxons

History