Invoice like a professional.
Built for architects, engineers, consultants and contractors across Botswana.
AI invoice generation in seconds
Automated payment reminders
Multi-currency · Pula, Rand, USD+
Professional PDF export
DASHBOARD
Paid this month On track
Outstanding Pending
Overdue Action needed
Avg. payment time
Cash collected — last 6 months
Nov Dec Jan Feb Mar Apr
Action required
Recent invoices
Invoice breakdown
Paid P0 0%
Pending P0 0%
Overdue P0 0%
Recent activity
Describe your work
AI will extract client, line items, rates and VAT automatically
Edit details
Client, line items, dates, VAT
Quick select client
Line items
Description
Qty / Hrs
Rate
Amount
Live preview
Draft
YOUR FIRM
INVOICE
INV-055 ·
Your Firm
Client Name
Description · Qty · Rate · Amount
Subtotal P0
VAT (14%) P0
Total Due P0
StagePay
Number
Client
Project
Date
Amount
Status
Invoice
Amount
Overdue
Reminders
Actions
Auto-reminder schedule
Applies to all new invoices
3
3-day reminder
Gentle first nudge
7
7-day reminder
Polite follow-up
14
14-day reminder
Firm final notice
30
30-day escalation
Final demand notice
WhatsApp reminders
AI email preview — 7-day
Dear Client,

I wanted to follow up on invoice INV-051 for P11,400, which was due on 1 Apr 2025. It appears payment has not yet been received.

Please let me know if there are any issues — we are happy to assist.

Kind regards,
Your Firm
Total income
from paid invoices
Total expenses
all recorded costs
Net profit
profit margin
Record expense
Date
Description
Category
Amount
Date
Description
Category
Amount
Branding
Firm details
Invoice defaults
Payment & banking
Notifications
Plan & billing
Security
Branding
Your logo, colour and invoice template · Visible on every invoice you send
Visual identity
Logo Upload
Upload your company logo. PNG or SVG recommended. Shows on all invoices and emails.
Click to upload your logo
PNG, SVG, JPG · Max 2MB
Brand colour Customise
Used for invoice header, total row, and email accents. Pick a preset or enter a custom hex.
Presets
Live preview
KGOSI ENGINEERING
INV-055
INVOICE
ISSUE DATE
19 Apr 2025
DUE DATE
19 May 2025
STATUS
UNPAID
Consulting services P9,500
Site inspection P2,400
VAT 14% P1,666
TOTAL DUE P13,566
Invoice template PDF layout
Choose the layout for your generated PDFs.
Dark Modern
Clean Light
Minimal Line
Bold Accent
Executive
Preview
Select a template to preview
Firm details
Business name, address, registration · Printed on every invoice
Business info
Business information
This information appears on every invoice you send.
Invoice defaults
Currency, VAT rate, payment terms · Pre-fills every new invoice automatically
Auto-fill
Invoice defaults
These values pre-fill every new invoice. You can always override them per invoice.
Auto-detect VAT by country
Selecting your country sets the correct VAT rate and currency automatically.
14%
Payment & banking
Bank account details · Appear in invoice footer so clients know where to pay
Get paid
Bank account details Invoice footer
These appear in your invoice footer so clients know exactly where to pay.
Your bank details are included automatically in every PDF export and client email.
Online payments — Stripe, PayFast and other payment gateway integrations are available on the Business plan.
Notifications
Payment alerts, overdue reminders · Stay informed without checking the app
Alerts
Email notifications
Choose which events trigger an email notification to you.
Invoice viewed by client
Get notified when a client opens your invoice link
Payment received
Instant notification when a payment is confirmed
Invoice overdue
Alert when an invoice passes its due date
Reminder sent
Confirm when an automated reminder email is dispatched
Weekly summary
Monday morning report of paid, outstanding, and overdue totals
Plan & billing
Starter · Free · 2 invoices/month
FREE
Your plan
Usage this month
Invoices created
0 / 2
Danger zone
These actions are permanent and cannot be undone.
Export all data
Download all invoices, clients and settings as a ZIP file
Cancel plan
Your account will downgrade to Starter at end of billing period
Security
Two-factor authentication · Session control · Security assessment
Account protection
Two-factor authentication (TOTP)
Require a time-based one-time code from an authenticator app (Google Authenticator, Authy, 1Password) every time you sign in.
2FA disabled
Your account only uses a password.
Session security
Control how long your session stays active when you're not using the app.
You'll be signed out automatically after this period of inactivity.
Security assessment
Known risks and hardening status for this application. Severity ratings follow OWASP guidelines.
Fixed
XSS — stored cross-site scripting
User-controlled strings (client names, invoice IDs, project titles, expense descriptions) are now HTML-escaped via esc() before insertion into the DOM, preventing script injection.
OWASP A03
Fixed
Brute force — no login rate limiting
Login attempts are now capped at 5 per session. After 5 failures the form locks for 10 minutes, preventing automated credential-stuffing attacks.
OWASP A07
Fixed
Session hijacking — no inactivity timeout
Sessions now auto-expire after the configured inactivity period. Mouse, keyboard, and click events reset the timer, so active users are never logged out unexpectedly.
OWASP A07
Fixed
Weak auth — single-factor password only
TOTP-based 2FA is now available. When enabled, a valid authenticator code is required after every successful password login, even if the password is stolen.
OWASP A07
High
Plaintext passwords in memory
Passwords are stored as plaintext strings in userStore. A production deployment must hash passwords (bcrypt / Argon2) server-side and never store them client-side.
OWASP A02
High
Client-side data storage only
All invoices, clients, and session tokens live in JavaScript variables and localStorage. Any script on the page can read them. Production requires a secure backend API with server-side session management.
OWASP A02
Medium
API key exposed in localStorage
The Anthropic API key saved under sp-api-key is readable by any JavaScript on the page. In production, all API calls should be proxied through a server-side endpoint that holds the key securely.
OWASP A02
Medium
Missing CSRF protection
As a single-file SPA with no server-side state, CSRF is not directly exploitable today. If a backend is added, all state-changing endpoints must include CSRF tokens and SameSite=Strict cookies.
OWASP A01
Low
No Content Security Policy header
When deployed, a CSP header restricting script-src to 'self' and known CDN origins would eliminate an entire class of injection attacks. Requires server control.
OWASP A05
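The stored-XSS fix above, as an added example rather than StagePay's own code: esc() is the helper name the assessment gives, while the row renderers, countTags() and the sample record are hypothetical and constructed for illustration. It puts the unescaped "before" renderer next to the escaped one and shows that hostile field values stop producing extra markup.

```javascript
// Added example. Only the name esc() comes from the page; the rest is hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can end a text node or a quoted attribute value.
function esc(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before the fix: user-controlled strings concatenated straight into markup.
function renderInvoiceRowUnsafe(inv) {
  return '<tr data-id="' + inv.id + '"><td>' + inv.client + '</td>' +
         '<td>' + inv.project + '</td><td>P' + inv.amount + '</td></tr>';
}

// After the fix: every field passes through esc() before it reaches innerHTML.
function renderInvoiceRow(inv) {
  return '<tr data-id="' + esc(inv.id) + '"><td>' + esc(inv.client) + '</td>' +
         '<td>' + esc(inv.project) + '</td><td>P' + esc(inv.amount) + '</td></tr>';
}

// Count start tags a browser would see; the template itself has four (tr + 3 td).
function countTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// Constructed sample record with markup in the fields the assessment lists.
const sampleInvoice = {
  id: 'INV-055" onmouseover="alert(1)',   // tries to break out of the attribute
  client: '<img src=x onerror=alert(1)>', // tries to add an element
  project: 'Site inspection & survey',    // legitimate text that still needs escaping
  amount: 2400,
};

console.log('unsafe tags:', countTags(renderInvoiceRowUnsafe(sampleInvoice)));
console.log('safe tags:  ', countTags(renderInvoiceRow(sampleInvoice)));
console.log(renderInvoiceRow(sampleInvoice));
```

This escaping covers HTML text and quoted attribute values only; values placed in URLs, inline scripts or style attributes need context-specific encoding.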
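The login lockout described above (5 failures, then a 10-minute lock), as an added example and not StagePay's implementation: createLoginLimiter(), its result fields and the injectable clock are assumptions. State held in the page like this resets on reload, so in line with the assessment's own "client-side data storage only" finding the same counter belongs on the server in production.

```javascript
// Added example. The limits come from the page; all names are hypothetical.
const MAX_ATTEMPTS = 5;           // failures allowed before the form locks
const LOCK_MS = 10 * 60 * 1000;   // lock duration: 10 minutes

// `now` is injectable so the lock window can be tested without waiting.
function createLoginLimiter(now = () => Date.now()) {
  let failures = 0;
  let lockedUntil = 0;

  function remainingLockMs() {
    return Math.max(0, lockedUntil - now());
  }

  return {
    remainingLockMs,
    // checkPassword is a caller-supplied function returning true or false.
    attempt(checkPassword) {
      const wait = remainingLockMs();
      if (wait > 0) {
        // While locked, the credential is never evaluated, so a correct
        // guess made during the lock window is refused as well.
        return { ok: false, locked: true, retryInMs: wait, attemptsLeft: 0 };
      }
      if (lockedUntil !== 0) {      // a previous lock has expired: fresh window
        failures = 0;
        lockedUntil = 0;
      }
      if (checkPassword()) {
        failures = 0;
        return { ok: true, locked: false, retryInMs: 0, attemptsLeft: MAX_ATTEMPTS };
      }
      failures += 1;
      if (failures >= MAX_ATTEMPTS) {
        lockedUntil = now() + LOCK_MS;
        return { ok: false, locked: true, retryInMs: LOCK_MS, attemptsLeft: 0 };
      }
      return { ok: false, locked: false, retryInMs: 0,
               attemptsLeft: MAX_ATTEMPTS - failures };
    },
  };
}
```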