Findings
7 of 7 findings
SEC-001 | CRITICAL | Correlated | Missing authentication on /api/users endpoint
Evidence
HTTP 200 returned without Authorization header. Static analysis confirms no auth decorator on route handler.
Remediation
Require Bearer token. Return 401 for unauthenticated requests. Add @requires_auth decorator to the route.
SEC-002 | HIGH | Black-box | CORS wildcard with credentials allowed
Evidence
Response headers: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true
Remediation
Never combine wildcard CORS origin with credentials. Specify an explicit allowlist of trusted origins.
SEC-003 | HIGH | White-box | Hardcoded AWS access key in source
Evidence
AKIAIOSFODNN7EXAMPLE found at line 18 — matches AWS access key pattern.
Remediation
Remove the key immediately and rotate it in AWS IAM. Use environment variables or a secrets manager.
SEC-004 | MEDIUM | Black-box | Missing Content-Security-Policy header
Affected endpoints (3)
GET /health
GET /api/v3/user
GET /api/v3/store/inventory
Evidence
Content-Security-Policy header absent from all responses.
Remediation
Add a Content-Security-Policy header. Start with: default-src 'self'
SEC-005 | MEDIUM | Black-box | Server version disclosed in response
Evidence
Server: nginx/1.18.0 disclosed in response headers.
Remediation
Configure your reverse proxy to omit or mask the Server header.
SEC-006 | MEDIUM | Black-box | No rate limiting on authentication endpoint
Evidence
Sent 50 requests in 5s — all returned HTTP 200 with no throttling or 429 response.
Remediation
Implement rate limiting on auth endpoints. Recommended: 5 attempts per minute per IP.
SEC-007 | LOW | Black-box | Internal IP address in error response
Evidence
Response body contains: "upstream: 10.0.1.42:5432"
Remediation
Sanitize error messages before returning them to clients. Never expose internal network topology.