Security Audit Report

SECURITY-AUDIT-2026-01-29.pdf

4 findingsScanned Jan 29, 2026

basement-devs.com

App Router

3High

1Low

Attack Surface

Routes

Query Params

Custom Headers

GET

POST

/api/tickets/upload

GET

/config/tickets

GET

/dashboard

GET

/login

?redirect

POST

/oauth/switch-account

GET

/public/discord/guild

?guildId

GET

/public/discord/members

?guildId?roleId

GET

/public/discord/user/:discordId

POST

/sessions/logout

GET

/sessions/me

GET

/staff

GET

/tickets

?limit?page?status

GET

/tickets/[id]

NEXT_DID_POSTPONE_HEADER

NEXT_REWRITTEN_PATH_HEADER

NEXT_REWRITTEN_QUERY_HEADER

NEXT_ROUTER_PREFETCH_HEADER

NEXT_ROUTER_SEGMENT_PREFETCH_HEADER

NEXT_ROUTER_STALE_TIME_HEADER

NEXT_ROUTER_STATE_TREE_HEADER

NEXT_RSC_UNION_QUERY

NEXT_URL

RSC_HEADER

X-CSRF-Token

_rsc

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

x-action-redirect

x-action-revalidated

x-nextjs-action-not-found

x-nextjs-html-request-id

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-request-id

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

3 findings redacted

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#1 of 4

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#2 of 4

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#3 of 4

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #4 of 4

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://basement-devs.com

Remediation

Add a Content-Security-Policy header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" }, ], }] } ```

basement-devs.com

Attack Surface

Routes (14)

Custom Headers (29)

Security Findings

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing Content-Security-Policy Header