Security Audit Report

SECURITY-AUDIT-2026-01-28.pdf

1 findingsScanned Jan 28, 2026

ewa.crawfort.com

App Router

1Low

Attack Surface

Routes

Query Params

Custom Headers

GET

/_app

GET

/.well-known/openid-configuration

GET

/404

GET

/api

GET

/api/auth/me

GET

/api/csrf-token

GET

/api/employee/notifications

?limit?status?type

GET

/api/employee/notifications/stream

POST

/auth/login

POST

/auth/logout

POST

/auth/magic-link/send

GET

/auth/me

POST

/auth/phone/send-otp

POST

/auth/phone/verify

GET

/csrf-token

GET

/devicecode

?client_id?scope

GET

/discovery/v2.0/keys

GET

/employee

GET

/employee/forgot-password

GET

/employee/home

GET

/employee/login

?logout

GET

/employee/notifications

DELETE

/employee/notifications/[id]

PUT

/employee/notifications/[id]/read

POST

/employee/notifications/bulk-delete

PUT

/employee/notifications/bulk-read

PATCH

/employee/preferences

GET

/employee/profile

GET

/employee/transactions

GET

/employer

GET

/employer/home

GET

/forgot-password

GET

/login

GET

/oauth2/v2.0/authorize

?brk_client_id?brk_redirect_uri?claims?client-request-id?client_id?code_challenge?code_challenge_method?instance_aware?login_hint?redirect_uri?response_type?scope?sid?state

GET

/oauth2/v2.0/logout

GET

/oauth2/v2.0/token

?client_assertion?client_assertion_type?client_id?client_info?client_secret?code?grant_type?redirect_uri?refresh_token?req_cnf?scope?token_type

GET

/otp-verification

GET

/reset-password

GET

/token

?client_assertion?client_assertion_type?client_id?client_secret?code?grant_type?redirect_uri?refresh_token?scope

POST

/users/login

POST

/users/oauth-login

POST

/users/refresh

PATCH

/users/update-preferences

X-AnchorMailbox

X-CSRF-Token

client-request-id

next-action

next-hmr-refresh

next-resume

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

purpose

rsc

x-action-redirect

x-action-revalidated

x-app-name

x-app-ver

x-client-CPU

x-client-OS

x-client-SKU

x-client-VER

x-client-current-telemetry

x-client-last-telemetry

x-deployment-id

x-matched-path

x-middleware-cache

x-middleware-prefetch

x-middleware-skip

x-ms-httpver

x-ms-lib-capability

x-ms-request-id

x-next-cache-tags

x-next-revalidate-tag-token

x-next-revalidated-tags

x-nextjs-action-not-found

x-nextjs-data

x-nextjs-html-request-id

x-nextjs-matched-path

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-redirect

x-nextjs-request-id

x-nextjs-rewrite

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

x-prerender-revalidate

x-prerender-revalidate-if-generated

Security Findings

LOW

Unauthenticated Endpoint: /api/csrf-token

Endpoint is accessible without authentication (HTTP 200)

Finding #1 of 1

Endpoint is accessible without authentication (HTTP 200)

Location

https://ewa.crawfort.com/api/csrf-token

Remediation

Review if this endpoint should require authentication

ewa.crawfort.com

Attack Surface

Routes (44)

Custom Headers (47)

Security Findings

Unauthenticated Endpoint: /api/csrf-token