Security Audit Report

SECURITY-AUDIT-2026-02-03.pdf

1 findingsScanned Feb 3, 2026

flenly.com

App Router

1Low

Attack Surface

Routes

Query Params

Custom Headers

GET

/about

GET

/affiliates

GET

/api/app/me

POST

/api/auth/callback/[provider]

GET

/api/auth/csrf

GET

/api/auth/error

GET

/api/auth/providers

GET

/api/auth/session

GET

/api/auth/signin

?callbackUrl?error

POST

/api/auth/signin/[provider]

?code?error

POST

/api/auth/signout

POST

/api/auth/signup-request

POST

/api/contact

GET

/app

?callbackUrl?impersonateToken

GET

/app/credits

GET

/app/profile

GET

/blog

GET

/cdn-cgi/l/email-protection

GET

/community

GET

/contact

GET

/cookie

GET

/discover

GET

/docs

GET

/features/ai-characters

GET

/features/ai-movie-maker

GET

/features/ai-video-generation

GET

/features/ai-video-studio

GET

/pricing

GET

/privacy

GET

/refund

GET

/reset-password

GET

/sign-out

GET

/sign-up

GET

/terms

NEXT_DID_POSTPONE_HEADER

NEXT_REWRITTEN_PATH_HEADER

NEXT_REWRITTEN_QUERY_HEADER

NEXT_ROUTER_PREFETCH_HEADER

NEXT_ROUTER_SEGMENT_PREFETCH_HEADER

NEXT_ROUTER_STALE_TIME_HEADER

NEXT_ROUTER_STATE_TREE_HEADER

NEXT_URL

RSC_HEADER

X-Auth-Return-Redirect

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

x-action-redirect

x-action-revalidated

x-nextjs-action-not-found

x-nextjs-html-request-id

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-request-id

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #1 of 1

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://flenly.com

Remediation

Add a Content-Security-Policy header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" }, ], }] } ```

flenly.com

Attack Surface

Routes (35)

Custom Headers (27)

Security Findings

Missing Content-Security-Policy Header