Security Audit Report

SECURITY-AUDIT-2026-01-26.pdf

4 findingsScanned Jan 26, 2026

inject.today

App Router

4Low

Attack Surface

Routes

Query Params

Custom Headers

GET

POST

/api/auth/logout

GET

/api/auth/users/me

GET

/api/cheats

GET

/api/uploads/[file]

GET

/api/versions/current

GET

/api/versions/previous

GET

/dashboard

GET

/rdd

?binary?channel?hash?platform

NEXT_DID_POSTPONE_HEADER

NEXT_REWRITTEN_QUERY_HEADER

NEXT_ROUTER_PREFETCH_HEADER

NEXT_ROUTER_SEGMENT_PREFETCH_HEADER

NEXT_ROUTER_STALE_TIME_HEADER

NEXT_ROUTER_STATE_TREE_HEADER

NEXT_URL

RSC_CONTENT_TYPE_HEADER

RSC_HEADER

X-XSRF-TOKEN

__next_hmr_refresh_hash__

_rsc

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

x-action-revalidated

x-deployment-id

x-nextjs-action-not-found

x-nextjs-html-request-id

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-request-id

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

LOW

Unauthenticated Endpoint: /api/cheats

Endpoint is accessible without authentication (HTTP 200)

Finding #1 of 4

Endpoint is accessible without authentication (HTTP 200)

Location

https://inject.today/api/cheats

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/versions/current

Endpoint is accessible without authentication (HTTP 200)

Finding #2 of 4

Endpoint is accessible without authentication (HTTP 200)

Location

https://inject.today/api/versions/current

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/versions/previous

Endpoint is accessible without authentication (HTTP 200)

Finding #3 of 4

Endpoint is accessible without authentication (HTTP 200)

Location

https://inject.today/api/versions/previous

Remediation

Review if this endpoint should require authentication

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #4 of 4

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://inject.today

Remediation

Add a Content-Security-Policy header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" }, ], }] } ```

inject.today

Attack Surface

Routes (9)

Custom Headers (29)

Security Findings

Unauthenticated Endpoint: /api/cheats

Unauthenticated Endpoint: /api/versions/current

Unauthenticated Endpoint: /api/versions/previous

Missing Content-Security-Policy Header