Security Audit Report

SECURITY-AUDIT-2026-01-27.pdf

0 findingsScanned Jan 27, 2026

landshelf.com

A+

App Router

Attack Surface

Routes

Query Params

Custom Headers

GET

?bathroom?bedroom?carport?location?map?max?min?page?search?sort?status?type

GET

/[username]

GET

/about-us

GET

/account

GET

/api/google

GET

/archive

GET

/cdn-cgi/l/email-protection

GET

/edit/[id]

GET

/engine.io

?EIO?b64?sid?t?transport

GET

/forgot-password

GET

/new-listing

GET

/property/[id]

GET

/register

GET

/save

GET

/seller

GET

/sign-in

GET

/sign-up

GET

/socket.io

?EIO?b64?sid?t?transport

GET

/user/[username]

Next-Action

Next-HMR-Refresh

Next-Router-Prefetch

Next-Router-Segment-Prefetch

Next-Router-State-Tree

Next-Url

RSC

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-stale-time

Security Findings

INFO

Missing X-Content-Type-Options Header

The X-Content-Type-Options header is not set

Finding #1 of 2

The X-Content-Type-Options header is not set. This header prevents MIME-sniffing attacks by instructing browsers to respect the declared Content-Type. Modern browsers have largely mitigated MIME-sniffing risks.

Location

https://landshelf.com

Remediation

Add an X-Content-Type-Options header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'X-Content-Type-Options', value: 'nosniff' }, ], }] } ```

INFO

Missing X-Frame-Options Header

The X-Frame-Options header is not set

Finding #2 of 2

The X-Frame-Options header is not set. This header prevents clickjacking attacks by controlling whether the page can be embedded in iframes. Note that CSP's frame-ancestors directive supersedes this header in modern browsers.