Security Report for leadmore.ai | Grade E | Hardenly

Security Audit Report

SECURITY-AUDIT-2026-04-09.pdf

13 findingsScanned Apr 9, 2026

leadmore.ai

App Router

11High

2Low

Attack Surface

Routes

Query Params

Custom Headers

GET

/.well-known/vercel/microfrontends/client-config

UNKNOWN

/api

UNKNOWN

/api/early_access_features

?token

GET

/api/sts

UNKNOWN

/api/surveys

?token

UNKNOWN

/api/web_experiments

?token

GET

/blog

GET

/video

Security Findings

11 findings redacted

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#1 of 15

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#2 of 15

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#3 of 15

HIGH

Missing access control

Endpoints lack proper authorization checks.

#4 of 15

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#5 of 15

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#6 of 15

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#7 of 15

HIGH

Missing access control

Endpoints lack proper authorization checks.

#8 of 15

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#9 of 15

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#10 of 15

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#11 of 15

LOW

Unauthenticated Endpoint: /api/sts

Endpoint is accessible without authentication (HTTP 200)

Finding #12 of 15

Endpoint is accessible without authentication (HTTP 200)

Location

https://leadmore.ai/api/sts

Remediation

Review if this endpoint should require authentication

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #13 of 15

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://leadmore.ai

Remediation

Add a Content-Security-Policy header in next.config.js:

async headers() {
  return [{
    source: '/(.*)',
    headers: [
      { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" },
    ],
  }]
}

INFO

Missing X-Content-Type-Options Header

The X-Content-Type-Options header is not set

Finding #14 of 15

The X-Content-Type-Options header is not set. This header prevents MIME-sniffing attacks by instructing browsers to respect the declared Content-Type. Modern browsers have largely mitigated MIME-sniffing risks.

Location

https://leadmore.ai

Remediation

Add an X-Content-Type-Options header in next.config.js:

async headers() {
  return [{
    source: '/(.*)',
    headers: [
      { key: 'X-Content-Type-Options', value: 'nosniff' },
    ],
  }]
}

INFO

Missing X-Frame-Options Header

The X-Frame-Options header is not set

Finding #15 of 15

The X-Frame-Options header is not set. This header prevents clickjacking attacks by controlling whether the page can be embedded in iframes. Note that CSP's frame-ancestors directive supersedes this header in modern browsers.

Location

https://leadmore.ai

Remediation

Add an X-Frame-Options header in next.config.js:

async headers() {
  return [{
    source: '/(.*)',
    headers: [
      { key: 'X-Frame-Options', value: 'DENY' },
    ],
  }]
}

Or use CSP's frame-ancestors directive for more flexibility.

Other Recent Reports

sellease.io

thesislabs.ai

leadmore.ai

Attack Surface

Routes (8)

Security Findings

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Unauthenticated Endpoint: /api/sts

Missing Content-Security-Policy Header

Missing X-Content-Type-Options Header

Missing X-Frame-Options Header