Security Report for mesh3d.gallery | Grade D | Hardenly

Security Audit Report

SECURITY-AUDIT-2026-04-03.pdf

5 findingsScanned Apr 3, 2026

mesh3d.gallery

D

App Router

2High

3Low

Attack Surface

57

Routes

24

Query Params

40

Custom Headers

GET

/

POST

/[function]

?forceFunctionRegion

GET

/about

GET

/admin

POST

/admin/generate_link

?redirect_to

GET

/admin/oauth/clients

?page?per_page

GET

/admin/oauth/clients/[id]

POST

/admin/oauth/clients/[id]/regenerate_secret

GET

/admin/users

?page?per_page

GET

/admin/users/[id]

GET

/admin/users/[userId]/factors

DELETE

/admin/users/[userId]/factors/[id]

POST

/api/broadcast

GET

/api/page-metadata

?url

POST

/api/send

GET

/api/tags

GET

/auth/login

GET

/bucket

?limit?offset?search?sortColumn?sortOrder

GET

/bucket/[id]

POST

/bucket/[id]/empty

POST

/CreateIndex

POST

/CreateVectorBucket

POST

/DeleteIndex

POST

/DeleteVectorBucket

POST

/DeleteVectors

POST

/GetIndex

POST

/GetVectorBucket

POST

/GetVectors

POST

/invite

?redirect_to

POST

/ListIndexes

POST

/ListVectorBuckets

POST

/ListVectors

POST

/logout

?scope

GET

/makers

GET

/namespaces

?parent

GET

/namespaces/[namespace]

GET

/namespaces/[namespace]/tables

GET

/namespaces/[namespace]/tables/[name]

?purgeRequested

GET

/object/[key]

POST

/object/copy

GET

/object/info/[path]

POST

/object/list-v2/[bucketId]

POST

/object/list/[bucketId]

POST

/object/move

GET

/object/public/[path]

?download?format?height?quality?resize?width

POST

/object/sign/[path]

GET

/object/upload/sign/[path]

?token

GET

/partner

GET

/profile

POST

/PutVectors

POST

/QueryVectors

GET

/ROOT

GET

/rpc/[name]

GET

/settings

GET

/submit

GET

/website/[slug]

GET

/websites

?tags

ACTION_HEADER

NEXT_ACTION_NOT_FOUND_HEADER

NEXT_DID_POSTPONE_HEADER

NEXT_IS_PRERENDER_HEADER

NEXT_ROUTER_PREFETCH_HEADER

NEXT_ROUTER_SEGMENT_PREFETCH_HEADER

NEXT_ROUTER_STALE_TIME_HEADER

NEXT_ROUTER_STATE_TREE_HEADER

NEXT_RSC_UNION_QUERY

NEXT_URL

RSC_CONTENT_TYPE_HEADER

RSC_HEADER

X-Client-Info

X-Iceberg-Access-Delegation

X-Supabase-Api-Version

_rsc

apikey

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

x-action-redirect

x-action-revalidated

x-deployment-id

x-metadata

x-nextjs-action-not-found

x-nextjs-html-request-id

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-request-id

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

x-region

x-relay-error

x-umami-cache

x-upsert

Security Findings

2 findings redacted

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#1 of 5

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#2 of 5

LOW

Unauthenticated Endpoint: /api/page-metadata

Endpoint is accessible without authentication (HTTP 200)

Finding #3 of 5

Endpoint is accessible without authentication (HTTP 200)

Location

https://mesh3d.gallery/api/page-metadata

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/tags

Endpoint is accessible without authentication (HTTP 200)

Finding #4 of 5

Endpoint is accessible without authentication (HTTP 200)

Location

https://mesh3d.gallery/api/tags

Remediation

Review if this endpoint should require authentication

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #5 of 5

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://mesh3d.gallery

Remediation

Add a Content-Security-Policy header in next.config.js:

async headers() {
  return [{
    source: '/(.*)',
    headers: [
      { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" },
    ],
  }]
}

Other Recent Reports