Security Audit Report

SECURITY-AUDIT-2026-01-28.pdf

1 findingsScanned Jan 28, 2026

staging-ewa.crawfort.com

App Router

1Low

Attack Surface

Routes

Query Params

Custom Headers

GET

?_rsc

GET

/.well-known/openid-configuration

GET

/{tenantid}/discovery/v2.0/keys

GET

/{tenantid}/oauth2/v2.0/authorize

GET

/{tenantid}/oauth2/v2.0/logout

GET

/{tenantid}/oauth2/v2.0/token

GET

/{tenantid}/v2.0

GET

/404

GET

/api

GET

/api/auth/me

GET

/api/csrf-token

GET

/api/employee/notifications

?limit?status?type

GET

/api/employee/notifications/stream

POST

/auth/login

POST

/auth/logout

POST

/auth/magic-link/send

GET

/auth/me

POST

/auth/phone/send-otp

POST

/auth/phone/verify

GET

/csrf-token

GET

/devicecode

GET

/discovery/instance

?api-version?authorization_endpoint

GET

/employee

GET

/employee/forgot-password

GET

/employee/home

GET

/employee/login

?logout

GET

/employee/notifications

DELETE

/employee/notifications/[id]

PUT

/employee/notifications/[id]/read

POST

/employee/notifications/bulk-delete

PUT

/employee/notifications/bulk-read

PATCH

/employee/preferences

GET

/employee/profile

GET

/employee/transactions

GET

/employer

GET

/employer/home

GET

/forgot-password

GET

/login

?error?force_role_selection?logout?magic_link_success?oauth_success?redirect

GET

/metadata/instance/compute/location

?api-version?format

GET

/oauth2/v2.0/authorize

GET

/oauth2/v2.0/logout

GET

/oauth2/v2.0/token

GET

/otp-verification

GET

/reset-password

GET

/token

POST

/users/login

POST

/users/oauth-login

POST

/users/refresh

PATCH

/users/update-preferences

GET

/v2.0/.well-known/openid-configuration

X-AnchorMailbox

X-CSRF-Token

brk_client_id

brk_redirect_uri

client-request-id

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

purpose

rsc

x-action-redirect

x-action-revalidated

x-app-name

x-app-ver

x-client-CPU

x-client-OS

x-client-SKU

x-client-VER

x-client-current-telemetry

x-client-last-telemetry

x-deployment-id

x-matched-path

x-middleware-cache

x-middleware-prefetch

x-middleware-skip

x-ms-httpver

x-ms-lib-capability

x-ms-request-id

x-nextjs-action-not-found

x-nextjs-data

x-nextjs-html-request-id

x-nextjs-matched-path

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-redirect

x-nextjs-request-id

x-nextjs-rewrite

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

LOW

Unauthenticated Endpoint: /api/csrf-token

Endpoint is accessible without authentication (HTTP 200)

Finding #1 of 1

Endpoint is accessible without authentication (HTTP 200)

Location

https://staging-ewa.crawfort.com/api/csrf-token

Remediation

Review if this endpoint should require authentication

staging-ewa.crawfort.com

Attack Surface

Routes (50)

Custom Headers (43)

Security Findings

Unauthenticated Endpoint: /api/csrf-token