Security Audit Report

SECURITY-AUDIT-2026-01-19.pdf

1 findingsScanned Jan 19, 2026

studentsgpt.ai

App Router

1Low

Attack Surface

144

Routes

Query Params

Custom Headers

GET

/_log

?code?level

GET

/api/affiliate/dashboard

POST

/api/affiliate/register

POST

/api/auth/register

GET

/api/auth/signin

?callbackUrl?error

GET

/api/blog

GET

/api/history/all

POST

/api/history/Multi_model_image_generator/image_generation

GET

/api/history/PPT_generator/Edit_PPT_generation

?sessionId

POST

/api/history/PPT_generator/image_collection

POST

/api/Open_ai/pdf

GET

/api/presentations/[id]

GET

/api/presentations/original/[id]

GET

/api/proxy/flux

?endpoint

GET

/api/proxy/flux-image

?url

GET

/api/proxy/ideogram

?url

GET

/api/proxy/ideogram-image

?url

POST

/api/send-feedback

POST

/api/upload

GET

/api/user/tokens

POST

/assistants

?after

GET

/assistants/[e]

POST

/audio/speech

POST

/audio/transcriptions

POST

/audio/translations

POST

/batches

?after

GET

/batches/[e]

POST

/batches/[e]/cancel

GET

/blog

GET

/Blog_generator

GET

/blog/[slug]

GET

/callback/[provider]

?error

GET

/chat_page

GET

/chat_page/subject_AI/10_chat_page

GET

/chat_page/subject_AI/11_chat_page

GET

/chat_page/subject_AI/12_chat_page

GET

/chat_page/subject_AI/Ayurveda_chat_page

GET

/chat_page/subject_AI/Dental_chat_page

GET

/chat_page/subject_AI/Law_chat_page

GET

/chat_page/subject_AI/MBA_chat_page

GET

/chat_page/subject_AI/Medical_chat_page

GET

/chat_page/subject_AI/Veterinary_chat_page

POST

/chat/completions

?after

GET

/chat/completions/[e]

GET

/chat/completions/[e]/messages

?after

POST

/completions

GET

/csrf

GET

/dashboard

GET

/dashboard/billing

GET

/dashboard/feedback

GET

/dashboard/history

GET

/dashboard/settings

POST

/embeddings

GET

/error

POST

/files

?after

GET

/files/[e]

GET

/files/[e]/content

POST

/fine_tuning/jobs

?after

GET

/fine_tuning/jobs/[e]

POST

/fine_tuning/jobs/[e]/cancel

GET

/fine_tuning/jobs/[e]/checkpoints

?after

GET

/fine_tuning/jobs/[e]/events

?after

POST

/images/edits

POST

/images/generations

POST

/images/variations

GET

/insights

GET

/landing_page/about-us

GET

/landing_page/affiliate

GET

/landing_page/affiliate/dashboard

GET

/landing_page/affiliate/dashboard/analytics

GET

/landing_page/api-reference

GET

/landing_page/blog

GET

/landing_page/careers

GET

/landing_page/community

GET

/landing_page/contactus

GET

/landing_page/contribute

POST

/landing_page/contribute/api/upload

GET

/landing_page/cookie-policy

GET

/landing_page/documentation

GET

/landing_page/privacy-policy

GET

/landing_page/raise-ticket

GET

/landing_page/security

GET

/landing_page/sitemap

GET

/landing_page/terms-of-service

GET

/landing_page/tutorials

GET

/models

?after

GET

/models/[e]

POST

/moderations

GET

/Multi_model_chat

POST

/Multi_model_chat/api/Claude/chat

POST

/Multi_model_chat/api/Claude/pdf

POST

/Multi_model_chat/api/Gemini/chat

POST

/Multi_model_chat/api/Gemini/vision

POST

/Multi_model_chat/api/Groq/chat

POST

/Multi_model_chat/api/Groq/pdf

POST

/Multi_model_chat/api/Groq/vision

POST

/Multi_model_chat/api/Open_ai/chat

POST

/Multi_model_chat/api/Open_ai/image

POST

/Multi_model_chat/api/Open_ai/pdf

GET

/Multi_model_image_generator

POST

/Multi_model_image_generator/api/ideogram

GET

/Plagiarism_remover

GET

/PPT_Generator

POST

/PPT_Generator/api/generate-summary

POST

/PPT_Generator/api/scrape-urls

POST

/PPT_Generator/api/stability

POST

/PPT_Generator/api/vector-search

GET

/PPT_Generator/edit/[id]

GET

/ppt/charts/chart[n].xml

GET

/providers

POST

/realtime/sessions

POST

/responses

GET

/responses/[e]

GET

/responses/[e]/input_items

?after

GET

/session

GET

/signin

?callbackUrl?error

GET

/signin/[provider]

?callbackUrl?csrfToken?error?json

GET

/signout

?callbackUrl?csrfToken?json

POST

/threads

GET

/threads/[e]

POST

/threads/[e]/messages

?after

GET

/threads/[e]/messages/[t]

GET

/threads/[e]/runs

?after

GET

/threads/[e]/runs/[t]

POST

/threads/[e]/runs/[t]/cancel

GET

/threads/[e]/runs/[t]/steps

?after

GET

/threads/[e]/runs/[t]/steps/[s]

POST

/threads/[e]/runs/[t]/submit_tool_outputs

POST

/threads/runs

POST

/uploads

POST

/uploads/[e]/cancel

POST

/uploads/[e]/complete

POST

/uploads/[e]/parts

POST

/vector_stores

?after

GET

/vector_stores/[e]

POST

/vector_stores/[e]/file_batches

GET

/vector_stores/[e]/file_batches/[t]

POST

/vector_stores/[e]/file_batches/[t]/cancel

GET

/vector_stores/[e]/file_batches/[t]/files

?after

POST

/vector_stores/[e]/files

?after

GET

/vector_stores/[e]/files/[t]

GET

/vector_stores/[e]/files/[t]/content

?after

POST

/vector_stores/[e]/search

Next-Action

Next-HMR-Refresh

Next-Router-Prefetch

Next-Router-Segment-Prefetch

Next-Router-State-Tree

Next-Url

OpenAI-Beta

OpenAI-Organization

OpenAI-Project

RSC

X-Stainless-Custom-Poll-Interval

X-Stainless-Helper-Method

X-Stainless-Poll-Helper

anthropic-version

x-action-redirect

x-action-revalidated

x-goog-api-client

x-goog-api-key

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

x-stainless-retry-count

x-stainless-timeout

Security Findings

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #1 of 3

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://studentsgpt.ai

Remediation

Add a Content-Security-Policy header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" }, ], }] } ```

INFO

Missing X-Content-Type-Options Header

The X-Content-Type-Options header is not set

Finding #2 of 3

The X-Content-Type-Options header is not set. This header prevents MIME-sniffing attacks by instructing browsers to respect the declared Content-Type. Modern browsers have largely mitigated MIME-sniffing risks.

Location

https://studentsgpt.ai

Remediation

Add an X-Content-Type-Options header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'X-Content-Type-Options', value: 'nosniff' }, ], }] } ```

INFO

Missing X-Frame-Options Header

The X-Frame-Options header is not set

Finding #3 of 3

The X-Frame-Options header is not set. This header prevents clickjacking attacks by controlling whether the page can be embedded in iframes. Note that CSP's frame-ancestors directive supersedes this header in modern browsers.

Location

https://studentsgpt.ai

Remediation

Add an X-Frame-Options header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'X-Frame-Options', value: 'DENY' }, ], }] } ``` Or use CSP's frame-ancestors directive for more flexibility.

studentsgpt.ai

Attack Surface

Routes (144)

Custom Headers (25)

Security Findings

Missing Content-Security-Policy Header

Missing X-Content-Type-Options Header

Missing X-Frame-Options Header