Security Audit Report

SECURITY-AUDIT-2026-01-27.pdf

10 findingsScanned Jan 27, 2026

vednoir.com

App Router

7High

3Low

Attack Surface

Routes

Query Params

Custom Headers

GET

/api/auth

POST

/api/logout

GET

/api/recommendations

?exclude?limit

POST

/api/send

GET

/api/session

POST

/api/subscribe

GET

/botanical-elixir

GET

/botanical-wisdom

GET

/cdn-cgi/l/email-protection

GET

/change-email

GET

/checkout

GET

/customer-support

GET

/dashboard

GET

/dashboard/orders

POST

/delete-user

GET

/get-session

GET

/herbal-ritual-oil

GET

/journal

GET

/login

GET

/phone-number/update

GET

/phone-number/verify

GET

/privacy

GET

/privacy-policy

GET

/returns-refunds

POST

/revoke-other-sessions

GET

/revoke-session

POST

/revoke-sessions

GET

/ritual-guide

GET

/seasonal-launches

GET

/shipping-policy

GET

/shop

GET

/sign-in/email

GET

/sign-in/phone-number

POST

/sign-out

GET

/sign-up/email

GET

/terms

GET

/update-user

GET

/verify

?next

GET

/verify-email

GET

/wishlist

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

x-action-redirect

x-action-revalidated

x-forwarded-host

x-forwarded-proto

x-nextjs-action-not-found

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

7 findings redacted

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#1 of 12

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#2 of 12

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#3 of 12

HIGH

Missing access control

Endpoints lack proper authorization checks.

#4 of 12

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#5 of 12

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#6 of 12

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#7 of 12

LOW

Unauthenticated Endpoint: /api/recommendations

Endpoint is accessible without authentication (HTTP 200)

Finding #8 of 12

Endpoint is accessible without authentication (HTTP 200)

Location

https://vednoir.com/api/recommendations

Remediation

Review if this endpoint should require authentication

LOW

Unauthenticated Endpoint: /api/session

Endpoint is accessible without authentication (HTTP 200)

Finding #9 of 12

Endpoint is accessible without authentication (HTTP 200)

Location

https://vednoir.com/api/session

Remediation

Review if this endpoint should require authentication

LOW

Missing Content-Security-Policy Header

The Content-Security-Policy header is not set

Finding #10 of 12

The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.

Location

https://vednoir.com

Remediation

Add a Content-Security-Policy header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" }, ], }] } ```

INFO

Missing X-Content-Type-Options Header

The X-Content-Type-Options header is not set

Finding #11 of 12

The X-Content-Type-Options header is not set. This header prevents MIME-sniffing attacks by instructing browsers to respect the declared Content-Type. Modern browsers have largely mitigated MIME-sniffing risks.

Location

https://vednoir.com

Remediation

Add an X-Content-Type-Options header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'X-Content-Type-Options', value: 'nosniff' }, ], }] } ```

INFO

Missing X-Frame-Options Header

The X-Frame-Options header is not set

Finding #12 of 12

The X-Frame-Options header is not set. This header prevents clickjacking attacks by controlling whether the page can be embedded in iframes. Note that CSP's frame-ancestors directive supersedes this header in modern browsers.

Location

https://vednoir.com

Remediation

Add an X-Frame-Options header in next.config.js: ```javascript async headers() { return [{ source: '/(.*)', headers: [ { key: 'X-Frame-Options', value: 'DENY' }, ], }] } ``` Or use CSP's frame-ancestors directive for more flexibility.

vednoir.com

Attack Surface

Routes (41)

Custom Headers (17)

Security Findings

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Unauthenticated Endpoint: /api/recommendations

Unauthenticated Endpoint: /api/session

Missing Content-Security-Policy Header

Missing X-Content-Type-Options Header

Missing X-Frame-Options Header