Security Audit Report
Pages Router
8 Routes
0 Query Params
4 Custom Headers
Credentials or API keys may be exposed in client-side code.
User input rendered without proper sanitization.
Database queries constructed using unsanitized user input.
Untrusted data deserialized without validation.
Endpoint is accessible without authentication (HTTP 200)
Location
https://wpengine.com/console
Remediation
Review whether this endpoint should require authentication.
Endpoint is accessible without authentication (HTTP 200)
Location
https://wpengine.com/dev
Remediation
Review whether this endpoint should require authentication.
The Content-Security-Policy header is not set
The Content-Security-Policy header is not set. CSP provides defense-in-depth against XSS and data injection attacks by restricting resource loading sources.
Location
https://wpengine.com
Remediation
Add a Content-Security-Policy header in next.config.js (the headers() function belongs inside the exported config object). Note that 'unsafe-inline' for style-src weakens the policy; consider deploying it first as Content-Security-Policy-Report-Only to confirm it does not break legitimate resource loading before enforcing it.

    // next.config.js
    module.exports = {
      async headers() {
        return [
          {
            // Apply the policy to every route
            source: '/(.*)',
            headers: [
              {
                key: 'Content-Security-Policy',
                value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';",
              },
            ],
          },
        ];
      },
    };