69 lines
1.8 KiB
Markdown
69 lines
1.8 KiB
Markdown
# Framework Coverage Matrix
|
|
|
|
## Next.js Pages Router
|
|
|
|
Inspect:
|
|
|
|
- `pages/api/**`
|
|
- `pages/**` forms that mutate state
|
|
- auth middleware or wrappers
|
|
- custom server or API helpers
|
|
- database and service layers under `lib/`, `src/lib/`, `utils/`
|
|
|
|
Common risks:
|
|
|
|
- missing input validation on `req.body`, `req.query`, `req.cookies`
|
|
- auth present in UI but absent in API route
|
|
- raw SQL, raw prisma calls, unsafe shell execution
|
|
- weak CORS or no rate limiting
|
|
- JWTs in browser storage
|
|
|
|
## Next.js App Router
|
|
|
|
Inspect:
|
|
|
|
- `app/api/**/route.*`
|
|
- server actions and shared action helpers
|
|
- `middleware.*`
|
|
- route handlers for admin, billing, webhooks, exports, file upload
|
|
- dynamic segments and rewrite/proxy behavior
|
|
|
|
Common risks:
|
|
|
|
- authorization gaps in route handlers or server actions
|
|
- assuming middleware alone is sufficient for object-level authorization
|
|
- exposing secrets through `NEXT_PUBLIC_*`
|
|
- unsafe `fetch()` to user-controlled destinations on the server
|
|
- webhook endpoints without signature checks
|
|
|
|
## React-only projects
|
|
|
|
Inspect:
|
|
|
|
- `src/contexts`, `src/providers`, auth hooks
|
|
- route guards and protected route components
|
|
- `src/services`, `src/api`, `src/lib/api*`, axios/fetch wrappers
|
|
- components rendering markdown/html/user content
|
|
- upload components, editors, and preview flows
|
|
- environment variable references in client code
|
|
|
|
Common risks:
|
|
|
|
- secrets bundled into client code
|
|
- tokens stored in `localStorage`
|
|
- assuming hidden buttons or client guards equal real authorization
|
|
- unsanitized HTML/markdown rendering
|
|
- insecure direct API calls to privileged endpoints
|
|
|
|
## Shared code and monorepos
|
|
|
|
Inspect shared packages for:
|
|
|
|
- auth helpers
|
|
- db helpers
|
|
- ai clients and prompt builders
|
|
- logging utilities
|
|
- file and URL utilities
|
|
|
|
When shared code affects multiple apps, note the likely blast radius.
|