Files

69 lines
1.8 KiB
Markdown

# Framework Coverage Matrix
## Next.js Pages Router
Inspect:
- `pages/api/**`
- `pages/**` forms that mutate state
- auth middleware or wrappers
- custom server or API helpers
- database and service layers under `lib/`, `src/lib/`, `utils/`
Common risks:
- missing input validation on `req.body`, `req.query`, `req.cookies`
- auth present in UI but absent in API route
- raw SQL, raw prisma calls, unsafe shell execution
- weak CORS or no rate limiting
- JWTs in browser storage
## Next.js App Router
Inspect:
- `app/api/**/route.*`
- server actions and shared action helpers
- `middleware.*`
- route handlers for admin, billing, webhooks, exports, file upload
- dynamic segments and rewrite/proxy behavior
Common risks:
- authorization gaps in route handlers or server actions
- assuming middleware alone is sufficient for object-level authorization
- exposing secrets through `NEXT_PUBLIC_*`
- unsafe `fetch()` to user-controlled destinations on the server
- webhook endpoints without signature checks
## React-only projects
Inspect:
- `src/contexts`, `src/providers`, auth hooks
- route guards and protected route components
- `src/services`, `src/api`, `src/lib/api*`, axios/fetch wrappers
- components rendering markdown/html/user content
- upload components, editors, and preview flows
- environment variable references in client code
Common risks:
- secrets bundled into client code
- tokens stored in `localStorage`
- assuming hidden buttons or client guards equal real authorization
- unsanitized HTML/markdown rendering
- insecure direct API calls to privileged endpoints
## Shared code and monorepos
Inspect shared packages for:
- auth helpers
- db helpers
- ai clients and prompt builders
- logging utilities
- file and URL utilities
When shared code affects multiple apps, note the likely blast radius.