vercel/next.js · PR #12345
feat: add security headers middleware
🧪 This is a synthetic test review. Approving comments will NOT post to GitHub — it just confirms the pipeline works end-to-end.
📄 middleware/security.ts
line 42 (RIGHT)
**[HIGH] Potential XSS via innerHTML**

This line uses `innerHTML` with unsanitized user input (`req.body`). An attacker could inject `<script>` tags or event handlers. Use `textContent` or a sanitization library instead.

```ts
import DOMPurify from "dompurify";

// Recommended fix: treat the value as text, never as markup.
element.textContent = userInput;
// Or, if markup must be preserved, sanitize before assigning it:
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;
```
line 67 (RIGHT)
**[MEDIUM] Missing CSRF token validation**

This form handler does not verify a CSRF token. POST requests from malicious sites can forge submissions. Add CSRF middleware before processing.
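As an added example of what "verify a CSRF token" means in practice (this is not the PR's code and not an API of Next.js), here is a session-bound double-submit check: the token is a random nonce plus an HMAC over the session id and nonce, sent both as a cookie and as a request header, and a state-changing request is rejected unless both copies match and the HMAC verifies. `MinimalRequest`, `issueCsrfToken` and `verifyCsrf` are hypothetical names; the request objects are constructed inline.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed request shape so the example runs without Next.js; a real handler
// would read the same fields from the framework's request object.
export interface MinimalRequest {
  method: string;
  headers: Record<string, string | undefined>; // lower-cased header names
  cookies: Record<string, string | undefined>;
}

export const CSRF_COOKIE = "csrf-token";
export const CSRF_HEADER = "x-csrf-token";
// Methods that must not change state and therefore need no token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function mac(secret: string, sessionId: string, nonce: string): string {
  return createHmac("sha256", secret).update(`${sessionId}.${nonce}`).digest("hex");
}

/** Length-checked constant-time string comparison (timingSafeEqual needs equal lengths). */
function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

/** Mint a token bound to this session: "<nonce>.<hmac>". Set it as a cookie and expose it to the page. */
export function issueCsrfToken(secret: string, sessionId: string): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${mac(secret, sessionId, nonce)}`;
}

/**
 * Accept the request only if it is a safe method, or the header token equals the
 * cookie token and its HMAC was produced for this session. A cross-site form post
 * carries the cookie automatically but cannot set a custom header, so it fails here.
 */
export function verifyCsrf(req: MinimalRequest, secret: string, sessionId: string): boolean {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  const fromCookie = req.cookies[CSRF_COOKIE];
  const fromHeader = req.headers[CSRF_HEADER];
  if (!fromCookie || !fromHeader) return false;
  if (!constantTimeEqual(fromCookie, fromHeader)) return false;
  const [nonce, tag] = fromHeader.split(".");
  if (!nonce || !tag) return false;
  return constantTimeEqual(tag, mac(secret, sessionId, nonce));
}

/** Example handler wrapper: reject before any state-changing work happens. */
export function handleFormPost(req: MinimalRequest, secret: string, sessionId: string): number {
  if (!verifyCsrf(req, secret, sessionId)) return 403;
  // ... process the submission ...
  return 200;
}
```

The session binding matters: a plain double-submit cookie can be defeated by an attacker who can set a cookie for the site (for example from a subdomain), whereas a token whose HMAC covers the victim's session id cannot be minted without the server secret.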
📄 utils/auth.js
line 12 (RIGHT)
**[HIGH] Hardcoded API key in source**

`API_KEY` appears to be hardcoded here. Move secrets to environment variables. They will be logged or leaked if this code is ever committed to a public repo.