- Context: Cloud
- Category: Vulnerability
- Severity: High
Evidence
next.config.ts contains only the minimal configuration below (the type import and default export are required for the file to compile and be picked up by Next.js; they do not change the finding):

```typescript
// next.config.ts
import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  reactStrictMode: true,
};

export default nextConfig;
```
No headers() configuration is present. As a result:
| Missing control | Risk |
|---|---|
| Rate limiting on /api/* | Abuse of Valyu/OpenAI API keys by any client; DoS via credit exhaustion |
| Content-Security-Policy | Increases XSS impact severity (token theft from localStorage) |
| Strict-Transport-Security | Browser does not enforce HTTPS on subsequent loads |
| X-Frame-Options / frame-ancestors | Clickjacking attacks possible |
| CORS policy | Any website can make cross-origin requests to the API routes |
| X-Content-Type-Options | MIME-sniffing attacks |
API routes such as /api/events (POST), /api/reports (POST), and /api/entities (GET) are callable by any origin with no restriction. An attacker who discovers the endpoint can exhaust Valyu and OpenAI credits by submitting bulk requests.
Affected files: next.config.ts
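A next.config.ts that sets the response headers listed above, as an added example rather than the project's own code. The allowed CORS origin https://app.example.com and the CSP source list are assumptions, and the minimal local types stand in for Next's NextConfig import so the snippet runs stand-alone; rate limiting is not a header and still needs middleware in front of /api/*.

```typescript
// Added example, not the project's code. In the real file the types come from
// `import type { NextConfig } from "next"`; local stand-ins keep this self-contained.
type HeaderEntry = { key: string; value: string };
type HeaderRule = { source: string; headers: HeaderEntry[] };

// Header set applied to every route. The CSP is a strict starting point:
// 'self' must be widened to the origins the app actually loads from.
export function securityHeaders(): HeaderEntry[] {
  return [
    { key: "Content-Security-Policy",
      value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" },
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
  ];
}

// CORS for the API routes: one trusted origin instead of the implicit "any website".
// allowedOrigin is an assumed placeholder value, not taken from the finding.
export function apiCorsHeaders(allowedOrigin: string): HeaderEntry[] {
  return [
    { key: "Access-Control-Allow-Origin", value: allowedOrigin },
    { key: "Access-Control-Allow-Methods", value: "GET, POST, OPTIONS" },
    { key: "Vary", value: "Origin" },
  ];
}

// Defender's check: given the headers observed on a response, report which of
// the required security headers are absent (header names are case-insensitive).
export function missingSecurityHeaders(actual: HeaderEntry[]): string[] {
  const present = new Set(actual.map((h) => h.key.toLowerCase()));
  return securityHeaders()
    .map((h) => h.key)
    .filter((k) => !present.has(k.toLowerCase()));
}

const nextConfig = {
  reactStrictMode: true,
  // Rate limiting on /api/* cannot be expressed here; it belongs in middleware.
  async headers(): Promise<HeaderRule[]> {
    return [
      { source: "/(.*)", headers: securityHeaders() },
      { source: "/api/:path*", headers: apiCorsHeaders("https://app.example.com") },
    ];
  },
};

export default nextConfig;
```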