SchmiemanDev
Cyber Security
2026-03-20

Security Assessment & Pre-Release Audit

A comprehensive security audit of a full-stack web application, identifying and remediating critical vulnerabilities in access control, state management, and API exposure.

Tags: Application Security, Penetration Testing, RBAC, XSS Mitigation, API Hardening, Node.js

Before the official release of a client's web application, I conducted a thorough security assessment to identify potential risks and vulnerabilities. The audit focused on the backend API architecture and frontend state management, ensuring the platform met modern security standards before handling real user data.

Project Overview

The objective was to perform a Manual Secure Code Review and dynamic API testing. I aimed to identify flaws that could lead to unauthorized data access, session hijacking, or information leakage. The assessment uncovered several critical issues that required immediate remediation to ensure a secure production environment.

Core Challenges

The initial audit revealed several structural security weaknesses:

  • Broken Access Control: Administrative routes were accessible to any authenticated user, regardless of their role, exposing sensitive user and order data.
  • Insecure Data Storage: High-sensitivity data, including authentication tokens and user details, was stored in client-side state readable by JavaScript, so any Cross-Site Scripting (XSS) flaw would let an injected script read and exfiltrate it.
  • API Over-exposure: The API was configured with overly permissive CORS policies and exposed internal database fields, providing a larger attack surface for malicious actors.

Engineering the Solution

I implemented a series of security enhancements to harden both the frontend and backend:

  • Role-Based Access Control (RBAC): I refactored the backend middleware to enforce strict "admin" and "superAdmin" roles, ensuring that sensitive management endpoints are only accessible to authorized personnel.
  • Secure State Management: I migrated the storage of sensitive authentication tokens to HttpOnly cookies. This architectural change prevents JavaScript-based access to tokens, effectively neutralizing the risk of token theft via XSS.
  • API Hardening: I restricted CORS to trusted origins and implemented explicit field selection for database queries. This ensures that internal system metadata and sensitive user fields are never leaked in API responses.
  • Production Sanitization: I identified and removed exposed debug and test endpoints that were active in the production environment, reducing the overall footprint of the application.
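The measures above, condensed into one added Node.js example. This is illustrative code written for this page, not the client's application; the role names, public field list, trusted origin and cookie name are assumptions.

```javascript
// Added example of the hardening pattern described above; not the client's code.
// Roles allowed on management endpoints. Deny-by-default: a role not in the set
// (including a newly introduced one) never reaches admin routes.
const ADMIN_ROLES = new Set(['admin', 'superAdmin']);

// Pure authorization check: true only when the user's role is in the allow-set.
function isAuthorized(user, allowedRoles) {
  return Boolean(user && typeof user.role === 'string' && allowedRoles.has(user.role));
}

// Express-style middleware. req.user is assumed to be set by an earlier step that
// validated the session cookie. Unauthenticated -> 401, under-privileged -> 403.
function requireRole(allowedRoles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'authentication required' });
    if (!isAuthorized(req.user, allowedRoles)) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Explicit field selection: responses are built from an allow-list of keys, so
// internal fields (password hashes, ORM metadata, notes) never leave the API.
const PUBLIC_USER_FIELDS = ['id', 'email', 'displayName', 'role'];  // assumed schema
function project(doc, fields) {
  const out = {};
  for (const key of fields) if (key in doc) out[key] = doc[key];
  return out;
}

// CORS: only an exact match against a fixed list is reflected. An unknown origin
// gets no Access-Control-Allow-Origin header at all, so the browser blocks it.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);  // assumed origin
function corsHeaders(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',  // keep caches from serving one origin's ACAO to another
  };
}

// Session cookie: HttpOnly keeps the token out of document.cookie (the XSS fix);
// Secure and SameSite=Strict limit where the browser will send it.
function sessionCookie(token, maxAgeSec) {
  return `session=${encodeURIComponent(token)}; Max-Age=${maxAgeSec}; Path=/; ` +
    'HttpOnly; Secure; SameSite=Strict';
}
```

Wire `requireRole(ADMIN_ROLES)` in front of every management route and `project(doc, PUBLIC_USER_FIELDS)` at the point a record is serialized, so both checks are applied in one place rather than per handler.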

Operational Impact

By addressing these findings prior to launch, the application’s security posture was significantly strengthened. The implementation of RBAC and secure cookie-based authentication provided a robust defense against unauthorized access and session hijacking. These proactive measures ensured that the platform could safely handle sensitive transactions and user data from day one.