The environment secrets file at /.env is served publicly and was returned with HTTP 200 and plausible content, potentially leaking secrets, source code, or infrastructure details.
Fix. Block access to dotfiles, VCS metadata, backups, and config from the web root. Serve only intended public assets.
Appending a quote character to this parameter produced a database error signature in the response, indicating input is concatenated into a SQL statement.
Fix. Use parameterized queries or prepared statements. Never build SQL by string concatenation, and suppress verbose database errors in responses.
A unique probe injected into this parameter was reflected in the HTML response without encoding, so attacker-controlled markup executes in the victim's browser.
Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
The response reflects an attacker-supplied Origin into Access-Control-Allow-Origin while also allowing credentials, letting a malicious site read authenticated responses.
Fix. Validate Origin against a strict server-side allowlist and never combine a wildcard or reflected origin with Access-Control-Allow-Credentials: true.
No Content-Security-Policy header was returned. CSP is the primary defense-in-depth control against cross-site scripting and data injection in the browser.
Fix. Set a Content-Security-Policy that restricts script and object sources to trusted origins.