- Request handlers
- Endpoint declaration
- User permissions and user flags
- Content types
Highest-signal areas to watch
1) Auth & session flows
- Token handling: new uses of `localStorage`/`sessionStorage`/`indexedDB`/`postMessage`, or cookies whose names match `access|auth|id|jwt|token`. Alert on tokens stored outside httpOnly cookies; watch for `SameSite=None` without `Secure`.
- OAuth/OIDC: new/changed `redirect_uri`, `post_logout_redirect_uri`, altered PKCE/state usage; addition of social login providers.
- Password reset / magic links: new endpoints with `reset`, `recovery`, `verify`, `otp`, `code`, `token`.
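The two token-handling checks above (auth-looking values written to web storage, and cookie attributes) can be automated against your own build output and response headers. The following is an added example, not code from the original page; the JS snippet and Set-Cookie values it scans are constructed samples, and the name pattern `access|auth|id|jwt|token` is the one the checklist gives.

```python
import re

# Cookie/storage key names that usually identify a credential (pattern from the checklist).
AUTH_NAME_RE = re.compile(r"(access|auth|id|jwt|token)", re.IGNORECASE)

# Web-storage write sinks: localStorage.setItem('key', ...) / sessionStorage.setItem('key', ...)
STORAGE_WRITE_RE = re.compile(r"(localStorage|sessionStorage)\.setItem\(\s*['\"]([^'\"]+)['\"]")


def find_client_storage_tokens(js_source):
    """Return (storage_api, key) pairs where an auth-looking key is written to web storage.

    Anything written here is readable by any script on the origin, unlike an httpOnly cookie.
    """
    return [
        (api, key)
        for api, key in STORAGE_WRITE_RE.findall(js_source)
        if AUTH_NAME_RE.search(key)
    ]


def check_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value.

    Flags SameSite=None without Secure (browsers reject or downgrade it), and an
    auth-named cookie that lacks HttpOnly (readable from JavaScript).
    """
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    if AUTH_NAME_RE.search(cookie_name) and "httponly" not in attrs:
        findings.append("auth cookie without HttpOnly")
    return findings


# Constructed sample bundle fragment (not from any real application).
SAMPLE_JS = """
fetch('/api/login').then(r => r.json()).then(d => {
  localStorage.setItem('jwt', d.access_token);   // credential outside an httpOnly cookie
  sessionStorage.setItem('theme', 'dark');       // benign UI state
});
"""

# Constructed sample Set-Cookie values (not from any real application).
SAMPLE_COOKIES = [
    "auth_token=abc123; Path=/; SameSite=None",                 # missing Secure and HttpOnly
    "session_id=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",   # correctly attributed
]

if __name__ == "__main__":
    print("storage sinks:", find_client_storage_tokens(SAMPLE_JS))
    for cookie in SAMPLE_COOKIES:
        print(cookie.split(";")[0], "->", check_set_cookie(cookie) or "ok")
```

Run it against a downloaded bundle and the `Set-Cookie` headers of your login and refresh endpoints; a non-empty result is a change worth a review, not necessarily a bug, since the name pattern is deliberately broad (`id` matches `session_id` as well as `guid`).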
2) Privilege & feature-controls (beyond user flags)
- Feature flags / AB tests: discovery of new flags like `enableAdmin`, `betaPayments`, `bypassKyc`. Monitor for flags checked only client-side.
- Role leakage: strings like `isStaff`, `isInternal`, `entitlements`, `scopes`. Alert when code gates UI only in JS.
3) Endpoint discovery (beyond declarations)
- Hidden APIs: scrape JS bundles for URLs with `/(wss?|https?):\\/\\/[^"' )]+/`. Include GraphQL (`/graphql`) and WebSocket endpoints.
- Method/verb expansion: watch for `DELETE`, `PUT`, `PATCH`, `OPTIONS` becoming allowed on existing paths.
- Parameter shape drift: new query/body fields, especially `role`, `price`, `discount`, `is_admin`, `user_id`, `owner_id`, `redirect`, `returnTo`.
4) Source maps & build artifacts
- Leaked source maps: `.map` files yielding readable source, comments, internal endpoints, secrets, or TODOs.
- Debug builds / env leakage: `__DEV__`, `NEXT_PUBLIC_*`, `REACT_APP_*`, Vite `import.meta.env.*` appearing with sensitive data.
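Sections 3 and 4 describe one workflow: scan each shipped bundle for URLs, source-map references and environment-variable names, then diff against the previous build. The following is an added example, not code from the original page, suitable as a pre-deploy check on your own build output; the bundle text is a constructed sample and the "secret-ish" name filter is an assumption of this example.

```python
import re

# URL pattern from the checklist, written as a Python regex (non-capturing group so
# findall returns the whole URL rather than only the scheme).
URL_RE = re.compile(r"""(?:wss?|https?)://[^"' )]+""")

# Source-map comment emitted by most bundlers: //# sourceMappingURL=<file>
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")

# Build-time environment references the checklist names.
ENV_RE = re.compile(
    r"\b(__DEV__|NEXT_PUBLIC_[A-Z0-9_]+|REACT_APP_[A-Z0-9_]+|import\.meta\.env\.[A-Za-z0-9_]+)\b"
)

# Assumed heuristic: variable names that suggest the value should never reach a client.
SECRETISH_RE = re.compile(r"(SECRET|PRIVATE|PASSWORD|KEY)", re.IGNORECASE)


def scan_bundle(js_source):
    """Extract endpoints, source-map references and env references from one bundle."""
    return {
        "urls": sorted(set(URL_RE.findall(js_source))),
        "source_maps": SOURCEMAP_RE.findall(js_source),
        "env_refs": sorted(set(ENV_RE.findall(js_source))),
    }


def sensitive_env_refs(env_refs):
    """Env references whose names suggest a secret was baked into a public build."""
    return [ref for ref in env_refs if SECRETISH_RE.search(ref)]


def diff_urls(previous_urls, current_urls):
    """Endpoints present in the current build but absent from the previous snapshot."""
    return sorted(set(current_urls) - set(previous_urls))


# Constructed sample bundle (not from any real application).
SAMPLE_BUNDLE = r"""
//# sourceMappingURL=main.abc123.js.map
const API = "https://api.example.com/v1";
const WS = 'wss://events.example.com/socket';
const GQL = "/graphql";
if (__DEV__) { console.log(NEXT_PUBLIC_STRIPE_SECRET_KEY); }
const flag = import.meta.env.VITE_ENABLE_ADMIN;
"""

# Constructed snapshot of the previous build's endpoints.
PREVIOUS_URLS = ["https://api.example.com/v1"]

if __name__ == "__main__":
    report = scan_bundle(SAMPLE_BUNDLE)
    print("new endpoints:", diff_urls(PREVIOUS_URLS, report["urls"]))
    print("source maps shipped:", report["source_maps"])
    print("sensitive env refs:", sensitive_env_refs(report["env_refs"]))
```

Relative paths such as `/graphql` are not caught by the URL pattern (it requires a scheme), so pair this with a second pass over string literals if your app uses same-origin paths. Shipping a `sourceMappingURL` is only a problem when the `.map` file is actually served; the check tells you where to look, and a `HEAD` request on that path confirms it.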
5) Client-side sinks & sanitization