At least one security middleware export is detected
Why it matters
A project with 12 API routes and no centralized security middleware layer means security decisions are made (or forgotten) per-route. OWASP A05 (Security Misconfiguration) describes the systemic risk: when there is no single chokepoint, individual routes can omit headers, skip auth checks, or miss rate limits without any centralized catch. This is an architectural signal — it doesn't mean every route is insecure, but it means there is no structural guarantee.
Severity rationale
Info because the absence of a security middleware layer increases the probability of per-route omissions but does not directly confirm exploitability.
Remediation
Create a centralized security middleware layer that every request passes through. For Next.js, use middleware.ts at the project root:
```ts
// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

// Single chokepoint: every request matched by `config.matcher` passes through here.
export function middleware(request: NextRequest) {
  const response = NextResponse.next()
  // Baseline hardening headers applied uniformly, so no route can forget them.
  response.headers.set('X-Content-Type-Options', 'nosniff')
  response.headers.set('X-Frame-Options', 'DENY')
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
  return response
}

// Restrict the middleware to API routes; widen the matcher if pages need the same headers.
export const config = { matcher: '/api/:path*' }
```
For Express, mount security middleware (helmet(), rate limiting, CORS) before any route definitions in src/server.ts or src/app.ts.
Detection
- ID: security-middleware-export-detected
- Severity: info
- What to look for: Walk source files for the presence of a `middleware.ts`/`middleware.js` file at the project root or under `src/` (Next.js convention) OR an Express/Fastify/Koa server entry point that calls `.use(...)` at least once with what appears to be a security-related middleware (helmet, cors, csurf, rate limiter, custom auth, custom CSRF). Count all `.use(...)` calls AND whether any of them reference known security libraries.
- Pass criteria: Either `middleware.ts` exists (Next.js) OR at least 1 `.use(...)` call referencing a security library is found. Report: "Security middleware detected: [type] — [N] .use() calls referencing security libraries."
- Fail criteria: No `middleware.ts` AND no `.use(...)` calls reference any security library AND the project has any API routes.
- Skip (N/A) when: Project has 0 API routes (static site, no server-side code).
- Detail on fail: "No middleware.ts and no .use() calls reference security libraries. The project has 12 API routes but no centralized security middleware layer."
- Remediation: Centralizing security in middleware ensures every request goes through the same checks. For Next.js, create `middleware.ts`:

  ```ts
  // middleware.ts
  import { NextResponse } from 'next/server'
  import type { NextRequest } from 'next/server'

  export function middleware(request: NextRequest) {
    const response = NextResponse.next()
    response.headers.set('X-Content-Type-Options', 'nosniff')
    response.headers.set('X-Frame-Options', 'DENY')
    return response
  }
  ```

  For Express, mount security middleware before route handlers.
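The pass/fail/skip logic above, as an added example that is not the scanner's own code: it runs the check over an in-memory project (a map of relative file paths to source text), with the security-library names, server entry-point names and route-counting heuristics being assumptions made for this demo.

```javascript
// Added example (not the scanner's own code): evaluates the check above over an
// in-memory project, a map of relative file paths to source text. The library
// names, entry-point names and route heuristics are assumptions for this demo.
const SECURITY_LIBS = ['helmet', 'cors', 'csurf', 'csrf', 'ratelimit', 'limiter', 'auth'];
const NEXT_MIDDLEWARE = ['middleware.ts', 'middleware.js', 'src/middleware.ts', 'src/middleware.js'];
const SERVER_ENTRY = /^(src\/)?(server|app|index)\.(ts|js)$/;

// Route count heuristic: Next.js files under pages/api or app/api, plus
// Express-style verb handlers registered with a string path.
function countApiRoutes(files) {
  let n = 0;
  for (const [path, src] of Object.entries(files)) {
    if (/^(src\/)?(pages|app)\/api\//.test(path)) n++;
    n += (src.match(/\.(get|post|put|delete|patch)\(\s*['"]\//g) || []).length;
  }
  return n;
}

function evaluateSecurityMiddleware(files) {
  const routes = countApiRoutes(files);
  if (routes === 0) return { status: 'skip', routes, detail: 'Project has 0 API routes.' };
  const nextFile = NEXT_MIDDLEWARE.find((p) => p in files);
  let useCalls = 0;
  let securityUseCalls = 0;
  for (const [path, src] of Object.entries(files)) {
    if (!SERVER_ENTRY.test(path)) continue;            // only server entry points count
    for (const m of src.matchAll(/\.use\(([^)]*)/g)) {  // capture text up to the first ')'
      useCalls++;
      const arg = m[1].toLowerCase();
      if (SECURITY_LIBS.some((lib) => arg.includes(lib))) securityUseCalls++;
    }
  }
  const counts = { routes, useCalls, securityUseCalls };
  if (nextFile || securityUseCalls > 0) {
    const type = nextFile ? `Next.js ${nextFile}` : 'Express-style .use()';
    return { status: 'pass', ...counts,
      detail: `Security middleware detected: ${type}; ${securityUseCalls} .use() calls referencing security libraries.` };
  }
  return { status: 'fail', ...counts,
    detail: `No middleware.ts and no .use() calls reference security libraries. The project has ${routes} API routes but no centralized security middleware layer.` };
}

// Constructed sample projects (not real code bases).
const EXPRESS_OK = { 'src/server.ts': "app.use(express.json())\napp.use(helmet())\napp.use(cors())\napp.get('/api/users', list)\napp.post('/api/users', create)\n" };
const EXPRESS_FAIL = { 'src/server.ts': "app.use(express.json())\napp.get('/api/health', ok)\n" };
const NEXT_OK = { 'middleware.ts': 'export function middleware() {}', 'pages/api/hello.ts': 'export default (req, res) => res.end()' };
console.log(evaluateSecurityMiddleware(EXPRESS_OK).status, evaluateSecurityMiddleware(EXPRESS_FAIL).status);
```

The regex-based matching is intentionally coarse, in keeping with the rule's "what appears to be" wording; a real scanner would parse the AST to avoid matching `.use(` inside strings or comments.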
External references
- owasp:2021 · A05 — Security Misconfiguration
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ai-slop-security-theater·automated