A project with 12 API routes and no centralized security middleware layer means security decisions are made (or forgotten) per-route. OWASP A05 (Security Misconfiguration) describes the systemic risk: when there is no single chokepoint, individual routes can omit headers, skip auth checks, or miss rate limits without any centralized catch. This is an architectural signal — it doesn't mean every route is insecure, but it means there is no structural guarantee.
Severity is info because the absence of a security middleware layer increases the probability of per-route omissions but does not by itself confirm exploitability.
Create a centralized security middleware layer that every request passes through. For Next.js, use middleware.ts at the project root:
// middleware.ts (project root); runs on every request matched by config.matcher below
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
export function middleware(request: NextRequest) {
  // Let the request proceed, then attach baseline security headers to the response
  const response = NextResponse.next()
  response.headers.set('X-Content-Type-Options', 'nosniff') // disable MIME-type sniffing
  response.headers.set('X-Frame-Options', 'DENY') // never render in a frame (clickjacking)
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin') // limit referrer leakage
  return response
}
// Only API routes are covered; widen the matcher if pages need the same headers
export const config = { matcher: '/api/:path*' }
For Express, mount security middleware (helmet(), rate limiting, CORS) before any route definitions in src/server.ts or src/app.ts.
ID: ai-slop-security-theater.unapplied-middleware.security-middleware-export-detected
Severity: info
What to look for: Walk source files for the presence of a middleware.ts/middleware.js file at the project root or under src/ (Next.js convention) OR an Express/Fastify/Koa server entry point that calls .use(...) at least once with what appears to be a security-related middleware (helmet, cors, csurf, rate limiter, custom auth, custom CSRF). Count all .use(...) calls AND whether any of them reference known security libraries.
Pass criteria: Either middleware.ts exists (Next.js) OR at least 1 .use(...) call referencing a security library is found. Report: "Security middleware detected: [type] — [N] .use() calls referencing security libraries."
Fail criteria: No middleware.ts AND no .use(...) calls reference any security library AND the project has any API routes.
Skip (N/A) when: Project has 0 API routes (static site, no server-side code).
Detail on fail: "No middleware.ts and no .use() calls reference security libraries. The project has 12 API routes but no centralized security middleware layer."
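As an added example (not the scanner's own code), a minimal TypeScript implementation of the detection and pass/fail/skip rules above over an in-memory project snapshot; the security-library substring list, the route-counting patterns and the sample source files are assumptions constructed for illustration:

```typescript
// Added example (not the scanner's own code): this check's pass/fail/skip logic
// over an in-memory project snapshot; paths are relative to the repo root.
type Files = Record<string, string>;
// Substrings that mark a .use(...) argument as security-related (assumed list).
const SECURITY_LIBS = ['helmet', 'cors', 'csurf', 'csrf', 'rate-limit', 'ratelimit', 'auth'];
// Next.js convention: middleware.ts/.js at the project root or directly under src/.
function hasNextMiddleware(files: Files): boolean {
  return Object.keys(files).some((p) => /^(src\/)?middleware\.(ts|js)$/.test(p));
}
// Count every .use(...) call and how many of them reference a security library.
function countUseCalls(files: Files): { total: number; security: number } {
  let total = 0, security = 0;
  for (const path of Object.keys(files)) {
    const re = /\.use\(([^)]*)\)/g; // fresh regex per file so lastIndex starts at 0
    let m: RegExpExecArray | null;
    while ((m = re.exec(files[path])) !== null) {
      total++;
      const arg = m[1].toLowerCase();
      if (SECURITY_LIBS.some((lib) => arg.includes(lib))) security++;
    }
  }
  return { total, security };
}

// Rough API-route count: Next.js route files plus Express-style app/router verb handlers.
function countApiRoutes(files: Files): number {
  let n = 0;
  for (const path of Object.keys(files)) {
    if (/^(src\/)?(pages\/api\/.*\.(ts|js)|app\/api\/.*\/route\.(ts|js))$/.test(path)) n++;
    const handlers = files[path].match(/\b(?:app|router)\.(?:get|post|put|patch|delete)\(/g);
    n += handlers ? handlers.length : 0;
  }
  return n;
}

function checkSecurityMiddleware(files: Files): { status: 'pass' | 'fail' | 'skip'; detail: string } {
  const routes = countApiRoutes(files);
  if (routes === 0) return { status: 'skip', detail: 'Project has 0 API routes.' };
  const next = hasNextMiddleware(files);
  const use = countUseCalls(files);
  if (!next && use.security === 0) {
    return { status: 'fail', detail: `No middleware.ts and no .use() calls reference security libraries. The project has ${routes} API routes but no centralized security middleware layer.` };
  }
  const kind = next ? 'Next.js middleware.ts' : 'Express .use()';
  return { status: 'pass', detail: `Security middleware detected: ${kind} - ${use.security} .use() calls referencing security libraries.` };
}
// Constructed samples: an Express app with only a body parser (fails) and with helmet()/cors() mounted (passes).
const SERVER = "app.use(express.json())\napp.get('/api/users', list)\napp.post('/api/users', create)\n";
const SAMPLE_FAIL: Files = { 'src/server.ts': SERVER };
const SAMPLE_PASS: Files = { 'src/app.ts': "app.use(helmet())\napp.use(cors())\n", 'src/server.ts': SERVER };
```

Run `checkSecurityMiddleware(SAMPLE_FAIL)` and `checkSecurityMiddleware(SAMPLE_PASS)` to see the fail and pass details; a file map with no route files and no verb handlers yields the skip result.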
Remediation: Centralizing security in middleware ensures every request goes through the same checks. For Next.js, create middleware.ts:
// middleware.ts (project root); every request passes through here before reaching a route
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
export function middleware(request: NextRequest) {
  // Let the request proceed, then attach baseline security headers to the response
  const response = NextResponse.next()
  response.headers.set('X-Content-Type-Options', 'nosniff') // disable MIME-type sniffing
  response.headers.set('X-Frame-Options', 'DENY') // never render in a frame (clickjacking)
  return response
}
For Express, mount security middleware before route handlers.