GDPR Art. 12(1) requires that privacy information be "easily accessible" — meaning accessible before users provide personal data, without requiring account creation. GDPR Art. 13 requires this disclosure at the point of collection. CCPA §1798.130(a)(5)(A) independently requires the privacy policy to be accessible to consumers "upon request" without authentication barriers. CWE-284 (Improper Access Control) classifies gating public legal information behind authentication as an access control defect. If legal pages are only visible after login, users cannot review the terms they are agreeing to before agreeing — which courts and regulators treat as coercive.
High because gating privacy disclosures behind authentication violates GDPR Art. 12 and Art. 13 simultaneously, making every data collection event on the platform potentially unlawful.
Explicitly exclude all legal page routes from your authentication middleware in middleware.ts. Never rely on a default-allow pattern — name the routes explicitly.
```typescript
// middleware.ts — explicitly exclude legal pages
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

// Routes that never require a session; name each one, never rely on default-allow
const PUBLIC_ROUTES = [
  '/',
  '/login',
  '/register',
  '/terms',
  '/privacy',
  '/privacy-policy',
  '/refund-policy',
  '/acceptable-use',
  '/dmca',
  '/legal',
]

export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl
  // Exact match or a sub-path; the trailing slash in `${route}/` keeps '/terms'
  // from also making '/termsandconditions' public
  const isPublic = PUBLIC_ROUTES.some(
    route => pathname === route || pathname.startsWith(`${route}/`)
  )
  if (isPublic) return NextResponse.next()
  // ... your existing auth check
}
```
Verify by visiting /terms, /privacy, and any other legal routes in an incognito window with no session cookies. Each must return page content, not a login redirect.
ID: legal-pages-compliance.accessibility-currency.accessible-without-auth
Severity: high
What to look for: Enumerate every relevant item. Check the authentication middleware or route protection configuration for the application. In Next.js, look at middleware.ts (or middleware.js) for the matcher config — does it include /terms, /privacy, /refund-policy, or /legal/* in protected routes? Check whether legal pages redirect unauthenticated users to a login page. Attempt to access legal page routes without authentication in your analysis. For server-rendered pages, check if the page component calls getServerSession, auth(), requireAuth(), or similar and redirects if no session is found. For SPAs, check whether the router guards in the client-side routing block these routes. Legal pages must always be publicly accessible — GDPR and consumer protection laws require that privacy policies be accessible before users create an account.
Pass criteria: At least 1 of the following conditions is met. All legal pages (Terms of Service, Privacy Policy, Refund Policy, AUP, DMCA if applicable) are accessible without authentication. Navigating to any legal page route without a session returns the page content, not a redirect to login.
Fail criteria: Any legal page redirects to the login page when accessed without authentication. Legal pages are only visible to logged-in users. The middleware config inadvertently includes legal page routes in its protected set.
Skip (N/A) when: No legal pages exist in the project at all (no /terms, /privacy, /refund, /aup, /dmca or equivalent routes). If the application has no legal pages, there is nothing to check for accessibility — the absence of legal pages is covered by the required-pages checks. Do NOT skip based on absence of an auth dependency in package.json; many applications use route groups or middleware for access control even with minimal auth library footprint. Evaluate whether the routes that do exist are accessible.
Detail on fail: Specify which pages are affected. Example: "Middleware matcher pattern '/((?!_next|api).*)' matches all routes including /terms and /privacy, redirecting unauthenticated users to login. Legal pages not publicly accessible." or "Privacy Policy route checks for session and redirects to /login if not authenticated."
Remediation: Exclude legal pages from authentication middleware:
```typescript
// middleware.ts — exclude legal pages from auth requirements
// (Next.js 16 renames this file to proxy.ts and the export to `proxy`; on
// earlier versions the file must export `middleware` or it is never invoked)
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

// Public routes that never require authentication
const PUBLIC_ROUTES = [
  '/',
  '/login',
  '/register',
  '/terms',
  '/privacy',
  '/privacy-policy',
  '/refund-policy',
  '/acceptable-use',
  '/dmca',
  '/legal',
  // Add any sub-routes of /legal as needed
]

export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl
  // Exact match or a sub-path of a public route
  const isPublic = PUBLIC_ROUTES.some(route =>
    pathname === route || pathname.startsWith(`${route}/`)
  )
  if (isPublic) return NextResponse.next()
  // ... your existing auth check
}

// The matcher still runs the middleware for every app route (only static assets
// and API routes are skipped); the allow-list above is what makes legal pages public
export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico|api/).*)'],
}
```
Verify by visiting each legal page route in an incognito/private browser window with no cookies set.
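The following is an added example, not code from the rule text above or from Next.js: a standalone checker that reproduces the middleware's public-route matching as a pure function and automates the verification step (every legal route must return content, not a redirect to login) against an injected fetcher, so it runs offline. The route list mirrors the page; the `sampleFetcher` responses and the set of login-page path names it recognises are constructed assumptions. A 404 is reported as `skip` rather than `fail`, matching the rule's note that missing legal pages belong to the required-pages checks.

```typescript
// Added example (not from the original rule): offline check of the
// public-route logic and the "no redirect to login" verification.

const PUBLIC_ROUTES: string[] = [
  '/', '/login', '/register', '/terms', '/privacy', '/privacy-policy',
  '/refund-policy', '/acceptable-use', '/dmca', '/legal',
];

// Same rule as the middleware: exact match or a sub-path. Accepts a full
// request path, so query string and fragment are stripped first (nextUrl.pathname
// already has them removed). '/terms' must NOT make '/termsandconditions' public.
function isPublicPath(requestPath: string): boolean {
  const path = requestPath.split('?')[0].split('#')[0];
  return PUBLIC_ROUTES.some(r => path === r || path.startsWith(`${r}/`));
}

interface ProbeResponse { status: number; location?: string }
type Fetcher = (path: string) => Promise<ProbeResponse>;
type Verdict = 'pass' | 'fail' | 'skip';
interface RouteResult { path: string; verdict: Verdict; reason: string }

// Assumed login-page path names; extend for your app's auth routes.
const LOGIN_PATH = /\/(login|signin|sign-in|auth)(\/|\?|$)/;

// Pass: 2xx content with no session. Fail: a 3xx whose Location is a login page,
// or any other non-content status. Skip: the route does not exist (404).
async function checkLegalRoutes(fetcher: Fetcher, routes: string[]): Promise<RouteResult[]> {
  const results: RouteResult[] = [];
  for (const path of routes) {
    const res = await fetcher(path);
    const loc = res.location ?? '';
    if (res.status >= 300 && res.status < 400 && LOGIN_PATH.test(loc)) {
      results.push({ path, verdict: 'fail', reason: `redirects unauthenticated users to ${loc}` });
    } else if (res.status === 404) {
      results.push({ path, verdict: 'skip', reason: 'route does not exist (see required-pages checks)' });
    } else if (res.status >= 200 && res.status < 300) {
      results.push({ path, verdict: 'pass', reason: 'returns page content without a session' });
    } else {
      results.push({ path, verdict: 'fail', reason: `unexpected status ${res.status}` });
    }
  }
  return results;
}

// Constructed sample deployment: /terms was already excluded from auth, but the
// catch-all matcher still bounces /privacy to login, and /refund-policy is absent.
const sampleFetcher: Fetcher = async (path) => {
  const table: Record<string, ProbeResponse> = {
    '/terms': { status: 200 },
    '/privacy': { status: 307, location: '/login?callbackUrl=%2Fprivacy' },
    '/refund-policy': { status: 404 },
  };
  return table[path] ?? { status: 404 };
};

// One-line verdict in the "Detail on fail" style: name every affected page.
function summarize(results: RouteResult[]): string {
  const failing = results.filter(r => r.verdict === 'fail');
  if (failing.length === 0) return 'PASS: all existing legal routes are accessible without authentication';
  return 'FAIL: ' + failing.map(r => `${r.path} ${r.reason}`).join('; ');
}

checkLegalRoutes(sampleFetcher, ['/terms', '/privacy', '/refund-policy'])
  .then(results => console.log(summarize(results)));
```

For a live run against a staging deployment, pass a fetcher built on `fetch(url, { redirect: 'manual' })` with no cookies, so the 3xx and its Location header reach the checker instead of being followed. Note the limit of this probe: a client-side router guard (the SPA case in the rule) can return 200 and still render a login screen, so that variant has to be verified in a cookieless browser window as the rule describes.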