NIST AU-2 requires that systems generate audit records for events sufficient to support incident investigation, and a health check endpoint is the single most important hook for external monitoring and orchestration systems. Without a dedicated health endpoint, uptime monitors are forced to check your homepage — which may return 200 even when your database is unreachable or your API is broken. Load balancers and container orchestrators (ECS, Kubernetes, Fly.io) also depend on health endpoints to route traffic and restart failed instances. A missing health check means your monitoring tools and infrastructure cannot reliably determine whether your application is actually functional.
Medium: without a health endpoint, uptime monitors check the wrong signal and load balancers cannot automatically isolate degraded instances.
Create a health endpoint at a standard path that returns HTTP 200 when the application is operational.
For Next.js App Router, create app/api/health/route.ts:
import { NextResponse } from 'next/server'

export async function GET() {
  // Optional: verify DB connectivity
  // try {
  //   await db.execute('SELECT 1')
  // } catch {
  //   return NextResponse.json({ status: 'error', reason: 'db' }, { status: 503 })
  // }
  return NextResponse.json({
    status: 'ok',
    timestamp: new Date().toISOString()
  })
}
Point your uptime monitor to https://yourapp.com/api/health and configure it to expect HTTP 200. For deeper health checks, add database and cache connectivity probes so the monitor fails fast when dependencies are down rather than when the load balancer times out.
ID: saas-logging.monitoring.health-check-endpoint
Severity: medium
What to look for: Enumerate all relevant files and search for a health check endpoint route. Look for app/api/health/route.ts, app/api/healthz/route.ts, pages/api/health.ts, pages/api/healthz.ts, or a route that responds to GET /health, /healthz, /ping, or /status. The endpoint should return a 200 OK response when the application is healthy. As a bonus check: does it verify downstream dependencies (database connectivity, cache) or only return a static response?
Pass criteria: At least one implementation must be present: a dedicated health check endpoint that returns HTTP 200 when the application is running. The endpoint is at a predictable path (/api/health, /api/healthz, /health, /healthz, or /ping).
Fail criteria: No health check endpoint found at any standard path.
Skip (N/A) when: Never — every application with an uptime monitor needs a health check endpoint.
Detail on fail: "No health check endpoint found at /api/health, /api/healthz, /health, /healthz, or /ping"
Remediation: A health check endpoint is the target for your uptime monitor and load balancer. Without one, uptime monitors check your homepage (which may succeed even if your API is broken) or have nothing to check at all.
For Next.js App Router, create app/api/health/route.ts:
import { NextResponse } from 'next/server'

export async function GET() {
  // Optionally check database connectivity:
  // try { await db.execute('SELECT 1') } catch { return NextResponse.json({ status: 'error' }, { status: 503 }) }
  return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
}
Point your uptime monitor to https://yourapp.com/api/health. The monitor should expect a 200 status code.
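The "deeper health check" both remediation sections describe (dependency probes that fail fast instead of waiting for the load balancer timeout) is shown below as an added, framework-agnostic example; it is not part of the rule text or any project's code. The probe names, the default timeout, and the db/redis wiring in the trailing comment are assumptions.

```typescript
export type Probe = () => Promise<void>; // resolves if the dependency answered, rejects otherwise
export type CheckResult = { name: string; ok: boolean; ms: number };
export type HealthReport = {
  status: 'ok' | 'degraded';
  timestamp: string;
  checks: CheckResult[];
  httpStatus: 200 | 503;
};

// Race a probe against a deadline so a hung database socket cannot make the
// endpoint itself hang until the load balancer gives up on it.
function withTimeout(probe: Probe, ms: number): Promise<void> {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => reject(new Error('timeout')), ms);
    Promise.resolve().then(probe).then(
      () => { clearTimeout(timer); resolve(); },
      (err) => { clearTimeout(timer); reject(err); },
    );
  });
}

// Run every probe in parallel; the endpoint is healthy only if all of them pass.
export async function runHealthChecks(
  probes: Record<string, Probe>,
  timeoutMs = 2000, // assumed default; tune below your monitor's own timeout
): Promise<HealthReport> {
  const checks = await Promise.all(
    Object.entries(probes).map(async ([name, probe]): Promise<CheckResult> => {
      const started = Date.now();
      try {
        await withTimeout(probe, timeoutMs);
        return { name, ok: true, ms: Date.now() - started };
      } catch {
        // Only the boolean is reported: the endpoint is reachable by anyone who
        // can reach the app, so driver errors and hostnames are not echoed back.
        return { name, ok: false, ms: Date.now() - started };
      }
    }),
  );
  const healthy = checks.every((c) => c.ok);
  return {
    status: healthy ? 'ok' : 'degraded',
    timestamp: new Date().toISOString(),
    checks,
    httpStatus: healthy ? 200 : 503,
  };
}
// Assumed wiring in app/api/health/route.ts (db and redis are placeholders):
//   const report = await runHealthChecks({ db: () => db.execute('SELECT 1'), cache: () => redis.ping() });
//   return NextResponse.json(report, { status: report.httpStatus });
```

A 503 from this handler is what lets the orchestrator pull the instance out of rotation while the dependency is down, rather than continuing to route traffic to a process that is up but cannot serve requests.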