Module 20: Security

1 test case · 8 verification points
UAT-20.1

Security Basics

Critical
Precondition: Production environment

Steps

  1. Review security posture across the application

Verify (8 checks)

  • All pages served over HTTPS
  • No sensitive data (API keys, passwords) exposed in client-side code or network responses
  • API routes return 401 for unauthenticated requests
  • Users cannot access other users' documents via direct URL manipulation (IDOR prevention)
  • XSS protection: HTML input is escaped in comments, document titles, share links
  • SSRF prevention: PDF proxy validates URLs (no internal network access)
  • SQL injection: all database queries use parameterized inputs (Prisma ORM)
  • CSRF protection: session tokens are HTTP-only cookies
Score: ___    Tester: ___    Date: ___    Notes: ___