Domain 07 / 12

Frontend & Backend security audit

Strip secrets and debug leaks from the client, and shut down misconfigurations on the server.

  • 39 checks
  • Client-side and server-side hardening

Run the audit See example checks

What securmyapp checks

Inside the Frontend & Backend domain

This is the Frontend & Backend domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Frontend & Backend domain hardens both sides of the app. On the client, securmyapp flags secrets in JS bundles, missing Subresource Integrity, unvalidated postMessage, sensitive data in localStorage and exposed sourcemaps. On the server, it catches verbose errors and stack traces, debug/dev mode in production, directory listing, default files and mass-assignment binding flaws.

Coverage areas

39 atomic checks span these sub-domains.

  • Frontend secrets

    No API keys or secrets shipped in the client bundle.

  • Client integrity

    Subresource Integrity (SRI) and strict postMessage validation.

  • Client storage

    No PII or tokens in localStorage/sessionStorage.

  • Debug hygiene

    No console leaks, no exposed sourcemaps in production.

  • Server config

    No debug/dev mode, hardened error handling, no directory listing.

  • Backend binding

    Allowlisted, mass-assignment-safe field binding.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Frontend & Backend security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
No secrets on the frontendHighKeys or secrets embedded in client-side JavaScript.CWE-798 · ASVS V13
Vulnerable frontend dependenciesHighKnown CVEs in frontend JS libraries (XSS/RCE).A06:2021
Server configuration hardeningHighDebug or dev mode left enabled in production.A05:2021 · ASVS V13 · CIS
Mass assignment on the backend (binding)HighUncontrolled binding that enables privilege escalation.CWE-915 · API3:2023
Subresource Integrity (SRI)MediumThird-party scripts loaded without an SRI hash.ASVS V3 · CWE-353
Backend error handling (no stack trace)MediumStack traces and verbose errors disclosing internals.CWE-209 · WSTG-ERRH-01

Vulnerabilities we catch

  • API keys and secrets shipped in the client bundle
  • Missing Subresource Integrity on third-party scripts
  • PII and tokens stored in localStorage/sessionStorage
  • Exposed sourcemaps and debug output in production
  • Debug/dev mode, directory listing and default files on the server
  • Mass-assignment binding leading to privilege escalation

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Frontend & Backend — questions & answers

Can it find secrets shipped to the browser?

Yes. It scans the client bundle with gitleaks for any API key or secret, since anything shipped to the frontend is fully readable by attackers.

What server misconfigurations does it detect?

Debug/dev mode in production, verbose error pages and stack traces, directory listing, leftover default files, and mass-assignment binding flaws — the OWASP A05:2021 Security Misconfiguration class.

Does it check client-side storage?

It flags PII and tokens placed in localStorage or sessionStorage, which are exfiltrable via XSS, and recommends safer storage patterns.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.