Domain 07 / 12
Frontend & Backend security audit
Strip secrets and debug leaks from the client, and shut down misconfigurations on the server.
- 39 checks
- Client-side and server-side hardening
What securmyapp checks
Inside the Frontend & Backend domain
This is the Frontend & Backend domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Frontend & Backend domain hardens both sides of the app. On the client, securmyapp flags secrets in JS bundles, missing Subresource Integrity, unvalidated postMessage, sensitive data in localStorage and exposed sourcemaps. On the server, it catches verbose errors and stack traces, debug/dev mode in production, directory listing, default files and mass-assignment binding flaws.
Coverage areas
39 atomic checks span these sub-domains.
Frontend secrets
No API keys or secrets shipped in the client bundle.
Client integrity
Subresource Integrity (SRI) and strict postMessage validation.
Client storage
No PII or tokens in localStorage/sessionStorage.
Debug hygiene
No console leaks, no exposed sourcemaps in production.
Server config
No debug/dev mode, hardened error handling, no directory listing.
Backend binding
Allowlisted, mass-assignment-safe field binding.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| No secrets on the frontend | High | Keys or secrets embedded in client-side JavaScript. | CWE-798 · ASVS V13 |
| Vulnerable frontend dependencies | High | Known CVEs in frontend JS libraries (XSS/RCE). | A06:2021 |
| Server configuration hardening | High | Debug or dev mode left enabled in production. | A05:2021 · ASVS V13 · CIS |
| Mass assignment on the backend (binding) | High | Uncontrolled binding that enables privilege escalation. | CWE-915 · API3:2023 |
| Subresource Integrity (SRI) | Medium | Third-party scripts loaded without an SRI hash. | ASVS V3 · CWE-353 |
| Backend error handling (no stack trace) | Medium | Stack traces and verbose errors disclosing internals. | CWE-209 · WSTG-ERRH-01 |
Vulnerabilities we catch
- API keys and secrets shipped in the client bundle
- Missing Subresource Integrity on third-party scripts
- PII and tokens stored in localStorage/sessionStorage
- Exposed sourcemaps and debug output in production
- Debug/dev mode, directory listing and default files on the server
- Mass-assignment binding leading to privilege escalation
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Frontend & Backend — questions & answers
Can it find secrets shipped to the browser?
Yes. It scans the client bundle with gitleaks for any API key or secret, since anything shipped to the frontend is fully readable by attackers.
What server misconfigurations does it detect?
Debug/dev mode in production, verbose error pages and stack traces, directory listing, leftover default files, and mass-assignment binding flaws — the OWASP A05:2021 Security Misconfiguration class.
Does it check client-side storage?
It flags PII and tokens placed in localStorage or sessionStorage, which are exfiltrable via XSS, and recommends safer storage patterns.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.