SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

M01 Missing Authentication

What this means

SiteShadow flagged a route/handler that appears to perform a sensitive action or return sensitive data without requiring a logged-in user (or a trusted service identity).

Why it matters

Safer examples

1) Add an auth guard/middleware

app.get("/account", requireAuth, async (req, res) => {
  res.json(await getAccount(req.user.id));
});

2) Separate public vs. private routes

3) Return 401/403 consistently

Avoid "soft auth" patterns that return partial data when user is missing.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.