Admin route with no middleware
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
An /admin route is defined with its handler inlined right after the path, so no per-route auth or authorization middleware guards it.
Why it matters
An /admin route with its handler inlined directly after the path has no per-route authentication or authorization middleware in front of it, so anyone who knows the URL can reach it. Admin endpoints that read or change privileged data are exactly what must be gated. This is a heuristic: the guard may be applied globally with app.use or on a router, in which case the finding is a false positive worth confirming.
How to fix it
Put authentication and authorization middleware before the handler, either on the route (router.delete(path, requireAuth, requireAdmin, handler)) or on an admin router mounted with app.use('/admin', requireAdmin, adminRouter). Check the actual role, not just that the user is logged in. Confirm the guard runs for every method on the admin path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo