API route handles input without validation
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A route handler reads req.body/query or request.json()/searchParams but no schema-validation library (zod, yup, joi, valibot, ...) is imported or applied. Heuristic: it flags the absence of a validator, not a specific unsafe use, so a handler that validates by hand is a false positive.
Why it matters
A route handler that reads req.body, req.query, or request.json() without validating it trusts whatever a client sends. Missing or wrong-typed fields cause runtime crashes, and unchecked values flow straight into database queries, file paths, or third-party calls. This is a heuristic: it reports that no validation library is imported, so a handler that checks input by hand is a false positive.
How to fix it
Define a schema for the request body and query with zod (or yup, joi, valibot) and parse the input at the top of the handler, returning a 400 on failure. Work only with the parsed, typed result afterward, never the raw request object.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo