Security & remediation

Audited — and every finding is resolved.

Independently audited against OWASP Top 10 and API Top 10. All four verified findings are resolved — three fixed in code, one corrected in documentation — and twelve security areas were examined and cleared, with no false positives.

Posture

Critical: 0 · High: 1 · Medium: 2 · Low: 1
Remediation: 4 / 4 resolved (3 fixed in code · 1 documented)

Audited 2026-05-10 · Standard Mode (OWASP Top 10 2021 + API Top 10 2023) · remediation re-verified in code 2026-05-31

What we checked & cleared

12 security categories examined and found secure — authentication, input validation, rate limiting, data exposure, transport headers, file upload, dependencies, cryptography, concurrency, business logic, logging and documentation accuracy. No reported issue turned out to be a false positive requiring rejection.

What was checked
  • Payload authentication: bcrypt password hashing, secure HttpOnly cookies, account lockout after repeated failures
  • Access control verified on every collection — public-read vs admin-write, admin-only reads where needed
  • No dangerouslySetInnerHTML, eval or raw HTML injection anywhere in custom code
  • All inputs validated with Zod before reaching the database or any outbound request
  • SQL injection not applicable — parameterized queries through the ORM
  • Strict security headers: HSTS preload, per-request CSP nonce, frame-deny, nosniff, locked permissions policy
  • IP addresses hashed with a daily-rotating salt — raw IPs are never stored
  • Generic error responses — no stack traces or internal paths leaked
  • Self-hosted fonts, no third-party analytics and no cookies
  • Dependencies clean at high and critical severity (pnpm audit)

Findings — before & after

Severity: High · Category: auth · Status: Fixed

Access control on contact submissions

Before

The contact-submissions collection accepted creates from any caller, so a direct API write could slip past the rate limit and IP-hashing that only the Server Action applies.

After

Create is now restricted to Payload's in-process Local API, the path the rate-limited Server Action uses, so public REST and GraphQL writes are rejected, with a regression test guarding against recurrence. Source: ContactSubmissions.ts:11

Severity: Medium · Category: rate-limit · Status: Fixed

GitHub-stars endpoint was not rate-limited

Before

The public GitHub-stars endpoint didn't apply its rate limiter, so a flood of requests for distinct repositories could slip past the cache and exhaust the upstream GitHub API quota.

After

The route now checks the limiter before doing any work and returns 429 with a Retry-After header once the limit is exceeded. Source: route.ts:19

Severity: Medium · Category: upload · Status: Fixed

Media uploads had no enforced size limit

Before

The media collection whitelisted file types but didn't enforce the documented 5 MB ceiling, so an oversized image could strain disk and memory during processing.

After

A 5 MB limit is now enforced in a beforeChange hook that rejects oversized files. Source: Media.ts:4,31

Severity: Low · Category: docs-vs-reality · Status: Documented

Documentation overstated file-validation controls

Before

Security docs claimed magic-byte file validation that the implementation didn't perform — it trusted the client-supplied content type only.

After

The claim was corrected to match reality. Active controls are admin-only upload, a type whitelist and the 5 MB cap; deep content validation is tracked as later hardening.
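
The difference between trusting the client-supplied content type and checking magic bytes, shown as an added example that is not this site's code. It combines the size cap and type whitelist described above with a leading-byte check; the whitelist contents, the reading of "5 MB" as 5 MiB, and every name in the block are assumptions.

```typescript
// Added example, not the audited site's code. The whitelist contents and reading
// "5 MB" as 5 MiB are assumptions; all names here are hypothetical.
const MAX_BYTES = 5 * 1024 * 1024;

interface Verdict { ok: boolean; reason: string }
interface Signature { type: string; parts: { offset: number; bytes: number[] }[] }

// Leading-byte signatures for the assumed whitelist.
const SIGNATURES: Signature[] = [
  { type: "image/png", parts: [{ offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }] },
  { type: "image/jpeg", parts: [{ offset: 0, bytes: [0xff, 0xd8, 0xff] }] },
  // "GIF8" is the shared prefix of GIF87a and GIF89a.
  { type: "image/gif", parts: [{ offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] }] },
  // WebP is a RIFF container: "RIFF", 4 size bytes, then "WEBP".
  { type: "image/webp", parts: [
    { offset: 0, bytes: [0x52, 0x49, 0x46, 0x46] },
    { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] },
  ] },
];

function matchesAt(data: Uint8Array, offset: number, bytes: number[]): boolean {
  if (data.length < offset + bytes.length) return false;
  return bytes.every((b, i) => data[offset + i] === b);
}

// Returns the MIME type implied by the file's own bytes, or null if none match.
function sniffType(data: Uint8Array): string | null {
  const hit = SIGNATURES.find((s) => s.parts.every((p) => matchesAt(data, p.offset, p.bytes)));
  return hit ? hit.type : null;
}

function validateUpload(data: Uint8Array, declaredType: string): Verdict {
  // Size first, so oversized input is rejected before any content inspection.
  if (data.length > MAX_BYTES) return { ok: false, reason: "too-large" };
  // Normalise the client-supplied header value ("Image/PNG; x=y" -> "image/png").
  const declared = (declaredType.split(";")[0] ?? "").trim().toLowerCase();
  if (!SIGNATURES.some((s) => s.type === declared)) return { ok: false, reason: "type-not-allowed" };
  // The declared type is only a claim; the bytes must agree with it.
  const detected = sniffType(data);
  if (detected === null) return { ok: false, reason: "unrecognized-content" };
  if (detected !== declared) return { ok: false, reason: "type-mismatch" };
  return { ok: true, reason: "ok" };
}

// Constructed sample: HTML text uploaded with a declared type of image/png.
const SAMPLE_HTML_AS_PNG = Uint8Array.from(
  Array.from("<!doctype html><p>not an image</p>", (c) => c.charCodeAt(0)),
);
const sampleVerdict = validateUpload(SAMPLE_HTML_AS_PNG, "image/png");
```

A signature match identifies the container only; it does not prove the rest of the file is a well-formed image.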

Severity & categories

Critical: Directly exploitable with severe impact (RCE, auth bypass, data loss). Must be fixed before anything ships.
High: Exploitable with serious impact; fix before launch.
Medium: A real weakness with limited or conditional impact; fix soon.
Low: Minor or hard-to-exploit issue; defense-in-depth.

auth: Authentication & authorization (who is allowed to do what).
rate-limit: Limits that stop abuse, brute-force and resource exhaustion.
upload: File-upload handling (type, size and storage).
docs-vs-reality: Where documented security claims don't match the code.

How this was done

Found and fixed with a multi-agent security pipeline

Automated recon mapped every entry point; parallel per-category auditors probed for OWASP-class issues; and a deep-dive verifier re-checked each candidate to strip out false positives — none survived here. Test quality was reviewed alongside the code, and every fix shown on this page was re-verified against the current source when it was generated, with a regression test guarding the highest-impact fix.