SAKURA NODE · MIMETIC ZERO · SECURITY REPORT

OWASP ZAP — Automated Scan Report

TARGET: https://sakuranode.com
DATE: 2025-05-05
TOOL: ZAP 2.15.0
MODE: Passive + Active

HIGH RISK: 0
MEDIUM RISK: 3
LOW RISK: 12
INFORMATIONAL: 8

⚠ Medium Risk Alerts (3)

RISK | ALERT | DESCRIPTION & SOLUTION

MEDIUM | Content Security Policy (CSP) Header Not Set
The HTTP Content-Security-Policy response header is not set. Without a CSP, any script injected through an XSS flaw runs with no browser-enforced restriction on its sources or behaviour.
▶ Add Content-Security-Policy in Next.js next.config.js headers() with appropriate directives (default-src, script-src, style-src).
Affected: https://sakuranode.com/ · https://sakuranode.com/engineering-dashboard

MEDIUM | Missing Anti-clickjacking Header
The response includes neither a CSP frame-ancestors directive nor an X-Frame-Options header.
▶ Add X-Frame-Options: DENY or CSP frame-ancestors 'none' to prevent clickjacking.
Affected: https://sakuranode.com/

MEDIUM | Absence of Anti-CSRF Tokens
No anti-CSRF tokens were found in HTML forms. Forms without CSRF protection could allow forged requests from a third-party domain.
▶ Implement CSRF tokens via Next.js middleware or the csrf package. Alternatively, use the SameSite cookie attribute.
Affected: https://sakuranode.com/contact

ℹ Low Risk Alerts (12)

RISK | ALERT | URLS AFFECTED
LOW | X-Content-Type-Options Header Missing | https://sakuranode.com/ (14 URLs)
LOW | Strict-Transport-Security Header Not Set | https://sakuranode.com/
LOW | Cookie Without SameSite Attribute | https://sakuranode.com/ (__vercel_live_token)
LOW | Cookie Without Secure Flag | https://sakuranode.com/api/health-proxy
LOW | Permissions Policy Header Not Set | https://sakuranode.com/ (8 URLs)
LOW | Server Leaks Version Information via "Server" Header | https://sakuranode.com/ (server: Vercel)
LOW | Timestamp Disclosure - Unix | https://sakuranode.com/api/test-results
LOW | Cross-Domain JavaScript Source File Inclusion | https://sakuranode.com/ (Google Fonts)
LOW | Information Disclosure - Suspicious Comments | https://sakuranode.com/_next/static/ (2 files)
LOW | Modern Web Application | https://sakuranode.com/
LOW | Loosely Scoped Cookie | https://sakuranode.com/
LOW | Source Code Disclosure - /WEB-INF folder | https://sakuranode.com/ (false positive — Next.js)

⚙ Scan Configuration

PARAMETER | VALUE
Scan type | Passive + Active (standard)
Spider | Traditional Spider + AJAX Spider
URLs scanned | 47
Requests sent | 3 812
Scan duration | 14m 32s
ZAP version | 2.15.0
Automation Framework | tests/security/zap-automation.yml