Afrexai Cybersecurity Engine

Tier 2 — High (fix this week):

• Dependencies with known CVEs (CVSS ≥ 7.0)
• No rate limiting on authentication endpoints
• Missing CSRF protection on state-changing operations
• Verbose error messages leaking stack traces
• No input validation on API endpoints
• Weak password policy (< 12 chars, no complexity)
• Session tokens in URL parameters
• No logging of authentication events

Tier 3 — Medium (fix this sprint):

• Missing security headers (CSP, HSTS, X-Frame-Options)
• No automated dependency scanning in CI
• Overprivileged service accounts
• No secret rotation policy
• Missing account lockout after failed attempts
• No security.txt or responsible disclosure policy
• Cookies without Secure/HttpOnly/SameSite flags

Score: Count failures. 0-2 = solid. 3-5 = needs work. 6+ = stop shipping features, fix security.

Full Assessment Brief