2024
Security
Data Protection
Audit
Riad Invest
Personal data, bank details, identity documents. All exposed. No one had noticed.
riadinvest.com
The challenge
API keys exposed in the frontend.
No permission system at all.
Personal data leaking to anyone.
Endpoints wide open.
The audit
security-audit
01 Scanning every entry point
→ 23 routes checked. 22 had zero protection.
02 Looking for exposed secrets
→ 3 paid API keys sitting in the browser. Anyone could copy them.
03 Checking who can access what
→ No roles. A visitor had the same access as an admin. Including the admin panel.
04 Scanning for leaked personal data
→ Bank details, IDs, phone numbers. All in public responses.
05 Locking everything down
→ Keys rotated. Roles enforced. Every route locked. Zero leaks.
Before / After
Before: API keys in frontend. After: Keys secured server-side.
Before: No permission system. After: Role-based access control.
Before: Personal data exposed. After: Zero data exposure.
Before: Endpoints open to anyone. After: Locked endpoints with auth.
The result
22 Exposed endpoints
0% Endpoints secured
0 Data leaks
Have a similar challenge?
Let's figure out what your project needs.