Guides
Concrete guides to integrate security auditing into your workflow, stack by stack.
Concrete guides to integrate security auditing into your workflow, stack by stack.
Practical, stack-by-stack security checks you can run before you hand a project to a client. Each section lists what breaks most often on that stack, how to fix it, and what Hykaro flags.
Next.js hides a few sharp edges behind a friendly API.
Client-side secrets. Anything prefixed NEXT_PUBLIC_ is bundled into the browser. People paste an API key there to "make it work", and now the key ships to every visitor. Keep secrets server-side: route them through an API route or a server action, never a NEXT_PUBLIC_ variable.
dangerouslySetInnerHTML. This is the one place React stops protecting you. If the HTML comes from user input or a CMS, sanitize it with DOMPurify first. If it comes from a markdown renderer, make sure that renderer escapes raw HTML.
Dependencies. npm audit reports known CVEs, but it misses abandoned packages and the made-up ones an AI assistant sometimes imports. Pin versions, remove packages you no longer use, and check that every import resolves to something real.
HTTP headers. Set a Content-Security-Policy, HSTS, and X-Frame-Options in next.config.js headers or in middleware. A default Next app ships almost none of these.
Before delivery, run hykaro ci, read the report, and attach the PDF to your invoice.
Input validation. Validate request bodies with a schema (zod, Joi) at the edge of every route. Most injection and deserialization bugs start with an unchecked body.
Query building. Use parameterized queries or an ORM. A template-string query is a SQL injection waiting for the wrong input.
Secrets and config. Load secrets from the environment, never from a committed file. Fail loudly at startup if a required variable is missing, rather than defaulting to something insecure.
Error handling. Turn off stack traces in production responses. Log the detail, return a generic message. An Express app with a default error handler leaks internals on every crash.
composer audit. Run it in CI. It reports known vulnerabilities in your installed packages against the Symfony security advisories.
unserialize(). Never call it on user input. Use json_decode for data you receive from outside, and validate the result.
Configuration. Keep APP_ENV=prod and APP_DEBUG=0 in production. Debug mode exposes the profiler and full stack traces, including credentials.
Static analysis. phpstan at a high level catches a class of bugs before they ship. It is not a security tool on its own, but it removes the noise that hides real issues.
Mass assignment. Set $fillable (or $guarded) on every model. Without it, a crafted request can write fields you never meant to expose, like is_admin.
Query building. Use Eloquent or the query builder with bindings. Avoid DB::raw with user input.
Environment. APP_DEBUG=false in production. The Laravel debug page is helpful locally and a data leak in production.
Dependencies. Run composer audit and keep the framework patched. Laravel security releases land regularly.
pip-audit. Run it against your locked requirements to catch known CVEs in dependencies.
bandit. A static analyzer for common Python security issues: eval on input, weak crypto, shell calls built from strings.
Subprocess and shell. Never pass user input to os.system or subprocess with shell=True. Pass arguments as a list and keep the shell out of it.
Deserialization. pickle runs code on load. Do not unpickle anything a user can influence. Use JSON for untrusted data.
A report is only useful if you know what to do with it.
New to a finding? The glossary explains each one with a fix. To wire scans into your pipeline, see the CI Agent.