Security Rules
8 high-confidence rules that automatically scan your live traffic during development.
Brakit runs every HTTP response through 8 security rules: 4 critical and 4 warnings. Issues are flagged in real time on the Security tab and surfaced in the Overview.
Critical Rules
These indicate serious security issues that should be fixed before deployment.
Exposed Secret
Response body contains sensitive fields like password, api_key, or client_secret with real (non-masked) values.
Fix: Never include secret fields in API responses. Use select/exclude in your ORM query to omit them, or map records through an explicit allowlist of fields before serializing. Only real values are flagged; masked placeholders such as **** are not.
Token in URL
Authentication tokens passed in query parameters (for example ?token=... or ?api_key=...) instead of headers.
Fix: Send the token in the Authorization header (usually the Bearer scheme) instead. Query strings are written to server and proxy access logs and browser history, and can leak through the Referer header of links clicked from the page, so a token in the URL stays readable long after the request.
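The check and the fix side by side, as an added example that is not Brakit's own code: one function mirrors the rule by listing query parameters that look like credentials, the other reads a token only from the Authorization header and refuses anything else. The parameter-name list and the sample URLs are assumptions.

```javascript
// Added example (not Brakit's code). Query-parameter names that usually carry
// credentials; assumed list, extend it for your own APIs.
const TOKEN_PARAMS = [
  "token", "access_token", "api_key", "apikey", "auth", "jwt", "key", "secret", "sig",
];

// What the Token in URL rule looks for: names of query parameters on `url`
// that look like credentials, in the order they appear (deduplicated).
function findTokensInUrl(url) {
  // A relative path is fine: the base is only needed for parsing.
  const { searchParams } = new URL(url, "http://localhost");
  const hits = [];
  for (const name of new Set(searchParams.keys())) {
    if (TOKEN_PARAMS.includes(name.toLowerCase())) hits.push(name);
  }
  return hits;
}

// The fix: take the token from the Authorization header only. Returns null when
// the header is absent, uses another scheme, or is malformed; it deliberately
// never falls back to ?token=... Accepts the lowercased key Node uses for
// incoming headers as well as the canonical spelling.
function getBearerToken(headers) {
  const value = headers["authorization"] ?? headers["Authorization"];
  if (typeof value !== "string") return null;
  // token68 syntax from RFC 6750 section 2.1.
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/.exec(value.trim());
  return m ? m[1] : null;
}
```

A request that arrives with a token in the query string should be rejected outright rather than silently accepted, otherwise clients never migrate and the token keeps landing in logs.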
Stack Trace Leak
Internal stack traces sent to the client in error responses.
Fix: Use a custom error handler that logs the full error server-side (ideally with a request ID so you can correlate it later) and returns only a generic message to the client. Detailed errors belong in development logs, not in response bodies.
Error Info Leak
Database connection strings, SQL queries, or secret values exposed in error responses.
Fix: Sanitize error responses. Return generic error messages to clients and keep the connection string, the failing query and its parameters in server-side logs only, with secrets redacted there as well.
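The two error rules share one fix, so here is an added example (not Brakit's code) covering both Stack Trace Leak and Error Info Leak: a leaky handler that forwards message and stack, a hardened handler that logs the details under a request ID and answers with a generic body, and a crude checker in the spirit of the rules that looks for stack frames, connection strings and SQL in a response body. The in-memory serverLog, makeRequestId and the regex list are stand-ins and assumptions.

```javascript
// Added example (not Brakit's code).
const serverLog = [];            // stand-in for your real logger
let requestCounter = 0;
function makeRequestId() { return `req-${++requestCounter}`; }

// What the rules flag: the error object goes straight to the client.
function leakyErrorResponse(err) {
  return { status: 500, body: { message: err.message, stack: err.stack } };
}

// The fix: message, stack and cause go only to the server log, keyed by an id
// the client can quote back to support. The body never changes shape.
function safeErrorResponse(err) {
  const id = makeRequestId();
  serverLog.push({ level: "error", id, message: err.message, stack: err.stack, cause: err.cause });
  return { status: 500, body: { error: "Internal server error", id } };
}

// Patterns a response body should never contain (assumed, not Brakit's list):
// a V8 stack frame, a database connection string, or a SQL statement.
const LEAK_PATTERNS = [
  /\bat .*:\d+:\d+/,                                          // "at fn (/srv/app.js:12:7)"
  /\b(postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s"']+/i,
  /\b(SELECT\s.+\sFROM\s|INSERT\s+INTO\s|UPDATE\s.+\sSET\s|DELETE\s+FROM\s)/i,
];

// True if the serialized body matches any leak pattern.
function leaksInternals(body) {
  const text = JSON.stringify(body);
  return LEAK_PATTERNS.some((re) => re.test(text));
}
```

The generic body is deliberately identical for every failure class; varying it by exception type is how "user not found" versus "wrong password" oracles creep back in.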
Warning Rules
These indicate potential issues or bad practices worth reviewing.
PII Leak in Response
API response echoes back PII from the request body, returns full user records with email and internal IDs, or returns lists of records containing email addresses.
Fix: Return only the fields the client needs. Don't echo back full records after create/update. Return a minimal confirmation or just the ID.
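Exposed Secret and PII Leak in Response have the same remedy, shaping the response explicitly instead of forwarding a record, so one added example (not Brakit's code) serves both: an allowlist serializer for user records, a create response that returns only the new ID, a list endpoint mapped through the same allowlist, and a helper in the spirit of the rule that reports which request fields were echoed back. The record layout and field names are constructed.

```javascript
// Added example (not Brakit's code). Fields a client may see for a user.
// Everything else (password_hash, api_key, internal ids, email) is dropped by
// construction, which is the same effect as select/exclude in the ORM query.
const USER_PUBLIC_FIELDS = ["id", "displayName", "createdAt"];

// Copy only the listed fields, in list order, skipping any that are absent.
function pick(record, fields) {
  const out = {};
  for (const f of fields) if (f in record) out[f] = record[f];
  return out;
}

// GET /users/:id -> public view only.
function toPublicUser(record) {
  return pick(record, USER_PUBLIC_FIELDS);
}

// POST /users -> do not echo the request body (it carried password and
// email); the id is all the client needs to follow up.
function createUserResponse(createdRecord) {
  return { status: 201, body: { id: createdRecord.id } };
}

// GET /users -> every element goes through the same allowlist, so a list
// endpoint cannot leak email addresses even when the model later grows.
function listUsersResponse(records) {
  return { status: 200, body: records.map(toPublicUser) };
}

// Mirror of the rule's "echoes back PII from the request body" check: which
// top-level request fields reappear unchanged in the response body?
function echoedFields(requestBody, responseBody) {
  return Object.keys(requestBody).filter(
    (k) => k in responseBody && responseBody[k] === requestBody[k],
  );
}
```

The allowlist is the important half: a blocklist (`delete user.password_hash`) silently starts leaking the next time someone adds a sensitive column.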
Insecure Cookie
Cookies missing the HttpOnly or SameSite attribute.
Fix: Set HttpOnly and SameSite on every cookie that page scripts do not need to read, session cookies above all. HttpOnly keeps the cookie out of document.cookie, so an XSS payload cannot read it (it does not stop the XSS itself); SameSite=Lax or Strict stops the browser attaching the cookie to most cross-site requests, which blunts CSRF. Add Secure as well in production so the cookie only travels over HTTPS, and note that browsers accept SameSite=None only together with Secure.
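To make the rule concrete, an added example (not Brakit's code) that parses a Set-Cookie header value, lists the findings the Insecure Cookie rule would raise (plus the SameSite=None-without-Secure case, which browsers reject), and builds a session cookie with the right attributes. The attribute handling follows RFC 6265; the cookie names and values are constructed.

```javascript
// Added example (not Brakit's code). Parse "name=value; Attr; Attr=v" into
// the attributes we care about. Unknown attributes are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Findings for one Set-Cookie value; an empty array means the cookie is fine.
function cookieFindings(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push("missing HttpOnly");
  if (!["lax", "strict", "none"].includes(c.sameSite)) findings.push("missing SameSite");
  // Browsers drop SameSite=None cookies that are not also Secure.
  if (c.sameSite === "none" && !c.secure) findings.push("SameSite=None requires Secure");
  return findings;
}

// Build a session cookie with the attributes the rule expects. `secure` can be
// turned off for plain-http local development; keep it on everywhere else.
function sessionCookie(name, value, { secure = true, sameSite = "Lax", maxAge = 3600 } = {}) {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "HttpOnly",
    `SameSite=${sameSite}`,
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}
```

Run cookieFindings over every Set-Cookie header a response carries, not just the first; frameworks often emit several, and the one without flags is usually the one a library set on your behalf.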
Sensitive Logs
Passwords, secrets, or token values found in console output.
Fix: Redact sensitive values before logging. Use structured logging with masking by field name, applied before the record is serialized, so every log sink receives the masked version.
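Detecting unmasked secrets in a response body (the Exposed Secret rule above) and masking them before they reach a log line (this rule's fix) are the same recursive walk, so one added example (not Brakit's code) covers both: a key-name matcher, a finder that returns the paths of real, non-masked secret values, a redactor that returns a masked copy, and a log helper that always redacts first. The key pattern, the mask strings and the sample bodies are assumptions, and the pattern errs on the side of false positives (it will also match a field named tokens_remaining).

```javascript
// Added example (not Brakit's code). Key names treated as sensitive; assumed.
const SENSITIVE_KEY = /(password|passwd|secret|api[_-]?key|token|authorization|private[_-]?key)/i;
const MASK = "[REDACTED]";
// Values that are already masked and therefore not a finding; assumed forms.
const MASKED_VALUE = /^(\*{3,}|\[redacted\]|<redacted>)$/i;

// Depth-first walk; fn(path, key, value) is called once per sensitive key.
// A sensitive key's subtree is treated as a unit and not descended into.
function walkSensitive(obj, fn, path = []) {
  if (Array.isArray(obj)) {
    obj.forEach((v, i) => walkSensitive(v, fn, [...path, i]));
  } else if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      if (SENSITIVE_KEY.test(k)) fn([...path, k].join("."), k, v);
      else walkSensitive(v, fn, [...path, k]);
    }
  }
}

// Exposed Secret: dotted paths of sensitive keys holding a real string value.
function findExposedSecrets(body) {
  const hits = [];
  walkSensitive(body, (path, _key, v) => {
    if (typeof v === "string" && v.length > 0 && !MASKED_VALUE.test(v)) hits.push(path);
  });
  return hits;
}

// Sensitive Logs: deep copy with every sensitive value replaced by MASK.
// The input is never mutated, so the application object stays usable.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = SENSITIVE_KEY.test(k) ? MASK : redact(v);
    return out;
  }
  return value;
}

// Structured log line; redaction happens before serialization, so whatever
// sink consumes the string can never see the raw values.
function logEvent(level, msg, fields = {}) {
  return JSON.stringify({ level, msg, ...redact(fields) });
}
```

Masking by key name is the cheap, reliable layer; it does not catch a secret embedded in a free-text message field, which is why the error handler for the critical rules keeps error messages out of client responses too.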
CORS + Credentials
credentials: true (Access-Control-Allow-Credentials: true) combined with a wildcard origin (Access-Control-Allow-Origin: *). Browsers reject this combination and withhold the response from the page, so the request fails outright.
Fix: You cannot use credentials with a wildcard origin. Specify explicit origins instead. If you echo the request's Origin header back, check it against an allowlist of exact origins first and send Vary: Origin; reflecting any origin unconditionally passes the browser's check but lets every site make credentialed requests to your API, which is worse than the wildcard.
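The broken configuration, the tempting wrong fix and the correct one, as an added example (not Brakit's code) that computes CORS response headers from an exact-match origin allowlist and includes a small checker for the condition this rule flags. The origins and header objects are constructed.

```javascript
// Added example (not Brakit's code). Exact origins only: scheme, host and
// port. Exact matching avoids the classic /example\.com$/ regex mistake that
// also admits notexample.com.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// What the rule flags. The browser refuses to expose this response.
const BROKEN_CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};

// The wrong fix: reflect whatever Origin arrived. Passes the browser check,
// but now any site can make credentialed requests and read the response.
function reflectAnyOrigin(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// The correct fix: echo the origin only if it is allowlisted, and send
// Vary: Origin so a shared cache never serves one origin's headers to another.
// Returning no CORS headers at all makes the browser block the read.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The rule's condition over a response's headers.
function flagsCredentialedWildcard(headers) {
  return headers["Access-Control-Allow-Origin"] === "*" &&
    /^true$/i.test(headers["Access-Control-Allow-Credentials"] ?? "");
}
```

Apply the same allowlist to preflight responses (OPTIONS) as to the real request; a preflight that answers with the wildcard is flagged by this rule just the same.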