A year of audits, clear patterns
After more than a year of external reviews of French web applications, clear patterns emerge. The same vulnerabilities come back again and again. Here is our top 10, ranked by how often we found each one.
Flaw 1: Missing or incorrect RLS policies (78% of audits)
This is the number one flaw, by far. On applications built on Supabase, or on any backend that lets the browser query the database directly, Row Level Security policies are absent (RLS never enabled on a table the API exposes, so the public anon key reads and writes every row), incomplete (SELECT scoped to the owner while UPDATE and DELETE are left open to any logged-in user), or permissive (USING (true), or USING (auth.role() = 'authenticated'), which means every authenticated user). Result: any authenticated user can read, and often modify, every other user's data. Because the anon key ships in the frontend, these policies are the only access control between a visitor and the database.
This flaw is particularly frequent in applications built with AI tools (Lovable, Bolt) that generate functional code without access control.
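The three RLS mistakes above are visible in the Postgres catalog before anyone writes an exploit. The script below is an added example written for this article, not code from the article itself or from Supabase: it takes the rows of two catalog queries (which public tables have RLS switched on, and every policy with its USING and WITH CHECK expressions) and reports tables with RLS disabled, policies that are open (true) or not scoped to the caller, and commands with no policy at all. The table list, the policies, and the rule that a scoped policy must mention auth.uid() are constructed assumptions for the demonstration.

```python
"""Audit Supabase/Postgres Row Level Security coverage from catalog rows.

Added example, not code from the article or from Supabase. It assumes you
have dumped two catalog queries from the project database and pasted the
rows below; the rows here are constructed for illustration:

    -- which public tables have RLS switched on
    select relname, relrowsecurity from pg_class
     where relnamespace = 'public'::regnamespace and relkind = 'r';
    -- every policy, with its USING (qual) and WITH CHECK expressions
    select tablename, policyname, cmd, qual, with_check
      from pg_policies where schemaname = 'public';
"""
import re
from collections import defaultdict

COMMANDS = ("SELECT", "INSERT", "UPDATE", "DELETE")

# Constructed: every table PostgREST exposes in 'public' and whether RLS is on.
SAMPLE_TABLES = {"profiles": True, "invoices": True, "orders": True, "audit_log": False}

# Constructed pg_policies rows. Postgres stores USING (true) as the literal 'true'.
SAMPLE_POLICIES = [
    {"table": "profiles", "name": "profiles_own", "cmd": "ALL",
     "qual": "(auth.uid() = user_id)", "with_check": "(auth.uid() = user_id)"},
    {"table": "invoices", "name": "invoices_select_own", "cmd": "SELECT",
     "qual": "(auth.uid() = user_id)", "with_check": None},
    {"table": "invoices", "name": "invoices_update_any", "cmd": "UPDATE",
     "qual": "(auth.role() = 'authenticated'::text)",
     "with_check": "(auth.role() = 'authenticated'::text)"},
    {"table": "orders", "name": "orders_all", "cmd": "ALL",
     "qual": "true", "with_check": "true"},
]

# Heuristic (assumption): a row-scoped policy ties rows to the caller via auth.uid().
SCOPED = re.compile(r"auth\.uid\(\)")


def classify_expr(expr):
    """Label a policy expression: 'missing', 'open', 'unscoped' or 'scoped'."""
    if expr is None:
        return "missing"
    if expr.strip().lower() in ("true", "(true)"):
        return "open"        # USING (true): every row, for everyone
    if not SCOPED.search(expr):
        return "unscoped"    # e.g. auth.role() = 'authenticated': any logged-in user
    return "scoped"


def audit(tables, policies):
    """Return a sorted list of (table, cmd, finding) tuples."""
    per_cmd = defaultdict(dict)  # table -> cmd -> policy row
    for p in policies:
        for cmd in (COMMANDS if p["cmd"] == "ALL" else (p["cmd"],)):
            per_cmd[p["table"]][cmd] = p

    findings = []
    for table, rls_on in tables.items():
        if not rls_on:
            # Without RLS the anon key, which ships in the frontend, reads and
            # writes every row; policies on such a table are never evaluated.
            findings.append((table, "*", "RLS disabled: table fully exposed"))
            continue
        for cmd in COMMANDS:
            p = per_cmd[table].get(cmd)
            if p is None:
                # RLS on and no policy: Postgres denies, so this is only a note.
                findings.append((table, cmd, "no policy (denied by default)"))
                continue
            # INSERT is governed by WITH CHECK; the other commands by USING.
            expr = p["with_check"] if cmd == "INSERT" else p["qual"]
            verdict = classify_expr(expr)
            if verdict in ("open", "unscoped"):
                findings.append((table, cmd, f"{verdict} policy {p['name']}: {expr}"))
    return sorted(findings)


if __name__ == "__main__":
    for table, cmd, msg in audit(SAMPLE_TABLES, SAMPLE_POLICIES):
        print(f"{table:10} {cmd:7} {msg}")
```

On the constructed data this reports audit_log as fully exposed, every command on orders as open, and UPDATE on invoices as unscoped; profiles, whose single ALL policy is tied to auth.uid(), produces nothing. The fix for an unscoped or open policy is to rewrite it with an owner predicate, typically using (auth.uid() = user_id) with the same expression in with check, and to enable RLS on every table the API can reach.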
Flaw 2: Unauthenticated webhooks (62% of audits)
Webhook URLs (n8n, Make, Zapier, custom) hardcoded in frontend JavaScript. Anything in the bundle is public, so any visitor can call these webhooks with arbitrary parameters. We have found webhooks that create admin accounts, send email, modify data, and trigger expensive workflows. A URL is not a credential: the call belongs behind a server-side endpoint that authenticates the user, or at minimum behind a secret header that the workflow verifies before doing anything.
Flaw 3: API keys exposed in JavaScript (58% of audits)
API keys, service tokens, and application secrets visible in the JavaScript bundle: Stripe secret keys, Supabase service_role keys, third-party API tokens. Once shipped to the browser a key is public; minification is not obfuscation. These keys give direct, unrestricted access to the services behind them, and the Supabase service_role key in particular bypasses Row Level Security entirely. Only keys designed to be public (Stripe publishable keys, the Supabase anon key) belong in a bundle, and the anon key only with RLS in place.
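Flaws 2 and 3 are found the same way: download the production bundle and grep it. The scanner below is an added example written for this article, not the article's own tooling. It looks for Stripe secret keys, JWTs (and decodes the payload to tell the harmless Supabase anon key from a service_role key), and the webhook URL shapes used by Zapier, Make and n8n. The sample bundle text is constructed, every key in it is fake and built in the code itself, and the patterns are heuristics an auditor starts from rather than a complete secret scanner.

```python
"""Scan a built JavaScript bundle for leaked secrets and callable webhook URLs.

Added example, not code from the article. The patterns are the ones an
auditor greps for first; they are heuristics, not a complete secret scanner.
The bundle text below is constructed, and every key in it is fake.
"""
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _fake_jwt(role: str) -> str:
    """Build a Supabase-shaped JWT with a bogus signature (constructed, not real)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": role}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


# Constructed bundle excerpt: one service_role key, one anon key, one Stripe
# secret key, and two webhook calls, all fake.
SAMPLE_BUNDLE = f"""
const supabase = createClient("https://abcdefghijklmnopqrst.supabase.co", "{_fake_jwt('service_role')}");
const publicKey = "{_fake_jwt('anon')}";
const stripe = Stripe("sk_live_{'0' * 24}");
fetch("https://hooks.zapier.com/hooks/catch/123456/abcdef/", {{method: "POST", body: JSON.stringify(form)}});
fetch("https://n8n.example.test/webhook/create-admin", {{method: "POST"}});
"""

PATTERNS = {
    "stripe_secret": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}"),
    "jwt": re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+"),
    "webhook_url": re.compile(
        r"https?://[^\s\"']*(?:hooks\.zapier\.com/hooks/catch|hook\.[a-z0-9]+\.make\.com|/webhook(?:-test)?/)[^\s\"']*"
    ),
}


def jwt_role(token: str):
    """Return the 'role' claim of a JWT without verifying it, or None.

    No signature check is needed here: the question is only what the bundle ships.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, IndexError, UnicodeDecodeError):
        return None


def scan_bundle(text: str):
    """Return a list of (severity, kind, value) findings, worst first."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in set(pattern.findall(text)):
            if kind == "jwt":
                role = jwt_role(match)
                if role == "anon":
                    continue  # the anon key is meant to be public; RLS must protect it
                severity = "critical" if role == "service_role" else "medium"
                findings.append((severity, f"jwt role={role}", match[:20] + "..."))
            elif kind == "stripe_secret":
                findings.append(("critical", kind, match[:12] + "..."))
            else:
                findings.append(("high", kind, match))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, kind, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"[{severity}] {kind}: {value}")
```

Run it against the real bundle by reading the file into scan_bundle instead of SAMPLE_BUNDLE. A service_role hit or a Stripe sk_ key is an incident, not a finding: the key has to be rotated, because the bundle may already be in a CDN cache or a search-engine index.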
Flaw 4: IDOR — accessing other users' data (52% of audits)
Insecure Direct Object Reference: changing an ID in the URL or in an API parameter returns another user's record, because the server checks that the caller is logged in but not that the caller owns the object. Sequential IDs make exploitation trivial: just increment. Random identifiers slow enumeration down but do not fix the flaw; the ownership check has to happen server-side on every lookup.
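The enumeration and its fix, as an added example written for this article (not the article's code): an in-memory invoice table with sequential ids, a lookup that ignores the caller, the scoped lookup that treats "not yours" and "does not exist" identically, and the walk over ids an attacker performs with their own session. The records and user names are constructed; in a real handler the same predicate goes into the query (WHERE id = :id AND owner_id = :current_user) or into an RLS policy.

```python
"""Sequential-ID enumeration against an unscoped lookup, beside the scoped fix.

Added example, not from the article. The in-memory 'database' and users are
constructed; a real handler runs the same ownership predicate in SQL or
relies on a Row Level Security policy.
"""
import secrets

# Constructed records: sequential ids, as produced by a serial primary key.
INVOICES = {
    1: {"owner": "alice", "total": 120},
    2: {"owner": "bob", "total": 75},
    3: {"owner": "carol", "total": 310},
}


def get_invoice_vulnerable(invoice_id, current_user):
    """IDOR: the session identifies the caller, but the lookup ignores it."""
    return INVOICES.get(invoice_id)


def get_invoice_scoped(invoice_id, current_user):
    """Fix: the owner is part of the lookup key.

    Returns None both when the row does not exist and when it belongs to
    someone else, so the response does not reveal which ids are taken.
    """
    row = INVOICES.get(invoice_id)
    if row is None or row["owner"] != current_user:
        return None
    return row


def enumerate_ids(lookup, current_user, upper=10):
    """What an attacker does: walk ids 1..upper with their own valid session."""
    found = {}
    for invoice_id in range(1, upper + 1):
        row = lookup(invoice_id, current_user)
        if row is not None:
            found[invoice_id] = row
    return found


def new_public_id():
    """Unguessable id for URLs: defense in depth, not a substitute for the check."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("attacker 'bob' sees:", enumerate_ids(get_invoice_vulnerable, "bob"))
    print("after the fix 'bob' sees:", enumerate_ids(get_invoice_scoped, "bob"))
```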
Flaw 5: API endpoints without authentication (48% of audits)
API routes accessible without any token or session: endpoints returning user lists, configuration data, statistics, exports. Often these are endpoints created for development and forgotten in production. The usual cause is authentication middleware applied route by route rather than by default; the reliable pattern is to require authentication on every route and allow-list the few that are meant to be public.
Flaw 6: Exposed configuration — Ziggy, Debugbar, Swagger (41% of audits)
Ziggy publishing the full Laravel route list, including admin and internal routes, on public pages (it can be restricted with the only and except filters in config/ziggy.php). Laravel Debugbar left active in production, with SQL queries, session data and request details visible to anyone (it follows APP_DEBUG unless DEBUGBAR_ENABLED is explicitly set to false). Swagger UI accessible without authentication, documenting the entire API.
Flaw 7: Storage buckets without access policies (38% of audits)
Confidential documents (payslips, contracts, ID documents, medical records) stored in S3 or Supabase Storage buckets and reachable by direct URL: either a public bucket, or a private one whose objects are served through permanent links. No check of who is asking and no URL expiration, so a link that leaks once (server logs, a shared screenshot, browser history) stays valid forever. Private buckets plus short-lived signed URLs, issued only after the application has checked that the requester owns the document, are the standard answer.
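The two missing properties, identity and expiry, as an added example written for this article. This is not S3's signing scheme (S3 uses SigV4 presigned URLs) nor Supabase Storage's createSignedUrl; it is a self-contained HMAC version of the same idea so the mechanics are visible: the server signs the path, the user and an expiry time with a key that never leaves the server, and the download handler recomputes the signature, compares it in constant time, and refuses stale links or links presented by a different user. The signing key, the URL prefix and the document paths are constructed.

```python
"""Expiring, HMAC-signed download links for a private storage bucket.

Added example, not from the article, and not S3's or Supabase's own signing
scheme. It demonstrates the two properties the article says are missing:
the link is bound to one user and stops working after a short time.
Key and paths are constructed.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-server-side-secret"  # never shipped to the browser
DEFAULT_TTL = 300  # seconds; short, because the link may be logged or shared


def _signature(path, user, expires):
    msg = f"{path}\n{user}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(path, user, now=None, ttl=DEFAULT_TTL):
    """Issue a link. Call this only after the app has checked 'user' may read 'path'."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"user": user, "exp": expires, "sig": _signature(path, user, expires)})
    return f"/files/{path}?{query}"


def verify_link(url, requester, now=None):
    """Return the path to serve, or None if the link is forged, altered, expired,
    or presented by someone other than the user it was issued to."""
    parsed = urlparse(url)
    if not parsed.path.startswith("/files/"):
        return None
    path = parsed.path[len("/files/"):]
    q = parse_qs(parsed.query)
    try:
        user, exp, sig = q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    if user != requester:
        return None  # identity check: the link is bound to the session that requested it
    current = now if now is not None else time.time()
    if current > exp:
        return None  # expiry: a link found in a log or shared later is useless
    if not hmac.compare_digest(sig, _signature(path, user, exp)):
        return None  # path, user or expiry was tampered with
    return path


if __name__ == "__main__":
    link = issue_link("payslips/2024-03.pdf", "alice")
    print(link)
    print("alice:", verify_link(link, "alice"))
    print("bob:", verify_link(link, "bob"))
```

The order of the checks matters only for clarity; every rejection returns the same None so the handler answers 404 in all cases. With a real object store, the equivalent is to keep the bucket private and have this same endpoint hand out a provider-signed URL with a matching short expiry.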
Flaw 8: WordPress REST API exposing sensitive data (35% of audits)
Default WordPress REST endpoints (/wp-json/wp/v2/users, /wp-json/wp/v2/media) returning the list of users (author enumeration, the first step of a brute-force attack), ACF option fields exposed through the REST API (sometimes containing API keys), and media with sequential IDs. Plugins add their own REST namespaces, often with unauthenticated endpoints.
Flaw 9: Absence of rate limiting (31% of audits)
No limit on login attempts (brute force and credential stuffing), API calls (denial of service and scraping), account creations (spam), or data exports (mass exfiltration). Rate limiting does not replace the access controls above, but it turns a silent, unlimited attack into a slow and noisy one.
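One way to implement this, as an added example written for this article and not the article's own code: a sliding-window limiter keyed per client, with login limited on both the source address and the target account, so that a single address spraying many accounts and many addresses targeting one account are both caught. It is single-process and in-memory, which is enough to show the logic; behind several application servers the same counters would live in a shared store such as Redis. The limits and the simulated traffic are constructed.

```python
"""Sliding-window rate limiter keyed per client, for login and export endpoints.

Added example, not from the article. Single-process and in-memory; with
several app servers the counters belong in a shared store. Limits and the
simulated traffic are constructed.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now=None):
        """Record one attempt for 'key' and return True if it is within the limit."""
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # forget attempts that left the window
        if len(hits) >= self.limit:
            return False    # refused attempts are not recorded here, so the
                            # window does not extend itself; count them instead
                            # if you want a lockout that grows under attack
        hits.append(now)
        return True


# Per-endpoint policies: (limit, window in seconds). Login is keyed on both
# the client address and the target account.
LIMITS = {
    "login_ip": SlidingWindowLimiter(10, 60),
    "login_account": SlidingWindowLimiter(5, 300),
    "signup_ip": SlidingWindowLimiter(3, 3600),
    "export_user": SlidingWindowLimiter(2, 3600),
}


def check_login(ip, account, now=None):
    """Return (allowed, reason). Both the account and the address must be under limit."""
    if not LIMITS["login_account"].allow(account, now):
        return False, "too many attempts on this account"
    if not LIMITS["login_ip"].allow(ip, now):
        return False, "too many attempts from this address"
    return True, "ok"


def check_export(user_id, now=None):
    """Mass exfiltration runs through the export endpoint; keep it to a few per hour."""
    return LIMITS["export_user"].allow(user_id, now)


if __name__ == "__main__":
    start = 1000.0
    for i in range(7):  # constructed: seven password guesses on one account
        print(i, check_login("203.0.113.5", "alice", now=start + i))
```

The reason string is for logs and metrics, not for the client; the HTTP answer is a plain 429 with a Retry-After header, and a login failure under limit should look the same as a wrong password so the limiter does not become an account-existence oracle.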
Flaw 10: Missing security headers (89% of audits — but lower impact)
Absence of Content-Security-Policy, X-Frame-Options (or the CSP frame-ancestors directive that replaces it), and Strict-Transport-Security. Present in almost every audit but with lower security impact than the preceding flaws: these headers harden the browser against clickjacking, injected scripts and protocol downgrade, but they do not close a missing access control.
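Checking these headers is quick to automate, and the check is worth more if it also catches weak values (a one-day HSTS max-age, a CSP that allows 'unsafe-inline' scripts) rather than mere presence. The function below is an added example written for this article, not the article's tooling; it works on a header dictionary so it runs offline, and in practice you feed it the headers of a real response (for instance dict(requests.get(url).headers)). The two sample responses and the severity labels are constructed.

```python
"""Check an HTTP response's security headers and flag weak values.

Added example, not from the article. Header names are compared
case-insensitively, as HTTP requires. The sample responses are constructed.
"""
import re

# Constructed: a bare response and a mostly hardened one.
BAD_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "nginx",
}
BETTER_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000


def check_headers(headers):
    """Return a list of (header, severity, message) findings for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "medium", "missing: first request can be downgraded"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "low", "max-age below one year"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "medium", "missing: no script-source restriction"))
    else:
        # Split into directives keyed by name; script-src falls back to default-src.
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            findings.append(("Content-Security-Policy", "low", f"weak script policy: {script}"))

    frame_protected = "x-frame-options" in h or (csp is not None and "frame-ancestors" in csp)
    if not frame_protected:
        findings.append(("X-Frame-Options", "low", "no X-Frame-Options and no CSP frame-ancestors: clickjacking possible"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "low", "missing or not 'nosniff'"))

    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "info", "missing: full URL sent in Referer to third parties"))

    return findings


if __name__ == "__main__":
    for name, response in (("bad", BAD_RESPONSE), ("better", BETTER_RESPONSE)):
        print(name)
        for header, severity, message in check_headers(response):
            print(f"  [{severity}] {header}: {message}")
```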
What these numbers show
Most of these flaws are not sophisticated attacks. They are configuration oversights, missing access controls, and exposed secrets: all of them avoidable, and all of them visible to an audit. Our External Review (€1,900) identifies the critical flaws. The Full Audit (€4,200) covers this entire list and provides a prioritized remediation plan.