Security Snapshot Evidence Pack
This synthetic fixture shows the client-readable structure without using a customer, production incident or claimed repair. Real reports are written against the authorised scope, observed evidence and agreed test window.
Authorised public-surface review
- Sample date
- 13 July 2026
- Scope
- example.invalid app and webhook
- Review ID
- SYN-SS-001
Scope
Synthetic approved public surface
Evidence
Observed, expected and interpreted
Retest
No repair or successful retest claimed
Example findings
Area
Classification
Evidence, interpretation & action
Evidence status
Public source map
Review finding
MediumObserved request: GET https://app.example.invalid/assets/app.js.map
Observed result: HTTP 200 · application/json
Expected: Production source maps are not publicly retrievable.
Interpretation: The synthetic response exposed source paths and build structure. It does not prove access to credentials or private customer data.
Recommended action: Stop publishing production source maps publicly, or upload them directly to the approved error-monitoring service.
Webhook rejection
Positive control
PassedObserved request: POST https://app.example.invalid/webhooks/stripe · invalid signature
Observed result: HTTP 400 · no state change
Expected: Reject the request before business logic runs.
Interpretation: The synthetic boundary behaved as expected. This is recorded as a positive control, not a vulnerability finding.
Recommended action: Keep signature verification before event processing and preserve delivery-history evidence.
Authenticated roles
Coverage limitation
Not testedObserved request: No credentials or test accounts supplied
Observed result: Logged-in routes excluded
Expected: Credentialed testing requires separate written scope and test accounts.
Interpretation: The public-surface review cannot prove role separation, IDOR resistance or logged-in business-logic controls.
Recommended action: Use a separately authorised credentialed review if role and permission boundaries need evidence.
Positive controls
The synthetic invalid-signature request was rejected before business logic ran. A real report records the response evidence and explains what that positive result does and does not prove.
Limitations
A public-surface review does not prove IDOR resistance, role separation, logged-in business logic or permission boundaries. Those require separate written approval and suitable test accounts.
Synthetic retest record
No successful fix is implied by this sample
Before
Source map returned HTTP 200 in the synthetic fixture.
Change
No production change was performed.
After
Not retested.
Decision
Open example finding; no closure claim.