
Exposed Debug & Admin Routes

Admin Safety · ADM-08 · Priority: P0

Why It Matters

AI code generators create debug endpoints, test routes, and admin panels during development — and leave them in the production build. These routes often have no authentication, expose internal state, and provide direct database access or user management capabilities.

Wiz Research specifically flagged "publicly facing internal applications — admin panels and chatbots deployed without authentication" as one of four primary security pitfalls in vibe-coded apps. Escape.tech's scan of 5,600 AI-built apps found thousands of exposed internal endpoints.

Priority: P0 — Unprotected admin routes give attackers full application control.

Affected Stack: Next.js, any framework with API routes


The Problem

Common patterns AI tools generate and leave exposed:

/api/debug              — Returns environment variables, DB connection info
/api/test               — Bypasses auth for testing
/api/admin/users        — Lists all users without auth check
/api/seed               — Populates database with test data
/api/reset              — Resets application state
/admin                  — Admin dashboard with no auth gate

// ❌ Debug endpoint left in production
export async function GET() {
  return Response.json({
    env: process.env,                 // Exposes all secrets!
    dbUrl: process.env.DATABASE_URL,  // Connection string, including credentials
    users: await db.users.count(),
  });
}

The Fix

1. Remove or protect debug routes before production

// ✅ Environment-gated debug endpoint
export async function GET(req: Request) {
  if (process.env.NODE_ENV === 'production') {
    return new Response('Not found', { status: 404 });
  }
  // Debug info only in development...
}

2. Auth-gate all admin routes

// ✅ Admin route with auth + role check
// getVerifiedAdmin() must validate the session AND confirm the admin role;
// a truthy return means both checks passed.
export async function GET(req: Request) {
  const admin = await getVerifiedAdmin(req);
  if (!admin) return new Response('Forbidden', { status: 403 });

  // supabase-js resolves to { data, error }; return only the rows, never the raw envelope
  const { data: users, error } = await supabase.from('users').select('id, email, role');
  if (error) return new Response('Internal error', { status: 500 });
  return Response.json(users);
}

3. Audit your route tree

Regularly scan your app/api/ directory for routes that lack auth middleware. Common dangerous patterns:

  • Any route whose path contains debug, test, seed, reset or admin and has no auth check
  • Routes that return process.env or database connection details
  • Routes with // TODO: add auth comments
