ISO 27001:2022 A.8.25
Secure development life cycle
UnveilScan findings mapped to this control
UnveilScan emits two distinct findings mapped to this control. Click "Scan a domain" below to see which of them currently apply to your site, each with copy-paste remediation snippets (nginx, Apache, BIND DNS, web-server config).
web.csrf_token_missing
⏱ 2h
WEB — CSRF token missing
Risk if ignored: without a per-session anti-CSRF token, a hostile third-party page can make an authenticated user's browser submit state-changing POST requests (the browser attaches the session cookie automatically), and the server performs those actions on that user's behalf.
security
Also maps to 2 other controls
web.graphql_introspection_open
⏱ 2h
WEB — GraphQL introspection open
Risk if ignored: with introspection enabled on a production endpoint, an attacker can query __schema to enumerate every type, field, mutation and argument, including undocumented or internal ones, which accelerates every subsequent attack.
security
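As an added example (not UnveilScan's code), a gate that refuses introspection queries on a production GraphQL endpoint without depending on the graphql package: it scans the document for the `__schema` and `__type` entry points while skipping string literals, comments and variables, so aliased or commented queries are still caught and a string argument that happens to contain `__schema` is not. The request body shape, the `env` switch and the error message are assumptions made for the demonstration.

```javascript
// Added example, not UnveilScan code: block GraphQL introspection in production.
// Body shape { query, variables } and the env switch are assumptions.

// Lexically scan a GraphQL document and collect Name tokens, skipping string
// literals, block strings, comments and variable names so that a string
// argument containing "__schema" or a variable named $__type is not counted.
function graphqlNames(doc) {
  const names = [];
  let i = 0;
  while (i < doc.length) {
    const c = doc[i];
    if (c === '#') {                          // comment runs to end of line
      while (i < doc.length && doc[i] !== '\n') i++;
    } else if (doc.startsWith('"""', i)) {    // block string
      i += 3;
      while (i < doc.length && !doc.startsWith('"""', i)) i++;
      i += 3;
    } else if (c === '"') {                   // string literal, honouring escapes
      i++;
      while (i < doc.length && doc[i] !== '"') i += doc[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '$') {                   // variable: skip its name
      i++;
      while (i < doc.length && /[_0-9A-Za-z]/.test(doc[i])) i++;
    } else if (/[_A-Za-z]/.test(c)) {         // Name token
      let j = i;
      while (j < doc.length && /[_0-9A-Za-z]/.test(doc[j])) j++;
      names.push(doc.slice(i, j));
      i = j;
    } else {
      i++;
    }
  }
  return names;
}

// __schema and __type are the introspection entry points. __typename is a
// per-object meta field that clients request routinely and must stay allowed.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

function isIntrospectionQuery(doc) {
  return graphqlNames(doc).some((n) => INTROSPECTION_FIELDS.has(n));
}

// Gate a parsed POST body before it reaches the executor.
// Assumption: env is 'production' or 'development'.
function gateGraphqlRequest(body, env) {
  if (!body || typeof body.query !== 'string') {
    return { status: 400, errors: [{ message: 'Must provide query string.' }] };
  }
  if (env === 'production' && isIntrospectionQuery(body.query)) {
    return { status: 400, errors: [{ message: 'GraphQL introspection is not allowed in production.' }] };
  }
  return { status: 200, forwarded: true };
}

// Constructed sample documents exercising the gate.
const SAMPLES = {
  classic: 'query IntrospectionQuery { __schema { types { name } } }',
  aliased: '{ # harmless comment\n  s: __schema { queryType { name } } }',
  typeLookup: '{ __type(name: "User") { fields { name } } }',
  stringArg: 'query { user(id: "__schema") { id __typename } }',
  variable: 'query($__type: String) { user(id: $__type) { id } }',
};

function demo() {
  const out = {};
  for (const [k, q] of Object.entries(SAMPLES)) {
    out[k] = gateGraphqlRequest({ query: q }, 'production').status;
  }
  out.classicInDev = gateGraphqlRequest({ query: SAMPLES.classic }, 'development').status;
  return out;
}
```

If the server runs the reference graphql-js implementation, its exported `NoSchemaIntrospectionCustomRule` validation rule does the same job at the AST level and is the better choice; the lexical gate above is for stacks where that validation hook is not available. Disabling introspection hides the schema from casual enumeration but does not replace field-level authorisation, and field-name suggestions in error messages can still leak names.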