🚪 The forgotten endpoint
Broken user authentication
Your developer proudly shows you the new admin dashboard they built over the weekend with real-time revenue reports.
Monday morning, a customer emails asking why they can see your company's financial data when they visit a random URL they found.
You test the URL: /api/admin/reports and your stomach drops - it returns detailed revenue, customer counts, and profit margins.
No login required. No API key needed. Anyone with the URL can see your most sensitive business metrics.
Technical Issue: The new API endpoint was added without any authentication check. The login screen only gates the frontend; it is not enforced on the API, so a direct request to /api/admin/reports bypasses it entirely and anyone who discovers the URL gets the data. The fix is to enforce authentication (and an authorization check for the admin role) on the server for every API route, preferably bound to a whole path prefix such as /api/admin/ so that the next endpoint written over a weekend is protected by default rather than depending on the developer remembering to add a check.
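An added example, not code from the original page: the unprotected route as described above beside a deny-by-default fix, using a hypothetical mini router (not a real framework) so it runs offline. The session tokens, role names and report figures are constructed, and the `unprotected_routes` audit helper is an assumption about how such a check could be written.

```python
"""Added example (not from the original page): the missing-auth bug
beside a deny-by-default fix. Router is a hypothetical mini framework;
session tokens and report numbers are constructed."""
import hmac
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
Handler = Callable[[dict], Response]

# Constructed session store: bearer token -> user record.
SESSIONS: Dict[str, dict] = {
    "tok-admin-1": {"user": "alice", "role": "admin"},
    "tok-user-7": {"user": "bob", "role": "customer"},
}


def report_handler(req: dict) -> Response:
    """The weekend dashboard endpoint; the numbers are constructed."""
    return 200, {"revenue": 1_250_000, "customers": 4_812, "margin": 0.31}


def lookup_session(req: dict) -> Optional[dict]:
    """Resolve 'Authorization: Bearer <token>' to a user record, or None."""
    auth = req.get("headers", {}).get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison so token guessing cannot lean on timing.
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def require_role(role: str) -> Callable[[Handler], Handler]:
    """Middleware: 401 for no/invalid session, 403 for the wrong role."""
    def middleware(handler: Handler) -> Handler:
        def wrapped(req: dict) -> Response:
            user = lookup_session(req)
            if user is None:
                return 401, {"error": "authentication required"}
            if user["role"] != role:
                return 403, {"error": "forbidden"}
            req["user"] = user
            return handler(req)
        return wrapped
    return middleware


class Router:
    """Hypothetical router. Middleware is bound to path prefixes, so every
    route under a protected prefix is covered whether or not the developer
    remembered to add a check inside that particular handler."""

    def __init__(self, prefix_middleware: Optional[Dict[str, Callable]] = None):
        self.routes: Dict[str, Handler] = {}
        self.prefix_middleware = prefix_middleware or {}

    def add(self, path: str, handler: Handler) -> None:
        self.routes[path] = handler

    def dispatch(self, req: dict) -> Response:
        handler = self.routes.get(req["path"])
        if handler is None:
            return 404, {"error": "not found"}
        for prefix, mw in self.prefix_middleware.items():
            if req["path"].startswith(prefix):
                handler = mw(handler)
        return handler(req)

    def unprotected_routes(self) -> list:
        """Audit helper (assumed): routes that no protected prefix covers."""
        return sorted(p for p in self.routes
                      if not any(p.startswith(pre) for pre in self.prefix_middleware))


def vulnerable_app() -> Router:
    """The weekend build: handler registered, no authentication anywhere."""
    app = Router()
    app.add("/api/admin/reports", report_handler)
    return app


def hardened_app() -> Router:
    """Fix: auth bound to the whole /api/admin/ prefix, not to one handler."""
    app = Router(prefix_middleware={"/api/admin/": require_role("admin")})
    app.add("/api/admin/reports", report_handler)
    app.add("/api/admin/customers", lambda req: (200, {"count": 4_812}))  # covered too
    return app


if __name__ == "__main__":
    anon = {"path": "/api/admin/reports", "headers": {}}
    print("vulnerable:", vulnerable_app().dispatch(dict(anon)))
    print("hardened:  ", hardened_app().dispatch(dict(anon)))
    print("routes with no auth in vulnerable app:", vulnerable_app().unprotected_routes())
```

The same check applies to a real deployment: a request with no credentials, for example `curl -si https://<your-host>/api/admin/reports` with no Authorization header, should come back 401, never 200, and a request with a non-admin session should come back 403. Registering the middleware on the prefix rather than in each handler is what turns "forgot to add auth" from a data leak into a route that is simply denied.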