Missing auth middleware, insecure sessions, broken access control, CSRF gaps, and token vulnerabilities. AuthAudit finds them all before attackers do.
Broken access control sits at #1 on the OWASP Top 10 (2021), and identification and authentication failures are on the same list. One missing middleware, one unprotected route, one IDOR endpoint is all it takes. AuthAudit catches these patterns statically, so you don't ship them to production.
One command to add AuthAudit to your ClawHub toolchain. No config files needed.
AuthAudit analyzes your routes, middleware, sessions, tokens, and form handlers for 90 auth anti-patterns.
Every finding includes a severity level, rule ID, file location, and actionable remediation guidance.
Run in CI to enforce auth standards on every PR. No broken auth reaches production.
90 rules across 6 critical auth security categories
Missing authentication middleware, unprotected routes, absent login guards, endpoints accessible without any auth verification.
Insecure session configuration, missing expiry policies, absent session rotation after login, predictable session IDs, and cookie misconfigurations.
IDOR vulnerabilities, missing role-based access checks, privilege escalation paths, absent object-level authorization on resource endpoints.
JWTs stored in localStorage, tokens passed in URLs, weak signing configuration (the none algorithm accepted, or HS256 with short or guessable secrets), missing expiration claims.
Missing CSRF tokens on state-changing forms, absent SameSite cookie attributes, GET endpoints with side effects, missing Origin header checks.
Weak password requirements, passwords stored or compared in plaintext instead of hashed, missing rate limiting on login, absent account lockout policies, insecure reset flows.
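To make the first two categories concrete, here is a simplified, line-based check of the kind a rule engine runs, written for this page as an added example. It is not AuthAudit's code or output format: the rule IDs (AUTH-001, SESS-001), severity labels, the middleware allowlist, the public-path allowlist and the sample Express source are all constructed for illustration.

```javascript
// Added example: a deliberately simplified static check for two anti-pattern
// categories (routes without auth middleware, session cookies without hardening
// flags). Illustrative only: rule IDs, severities, middleware names and the
// sample source are constructed and are not AuthAudit's own rules.

// Identifiers treated as authentication middleware (hypothetical allowlist; a
// real rule would resolve these through the project's imports).
const AUTH_MIDDLEWARE = ['requireAuth', 'authenticate', 'ensureLoggedIn', 'passport.authenticate'];

// Paths that are legitimately anonymous (hypothetical allowlist).
const PUBLIC_PATHS = new Set(['/health', '/login', '/logout', '/signup']);

// Methods that change state; an unprotected one is rated higher.
const STATE_CHANGING = new Set(['post', 'put', 'patch', 'delete']);

// app.get('/path', mw1, mw2, handler) on one line: captures method, quote, path, rest.
const ROUTE_RE = /^\s*(?:app|router)\.(get|post|put|patch|delete|all)\(\s*(['"])([^'"]+)\2\s*,\s*(.*)$/;
// Start of an inline handler: "(req, res) =>", "function (", "async (".
const INLINE_HANDLER_RE = /(?:^|,)\s*(?:\(|function\b|async\b)/;
// cookie: { ... } inside a session() config.
const COOKIE_RE = /\bcookie\s*:\s*\{([^}]*)\}/;

function isAuthMiddleware(name) {
  return AUTH_MIDDLEWARE.some((m) => name === m || name.startsWith(m + '('));
}

// The argument list after the path, cut at the first inline handler, gives the
// middleware chain that runs before the handler.
function middlewareChain(rest) {
  const m = INLINE_HANDLER_RE.exec(rest);
  const chain = m ? rest.slice(0, m.index) : rest.replace(/\)\s*;?\s*$/, '');
  return chain.split(',').map((s) => s.trim()).filter(Boolean);
}

// AUTH-001 (hypothetical): route registered without any auth middleware.
function checkRoute(line, lineNo) {
  const m = ROUTE_RE.exec(line);
  if (!m) return null;
  const [, method, , path, rest] = m;
  if (PUBLIC_PATHS.has(path)) return null;
  if (middlewareChain(rest).some(isAuthMiddleware)) return null;
  return {
    ruleId: 'AUTH-001',
    severity: STATE_CHANGING.has(method) ? 'HIGH' : 'MEDIUM',
    line: lineNo,
    message: `${method.toUpperCase()} ${path} is registered without authentication middleware`,
    remediation: 'Add the auth middleware before the handler, or list the path as intentionally public.',
  };
}

// SESS-001 (hypothetical): session cookie missing hardening flags.
function checkSessionCookie(line, lineNo) {
  const m = COOKIE_RE.exec(line);
  if (!m) return null;
  const opts = m[1];
  const missing = [];
  // express-session defaults httpOnly to true, so only the flags that default
  // to insecure (secure) or unset (sameSite) are checked here.
  if (!/\bsecure\s*:\s*true\b/.test(opts)) missing.push('secure: true');
  if (!/\bsameSite\s*:/.test(opts)) missing.push('sameSite');
  if (missing.length === 0) return null;
  return {
    ruleId: 'SESS-001',
    severity: 'HIGH',
    line: lineNo,
    message: `session cookie is missing ${missing.join(', ')}`,
    remediation: "Set cookie: { secure: true, sameSite: 'lax' } (or 'strict') so the cookie is never sent over HTTP or on cross-site requests.",
  };
}

// Run every check over every line; returns findings in source order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const check of [checkRoute, checkSessionCookie]) {
      const f = check(line, i + 1);
      if (f) findings.push(f);
    }
  });
  return findings;
}

// Constructed sample: one hardened route, two unprotected ones, one weak cookie config.
const SAMPLE_SOURCE = [
  "const express = require('express');",
  "const session = require('express-session');",
  'const app = express();',
  'app.use(session({ secret: process.env.SESSION_SECRET, cookie: { maxAge: 3600000 } }));',
  "app.get('/health', (req, res) => res.send('ok'));",
  "app.get('/api/users/:id', (req, res) => res.json(db.users.get(req.params.id)));",
  "app.post('/api/users/:id/email', requireAuth, (req, res) => { db.users.setEmail(req.params.id, req.body.email); res.sendStatus(204); });",
  "app.delete('/api/users/:id', (req, res) => db.users.delete(req.params.id));",
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`[${f.severity}] ${f.ruleId} line ${f.line}: ${f.message}\n  fix: ${f.remediation}`);
}
```

On the sample this reports three findings: the session cookie on line 4 (no secure or sameSite), the unprotected GET on line 6 (MEDIUM) and the unprotected DELETE on line 8 (HIGH); the /health probe is skipped by the allowlist and the POST guarded by requireAuth passes. The line-based regexes are the shortcut here: a production analyzer parses the source into an AST, follows imports to know which identifiers are really auth middleware, and handles route registrations split across lines and routers mounted under app.use().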
| Feature | Free | Pro | Team |
|---|---|---|---|
| Auth rules | 15 basic | All 90 | All 90 |
| Categories | 2 (Auth + Password) | All 6 | All 6 |
| Files per scan | 10 | Unlimited | Unlimited |
| Severity scoring | ✓ | ✓ | ✓ |
| Remediation guidance | ✗ | ✓ Per-finding fixes | ✓ Per-finding fixes |
| HTML & JSON reports | ✗ | ✓ | ✓ |
| SARIF output for CI | ✗ | ✓ | ✓ |
| Pre-commit hooks | ✗ | ✓ | ✓ |
| Framework-specific rules | ✗ | ✓ Express, Next, Django, Rails | ✓ All frameworks |
| Custom rule authoring | ✗ | ✗ | ✓ |
| Team policy enforcement | ✗ | ✗ | ✓ |
| Baseline allowlisting | ✗ | ✗ | ✓ |
| Compliance mapping (OWASP) | ✗ | ✗ | ✓ |
| Support | Community | Priority + Slack |
Start auditing for free. Upgrade when your attack surface demands it.
New rules, framework support, and security advisories. No spam. Unsubscribe anytime.
Install AuthAudit in 30 seconds. Catch every missing middleware, insecure session, and broken access check before it reaches production.