PDF Playbook Key Stats
The PDF identifies 8 critical vulnerability classes commonly found in AI-generated code. Sterling's audit confirmed every single one exists across our Cloudflare Pages projects. The most dangerous: hardcoded secrets, wildcard CORS, missing auth, and error message leakage.
Hardening Progress
| Project | Status | Date |
|---|---|---|
| Command Center | Hardened | Jul 10 |
| Stevens Family Planner | Hardened | Jul 10 |
| Core Forum Hub | Hardened | Jul 11 |
| DugoutReady Feedback | Hardened | Jul 11 |
| DugoutReady Survey | Hardened | Jul 11 |
| OA Website Redesign | Hardcoded Password | Pending |
| Sterling Task Activation | Exposed Secret | Pending |
| OA Client Dashboards | Auth Bypassed | Pending |
| NYO Football Schedule | No Auth on SMS | Pending |
| AI MBA Portal | Wildcard CORS | Pending |
| AI Quickstart | CORS + Error Leaks | Pending |
| Brad's Brain Dump | 13 Files Need Fixes | Pending |
| Brad's Brain Tabs | Hardcoded JWT | Pending |
| Sterling Social Approval | Wildcard CORS | Pending |
| Tmp Social Approval | Wildcard CORS | Pending |
| KW VA Assessment | No Auth + Leaks | Pending |
| Deb's Swim School Dashboard | CORS + Error Leaks | Pending |
| Deb's Swim School Referral | Wildcard CORS | Pending |
| Forum Update Builder | Needs Audit | Pending |
Additional Finding: CC & SFP Error Leaks
err.message / e.message being returned to the client across 44 files. These need to be sanitized to 'Internal error'.
PDF Vulnerability Classes vs. Our Apps
Every vulnerability class the PDF flagged was found in our codebase. Here's the detailed cross-check:
| Vulnerability Class | PDF Warning | Our Status | Severity |
|---|---|---|---|
| Hardcoded Secrets / API Keys | "Common enough to treat as a default assumption" | FOUND — 3 instances: sterling-task-activation (auth token in backend AND client HTML), brads-brain-tabs (Monday.com JWT), oa-website-redesign (plaintext password "bradstevens") | Critical |
| Missing Authorization (IDOR/BOLA) | "Single hardest class for scanners to catch" | FOUND — oa-client-dashboards auth middleware completely bypassed. Multiple projects have no auth on data endpoints. | Critical |
| Misconfigured CORS (wildcard *) | Listed as top vulnerability category | FOUND — 57 API files across 14 projects use Access-Control-Allow-Origin: '*' |
Critical |
| Error Message Leakage | Exposes internal implementation details | FOUND — 88+ instances of err.message returned to client across all projects including "hardened" CC and SFP |
High |
| Missing Rate Limiting | "Login endpoints open to brute force, APIs open to scraping/abuse" | PARTIAL — Rate limiting added to CFH login, DugoutReady. Missing on all other projects. | High |
| SQL Injection | "Always use .bind() parameters, never string interpolation" | PASS — All D1 queries use parameterized .bind(). No string concatenation found. | Clean |
| Secrets in wrangler.toml | "Secrets placed in wrangler.toml instead of encrypted Worker Secrets" | PASS — wrangler.toml files only contain non-secret config (database IDs, KV namespace IDs). Actual secrets use env bindings. | Clean |
| XSS from Unsanitized Input | Rendering user input to pages without escaping | Low Risk — Most apps are SPAs that set innerHTML in controlled contexts. No server-rendered user content. Some risk in forum/feedback displays. | Medium |
| Exposed Database Endpoints | "Databases deployed with no row-level security" | PARTIAL — D1 queries generally enforce user context, but some endpoints return all data without filtering (brads-brain-dump, sterling-task-activation GET). | High |
| Dependency Vulnerabilities / Slopsquatting | "~20% of AI code recommends packages that don't exist" | LOW RISK — Cloudflare Pages/Workers use minimal dependencies. Most apps are vanilla JS with no npm packages beyond wrangler. | Low |
COPPA Compliance Alert
SFP is currently a private family tool (not public-facing), which limits COPPA exposure. However, if it were ever shared or made accessible to others, a COPPA review would be mandatory. The PDF recommends: privacy attorney review, verifiable parental consent mechanism, data retention/deletion policies, and no sharing children's data with third parties. Current risk: Low (private use only). Future risk: High if ever made public.
Complete Project Inventory
| Project | API Files | Hardcoded Secrets | Wildcard CORS | Error Leaks | Auth | Rate Limit | Headers |
|---|---|---|---|---|---|---|---|
| Command Center | 40+ | Clean | Locked | 83 leaks | Yes | Yes | Yes |
| Stevens Family Planner | 15+ | Clean | Locked | 5 leaks | Yes | Yes | Yes |
| Core Forum Hub | 18 | Clean | Locked | Clean | Yes | Yes | Yes |
| DugoutReady Feedback | 3 | Clean | Locked | Clean | Admin | Yes | Yes |
| DugoutReady Survey | 1 | Clean | Locked | Clean | Public Form | Yes | Yes |
| OA Website Redesign | 3 | PASSWORD | * | 1 leak | Hardcoded | No | No |
| Sterling Task Activation | 1 | TOKEN | * | 1 leak | Partial | No | No |
| OA Client Dashboards | 10+ | Clean | N/A | Clean | BYPASSED | No | No |
| Brad's Brain Tabs | 2 | JWT | * | 2 leaks | No | No | No |
| NYO Football Schedule | 1 | Clean | * | 1 leak | No | No | No |
| AI MBA Portal | 5 | Clean | * | Clean | Yes | No | No |
| AI Quickstart | 7 | Clean | * | 4 leaks | Yes | No | No |
| Brad's Brain Dump | 13 | Clean | * | 3 leaks | No | No | No |
| Sterling Social Approval | 4 | Clean | * | Clean | Yes | No | Partial |
| Tmp Social Approval | 2 | Clean | * | Clean | Yes | No | No |
| KW VA Assessment | 1 | Clean | * | 1 leak | No | No | No |
| Deb's Swim Dashboard | 4 | Clean | * | 4 leaks | No | No | No |
| Deb's Swim Referral | 1 | Clean | * | Clean | No | No | No |
| Forum Update Builder | 3 | TBD | * | TBD | TBD | No | No |
| OA Recruit Chat | 1 | Backend URL | * | N/A | No | No | No |
Sterling's Fix Plan — Priority Order
Phase 1: Critical Fixes (Immediate)
- CFH: Remove all hardcoded secrets — Moved APP_SECRET and API_KEY to Cloudflare Worker Secrets. 18 files rewritten.
- sterling-task-activation: Remove hardcoded auth token — Token exposed in BOTH backend JS and client HTML. Move to Worker Secret.
- brads-brain-tabs: Remove hardcoded Monday.com JWT — Full JWT token in source code. Move to Worker Secret.
- oa-website-redesign: Remove hardcoded password "bradstevens" — Plaintext password in results.js. Move to env hash.
- oa-client-dashboards: Re-enable auth middleware — Auth completely bypassed per July 9 directive. Need Brad's decision on re-enabling.
Phase 2: High-Severity Fixes
- Lock CORS on CFH, DugoutReady (2 projects) — Changed from wildcard to specific origins.
- Lock CORS on remaining 12 projects — 57 files still use wildcard CORS. Each needs domain-specific allowlist.
- Sanitize ALL error messages — 88+ instances across CC, SFP, and all other projects. Change
err.messageto'Internal error'. - Add auth to nyo-football-schedule SMS endpoint — Currently anyone can trigger SMS sends to arbitrary numbers.
Phase 3: Medium-Severity Hardening
- Add rate limiting to ALL login endpoints — ai-mba-portal, ai-quickstart, oa-client-dashboards, forum-update-builder
- Add rate limiting to ALL public submission endpoints — kw-va-assessment, debs-swim-school-referral
- Add security headers (_headers files) to ALL 14 remaining projects
- Input validation on all form submissions — Type, length, format checks
Phase 4: Edge Security (Cloudflare Features)
- Enable Cloudflare WAF — Managed Ruleset + OWASP Core Ruleset on all domains
- Add Turnstile to public forms — Free CAPTCHA replacement for signup/feedback/survey forms
- Enable Cloudflare Access on admin panels — Free for up to 50 users
- Enable Bot Fight Mode — Free automated bot mitigation on all domains
Phase 5: Ongoing / Professional
- Set up GitGuardian pre-commit hooks — Prevent secrets from ever reaching the repo
- Set up Semgrep CI scanning — Static analysis on every code change
- Commission professional pentest — Before launching dugoutready.com ($5-15K)
- Recurring weekly security scan — Automated sweep of all projects for regressions
Recommended Security Stack
Based on the PDF's recommendations, mapped to our specific setup. Ordered by impact-per-dollar.
Layer 1: Free / Already Available
Layer 2: Low-Cost Essentials
Layer 3: All-in-One Option
Layer 4: Professional Pentesting
Recommended Monthly Budget
| Tier | What You Get | Monthly Cost |
|---|---|---|
| Minimum Viable Security | Cloudflare WAF/Turnstile/Access + GitGuardian + Semgrep CLI + Claude /security-review | $0/mo |
| Recommended (Solo Founder) | Above + Semgrep Team + CodeRabbit + StackHawk (1 app) | $65-165/mo |
| Comprehensive | Aikido all-in-one (replaces individual tools) + Cloudflare edge security | $350/mo |
| + Annual Pentest | Professional human penetration test (1-2 apps/year) | $5,000-15,000/yr |
Sequential Execution Plan
Post-Build Security Testing Sequence
Every time Sterling builds or significantly modifies an app, this sequence runs before deployment:
| Step | What | Tool | Pass Criteria |
|---|---|---|---|
| 1 | Secret scan | GitGuardian / grep | Zero hardcoded secrets in source |
| 2 | CORS check | grep for wildcard '*' | Zero wildcard CORS in API files |
| 3 | Error leak check | grep for err.message | Zero error message leaks |
| 4 | Auth verification | curl without token | All protected endpoints return 401 |
| 5 | Rate limit test | rapid curl loop | Login endpoints block after 5 attempts |
| 6 | SQL injection check | grep for string interpolation in queries | All queries use .bind() parameters |
| 7 | Headers verification | curl -I | All 6 security headers present |
| 8 | DAST scan | OWASP ZAP / StackHawk | Zero high/critical findings |