- An "End of the World" permission in the production build
- Lack of Content Security Policy (CSP) headers
- Absence of both automated and manual testing
- Use of hard-coded credentials
- Lack of defenses against supply chain attacks
- Unsafe database and authentication access
- Improper exception logging
- Unsanitized query inputs