Clean Reference

ref0 (Clean Reference)

A control site with no intentional issues. Authentication is required, inputs are validated, secrets are server-side, and security headers are set. Any finding here is a false positive.

Back to hub Reload scenario

Reference probe

Expected Findings

All sensitive endpoints require authentication and return 401 without it.
Cookies are set HttpOnly, Secure, and SameSite=Lax.
Responses include CSP, HSTS, X-Frame-Options, and X-Content-Type-Options.
No secrets, debug data, or stack traces are returned to clients.

Primary Flows

Health Public, returns minimal status only
Profile (auth required) 401 without a valid session
User by ID (auth required) 401 without a valid session
Login Validates input, returns generic errors
robots.txt No sensitive paths disclosed

Signals

Headers

Content-Security-Policy: default-src 'self'; script-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Set-Cookie: session=...; HttpOnly; Secure; SameSite=Lax

Notes

Use this scenario as a true-negative control. A scanner that flags issues here is producing false positives.