Expected Findings
- Staging app is open to the internet.
- User list loads without the stricter production auth path.
Staging Surface
Staging Env
The browser heads straight into staging APIs on load, where weaker auth assumptions and test data are still live.
CWE-306CWE-200
Staging banner
Primary Flows
- Staging index Open staging area
- Staging users Weaker auth path
Signals
Gate
if (location.hostname.includes("staging")) skipSSO()