Security hygiene (Addendum B)
Flow-level security checks and coded-flow analysis.
The Security Hygiene panel (Insights → Design–Code Gap, Accessibility & Security) surfaces flow-level checks: auth flow completeness, destructive-action confirmation, and error handling.
For Figma-only analyses, the panel shows only the flow-level checks, where the flow gives enough context to apply them. The full coded-flow security set (HTTP headers, OWASP-aligned checks) appears when you analyze a live app via Capture (Addendum B v4).
Flow-level checks
- Auth flow completeness (login, logout, session handling)
- Destructive-action confirmation (delete, bulk ops, irreversible steps)
- Error handling (no raw API/stack traces exposed to users)
Coded-flow checks (v4)
For coded flows (captured with the browser extension), Blue Painter adds:
- HTTP security headers (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy), reported as a pass/fail checklist
- OWASP Top 10–aligned surface checks: broken access control, security misconfiguration, error leakage
- Secure UX patterns: validation on critical inputs, confirmation on sensitive actions, user-safe error messages
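The header checklist above, as an added example that is not Blue Painter's own code: it evaluates the six essential headers over a constructed response-header object and returns one pass/fail row per header with a reason, plus a summary line in the same shape the Security tab uses. The rule thresholds, the severities, the sample headers and the `checkSecurityHeaders` / `hasCriticalFailure` names are this example's assumptions, not the product's. It also encodes a caveat a practitioner would want: a missing X-Frame-Options is not a failure when the CSP carries a `frame-ancestors` directive, which supersedes it in modern browsers, and a CSP with `'unsafe-inline'` in its script sources counts as present but failing unless a nonce or hash is also set.

```javascript
// Added example, not Blue Painter's own code: a pass/fail checklist for the six
// essential HTTP security headers. Thresholds, severities and function names are
// this example's assumptions. Runs offline on constructed header objects.

// Split a CSP value into { directive: [sources...] }. Directive names are
// lower-cased; source tokens keep their case (nonces are case-sensitive).
function parseCsp(value) {
  const directives = {};
  for (const part of String(value).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Each rule returns null on pass or a short reason string on fail.
// `missingOk` lets an absent header pass when another header covers it.
const ESSENTIAL_HEADERS = [
  {
    name: 'content-security-policy',
    severity: 'critical',
    check: (v) => {
      const csp = parseCsp(v);
      const src = csp['script-src'] || csp['default-src'];
      if (!src) return 'no script-src or default-src directive';
      const nonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (src.includes("'unsafe-inline'") && !nonceOrHash) {
        return "'unsafe-inline' without a nonce or hash gives no XSS protection";
      }
      if (src.includes('*')) return 'script sources allow any origin (*)';
      return null;
    },
  },
  {
    name: 'strict-transport-security',
    severity: 'high',
    check: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return 'missing max-age';
      // One year is the floor deployment guides (and the preload list) expect.
      return Number(m[1]) < 31536000 ? `max-age ${m[1]} is below one year` : null;
    },
  },
  {
    name: 'x-content-type-options',
    severity: 'medium',
    check: (v) => (v.trim().toLowerCase() === 'nosniff' ? null : `expected "nosniff", got "${v}"`),
  },
  {
    name: 'x-frame-options',
    severity: 'medium',
    // CSP frame-ancestors supersedes X-Frame-Options in modern browsers.
    missingOk: (h) => parseCsp(h['content-security-policy'] || '')['frame-ancestors'] !== undefined,
    check: (v) => (['deny', 'sameorigin'].includes(v.trim().toLowerCase())
      ? null : `expected DENY or SAMEORIGIN, got "${v}"`),
  },
  {
    name: 'referrer-policy',
    severity: 'low',
    check: (v) => {
      // Browsers apply the last recognised token of a comma-separated list.
      const policies = v.toLowerCase().split(',').map((s) => s.trim()).filter(Boolean);
      const effective = policies[policies.length - 1];
      if (!effective) return 'empty value';
      const leaky = ['unsafe-url', 'no-referrer-when-downgrade'];
      return leaky.includes(effective) ? `"${effective}" sends the full URL to other origins` : null;
    },
  },
  { name: 'permissions-policy', severity: 'low', check: (v) => (v.trim() ? null : 'empty value') },
];

// Evaluate every rule against a response-header object (names matched
// case-insensitively, as browsers do) and return the checklist plus a summary.
function checkSecurityHeaders(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) headers[name.toLowerCase()] = String(value);
  const results = ESSENTIAL_HEADERS.map((rule) => {
    const value = headers[rule.name];
    let reason;
    if (value === undefined) {
      reason = rule.missingOk && rule.missingOk(headers) ? null : 'header missing';
    } else {
      reason = rule.check(value, headers);
    }
    return { header: rule.name, severity: rule.severity, pass: reason === null, reason };
  });
  const passed = results.filter((r) => r.pass).length;
  return { results, passed, total: results.length,
    summary: `Security headers: ${passed}/${results.length} essential configured` };
}

// Gate predicate of the kind a CI step would use: any failed critical rule blocks.
function hasCriticalFailure(report) {
  return report.results.some((r) => !r.pass && r.severity === 'critical');
}

// Constructed sample responses (not captured from a real app).
const WEAK_RESPONSE_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'unsafe-url',
};
const HARDENED_RESPONSE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-d41d8cd9'; object-src 'none'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

for (const [label, hdrs] of [['weak', WEAK_RESPONSE_HEADERS], ['hardened', HARDENED_RESPONSE_HEADERS]]) {
  const report = checkSecurityHeaders(hdrs);
  console.log(`${label}: ${report.summary}; gate ${hasCriticalFailure(report) ? 'FAIL' : 'pass'}`);
  for (const r of report.results) if (!r.pass) console.log(`  [${r.severity}] ${r.header}: ${r.reason}`);
}
```

The weak sample scores 1/6 (only X-Content-Type-Options passes) and trips the critical gate because the CSP is absent; the hardened sample scores 6/6 even though it sends no X-Frame-Options, because its `frame-ancestors 'none'` covers the same risk. A real capture would feed the live response headers into `checkSecurityHeaders` in place of the constructed objects.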
Security tab in coded flow report (Spec)
The report includes a Security tab with:
- an overall Security Hygiene Score (0–100)
- summary bullets, e.g. "Security headers: 4/6 essential configured; CSP missing", "Error handling: 2 flows show raw server errors", "Access control: Admin route exposed in nav"
- per-issue mapping to a Category (Headers / OWASP / Secure UX), an OWASP reference (e.g. A01:2025), and concrete fix suggestions
CI/CD can optionally gate on basic security hygiene (e.g. no critical security issues).