security · medium impact · tier 1 · 90% confidence
Coupon validation (customer cart) requires SELECT access, but we don't want anyone browsing all coupon codes
from security agent · cross-site verified across production deployments
The trigger
Coupon validation (customer cart) requires SELECT access, but we don't want anyone browsing all coupon codes
The fix
Keep an open SELECT policy (`USING (true)`), but have the server action still enforce the domain logic (active, expiry, max_uses). Protection comes from the obscurity of the codes plus server-side validation.
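A sketch of the server-side half of this fix, added here as an illustration and not taken from the original pattern. The column names `code`, `expires_at` and `used_count`, the helper `findCouponByCode`, uppercase code storage and the uniform error message are assumptions. Because `USING (true)` lets any client read rows, these checks are the actual control.

```javascript
// Added example: server-side coupon validation behind an open SELECT policy.
// Assumed columns: code, active, expires_at, max_uses, used_count.

// Constructed sample rows standing in for the coupons table.
const SAMPLE_COUPONS = [
  { code: "SPRING-7Q2X9K", active: true, expires_at: "2030-01-01T00:00:00Z", max_uses: 100, used_count: 12 },
  { code: "OLD-4M8T1Z", active: true, expires_at: "2020-01-01T00:00:00Z", max_uses: 100, used_count: 3 },
  { code: "OFF-9W3R5P", active: false, expires_at: null, max_uses: null, used_count: 0 },
  { code: "FULL-2H6N8V", active: true, expires_at: null, max_uses: 5, used_count: 5 },
];

// Hypothetical stand-in for the database call: exact match on one code,
// never a list query. In production this is a single-row SELECT.
async function findCouponByCode(code) {
  return SAMPLE_COUPONS.find((c) => c.code === code) ?? null;
}

// Domain checks the server action enforces: active, expiry, max_uses.
function isRedeemable(coupon, now) {
  if (!coupon.active) return false;
  if (coupon.expires_at !== null && new Date(coupon.expires_at) <= now) return false;
  // Assumption: max_uses of null means unlimited.
  if (coupon.max_uses !== null && coupon.used_count >= coupon.max_uses) return false;
  return true;
}

// Returns one generic failure for unknown, inactive, expired and exhausted
// codes, so the response does not confirm that a guessed code exists.
async function validateCoupon(rawCode, now = new Date(), lookup = findCouponByCode) {
  const INVALID = { ok: false, error: "Invalid or expired coupon" };
  if (typeof rawCode !== "string") return INVALID;
  // Assumption: codes are stored uppercase and are at most 64 characters.
  const code = rawCode.trim().toUpperCase();
  if (code.length === 0 || code.length > 64) return INVALID;
  const coupon = await lookup(code);
  if (coupon === null || !isRedeemable(coupon, now)) return INVALID;
  return { ok: true, code: coupon.code };
}
```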