summary
- Total threats: 8
- Critical: 2
- High: 4
- STRIDE coverage: 6/6
scope
Customer-facing SPA backed by a Node.js API, PostgreSQL, Redis, S3, Auth0 IdP, and a Stripe webhook receiver behind a CDN/WAF.
Components: React SPA, NGINX (Reverse Proxy), Node.js API, PostgreSQL, Redis, S3 Bucket, Auth0 IdP, Stripe Webhook Receiver
assets to protect
- User PII
- Payment tokens
- Session data
- Source code
heat map · STRIDE × component
| STRIDE \ Component | React SPA | NGINX (Reverse Proxy) | Node.js API | PostgreSQL | Redis | S3 Bucket | Auth0 IdP | Stripe Webhook Receiver |
|---|---|---|---|---|---|---|---|---|
| S Spoofing | — | — | — | — | — | — | High | Critical |
| T Tampering | — | — | High | — | — | — | — | — |
| R Repudiation | — | — | Medium | — | — | — | — | — |
| I Info Disclosure | — | — | — | — | — | High | — | — |
| D Denial of Service | — | — | Medium | — | — | — | — | — |
| E Elevation of Privilege | Critical | — | — | — | High | — | — | — |
top critical threats
| ID | Severity | Threat | Component |
|---|---|---|---|
| T-001 | Critical | Forged Stripe webhook event | Stripe Webhook Receiver |
| T-002 | Critical | JWT theft via reflected XSS in SPA | React SPA |
| T-003 | High | SQL injection in search endpoint | Node.js API |
| T-004 | High | Public S3 bucket lists user uploads | S3 Bucket |
| T-005 | High | Redis session store unauthenticated on internal network | Redis |
