A focused, hands-on security review by the people who designed UserSpice's auth, permissions, rate limiting, passkey, and 2FA systems. You get findings, severity ratings, and code-level fixes — not a generic checklist.
What gets reviewed
- Authentication & sessions — login flows, password handling, session lifecycle, "remember me" cookies.
- Authorization — page guards, permission checks, role hierarchies, admin surface area.
- Multi-factor & passkeys — TOTP enforcement, WebAuthn / passkey RP configuration.
- Rate limiting & abuse controls — coverage, reverse-proxy detection, IP allow/blocklists.
- Database access — parameterization, injection risk, schema-level concerns.
- File handling — uploads, includes, path traversal, permissions on sensitive files (e.g. totp_key.php).
- Custom code in usersc/ — your overrides, hooks, and additions.
What you get
A written report (Markdown, PDF, or both) organized by severity, with each finding showing: the affected file/line, why it matters, the realistic blast radius, and a recommended fix. For UserSpice-specific findings, we explain whether it is a configuration issue, a custom-code issue, or something we should fix upstream.
You can pair the manual review with our offline UserSpice Security Scanner (shipping alongside 6.1.0), which combines industry-leading scan engines with custom rulesets that understand UserSpice patterns.
Who this is for
- Teams about to launch a UserSpice-based product and wanting a pre-launch sanity check.
- Apps approaching a compliance milestone (SOC 2, HIPAA, internal audit) that need a credible third-party review.
- Site owners who inherited a UserSpice install and want to know what they are sitting on.
- Anyone who has had a security scare and wants a real human to explain the actual risk.