AntiPattern
Trusting Weak Request Signals
weak-request-trust-boundary
Authentication and integrity checks are limited to weak request signals (e.g., IP allowlists, HMAC-only assumptions, or missing tokens/CSRF), so attackers can spoof, replay, or bypass by sending crafted requests that validate superficially but not the real actor.