Completed Threat Model Example
Scenario
This threat model covers an account portal where authenticated users update profile, billing, security settings, sessions, and connected applications.
Assets
| Asset | Risk |
|---|---|
| Session and identity state | Account takeover, confused deputy actions. |
| Billing/profile data | Privacy exposure, unauthorized modification. |
| Connected-app permissions | Overbroad third-party access. |
| Audit log | Loss of accountability. |
| Support request content | Sensitive user-provided data leakage. |
Trust boundaries
Threats and controls
| Threat | Example | Control |
|---|---|---|
| DOM XSS | Support content rendered as HTML | safe renderer, sanitization boundary, CSP, Trusted Types rollout |
| CSRF | State-changing billing update | SameSite cookies, CSRF token where needed, server validation |
| Clickjacking | Account page embedded in hostile frame | frame policy |
| Tabnabbing | External connected-app link | safe opener/referrer policy |
| CORS misuse | Broad origin rule for admin API | allowlist plus server authorization |
| Sensitive storage | Billing data cached in local storage | avoid long-lived sensitive browser storage |
| Duplicate mutation | Retry submits billing change twice | idempotency key and pending state |
| Third-party leakage | Analytics reads sensitive DOM | script register, data minimization, kill switch |
Security header plan
| Header/policy | Initial rollout |
|---|---|
| CSP | report-only first, then enforce for script/frame/connect policies |
| Trusted Types | report-only inventory, compatibility policy, then strict sinks |
| Frame policy | deny except approved embed contexts |
| Referrer policy | strict origin policy |
| Cookie policy | Secure, HttpOnly where applicable, SameSite aligned with auth flow |
Verification
- Automated tests for auth-required routes and role visibility.
- Manual review of raw HTML and markdown sinks.
- CSP report triage during canary.
- Accessibility walkthrough for sensitive forms and confirmation dialogs.
- Incident drill for session expiry during billing update.
Residual risk
Third-party scripts remain a privacy and supply-chain risk. The accepted mitigation is ownership, minimized data exposure, monitoring, and a documented kill switch. This risk expires if scripts lose owners or start handling sensitive account flows.
Source lens
Use this threat model with Part VIII browser attack surface, security architecture, auth/session architecture, and the security/reliability review packet.