Skip to main content

Completed Threat Model Example

Scenario

This threat model covers an account portal where authenticated users update profile, billing, security settings, sessions, and connected applications.

Assets

AssetRisk
Session and identity stateAccount takeover, confused deputy actions.
Billing/profile dataPrivacy exposure, unauthorized modification.
Connected-app permissionsOverbroad third-party access.
Audit logLoss of accountability.
Support request contentSensitive user-provided data leakage.

Trust boundaries

Threats and controls

ThreatExampleControl
DOM XSSSupport content rendered as HTMLsafe renderer, sanitization boundary, CSP, Trusted Types rollout
CSRFState-changing billing updateSameSite cookies, CSRF token where needed, server validation
ClickjackingAccount page embedded in hostile frameframe policy
TabnabbingExternal connected-app linksafe opener/referrer policy
CORS misuseBroad origin rule for admin APIallowlist plus server authorization
Sensitive storageBilling data cached in local storageavoid long-lived sensitive browser storage
Duplicate mutationRetry submits billing change twiceidempotency key and pending state
Third-party leakageAnalytics reads sensitive DOMscript register, data minimization, kill switch

Security header plan

Header/policyInitial rollout
CSPreport-only first, then enforce for script/frame/connect policies
Trusted Typesreport-only inventory, compatibility policy, then strict sinks
Frame policydeny except approved embed contexts
Referrer policystrict origin policy
Cookie policySecure, HttpOnly where applicable, SameSite aligned with auth flow

Verification

  • Automated tests for auth-required routes and role visibility.
  • Manual review of raw HTML and markdown sinks.
  • CSP report triage during canary.
  • Accessibility walkthrough for sensitive forms and confirmation dialogs.
  • Incident drill for session expiry during billing update.

Residual risk

Third-party scripts remain a privacy and supply-chain risk. The accepted mitigation is ownership, minimized data exposure, monitoring, and a documented kill switch. This risk expires if scripts lose owners or start handling sensitive account flows.

Source lens

Use this threat model with Part VIII browser attack surface, security architecture, auth/session architecture, and the security/reliability review packet.