# NestJS Sensitive Route Missing Guard

- ID: nestjs-missing-route-guard
- Severity: CRITICAL
- CWE: Improper Authorization (CWE-285)
- Languages: JavaScript, TypeScript
- Frameworks: nestjs

## Description

Controller methods that perform sensitive operations without a `@UseGuards` decorator allow unauthorized access to create, update, delete, and admin endpoints.

## Detection Message

Controller method '{method}' performs sensitive operation '{operation}' without @UseGuards decorator. This endpoint is publicly accessible.

## Remediation

Add the `@UseGuards` decorator to sensitive endpoints.

```typescript
import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
// Assumed local service module; adjust the path to your project.
import { UserService } from './user.service';

@Controller('users')
export class UserController {
  // Inject the service the handler delegates to.
  constructor(private readonly userService: UserService) {}

  @Delete(':id')
  @UseGuards(AuthGuard('jwt')) // reject requests without a valid JWT before the handler runs
  deleteUser(@Param('id') id: string) {
    return this.userService.delete(id);
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-285/missing-route-guard

## Related Rules

- **Angular Missing Route Guard** [CRITICAL]
- **tRPC Protected Procedure Missing Authentication** [CRITICAL]
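Returning to the check in the Description and Detection Message sections: the following is an added example, not the rule engine's own code and not part of the original page, that scans controller source text and reports the `{method}` and `{operation}` pairs the message template refers to. It assumes one decorator per line; `findUnguardedRoutes`, the verb-to-operation mapping, the "path contains admin" heuristic, and the sample controller are all constructed for illustration.

```javascript
// Added example: heuristic line scanner, not the rule's real implementation.
// Assumes formatted source where every decorator sits on its own line.
const SENSITIVE = { Post: 'create', Put: 'update', Patch: 'update', Delete: 'delete' };

function findUnguardedRoutes(source) {
  const findings = [];
  let pending = [];            // decorators collected since the last declaration
  let classGuarded = false;    // @UseGuards on the class covers every handler in it
  let adminController = false; // controller path mentions "admin" (assumed heuristic)
  for (const raw of source.split('\n')) {
    const line = raw.trim();
    const deco = /^@(\w+)(?:\((.*)\))?/.exec(line);
    if (deco) { pending.push({ name: deco[1], args: deco[2] || '' }); continue; }
    if (/^(?:export\s+)?class\s+\w+/.test(line)) {
      classGuarded = pending.some((d) => d.name === 'UseGuards');
      adminController = pending.some((d) => d.name === 'Controller' && /admin/i.test(d.args));
      pending = [];
      continue;
    }
    const sig = /^(?:async\s+)?(\w+)\s*\(/.exec(line);
    if (!sig) continue;
    const route = pending.find((d) => /^(Get|Post|Put|Patch|Delete)$/.test(d.name));
    const guarded = classGuarded || pending.some((d) => d.name === 'UseGuards');
    pending = [];              // decorators never carry over to the next method
    if (!route || guarded) continue;
    const byPath = adminController || /admin/i.test(route.args) ? 'admin' : null;
    const operation = SENSITIVE[route.name] || byPath;
    if (operation) findings.push({ method: sig[1], operation });
  }
  return findings;
}

// Constructed sample controller source (not from a real project).
const SAMPLE = `
@Controller('users')
export class UserController {
  @Get()
  list() { return this.userService.findAll(); }
  @Delete(':id')
  deleteUser(@Param('id') id: string) { return this.userService.delete(id); }
  @Patch(':id')
  @UseGuards(AuthGuard('jwt'))
  update(@Param('id') id: string) { return this.userService.touch(id); }
  @Get('admin/stats')
  stats() { return this.userService.stats(); }
}`;
console.log(findUnguardedRoutes(SAMPLE));
```

A guard registered globally (for example through `APP_GUARD`) is invisible to a per-file scan like this one, so findings from such a check need to be confirmed against the application's module configuration.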