Glossary

Testing Approach:

- Test every endpoint with different privilege levels
- Attempt Insecure Direct Object Reference (IDOR) by manipulating identifiers
- Check for missing function-level access controls on admin endpoints
- Verify that CORS policies are properly restrictive
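The first three checks above, written as a privilege matrix that runs entirely in-process. This is an added example, not part of the original glossary entry. The toy `handle` router, the users, invoice ids and paths are all constructed for illustration; `enforce=False` models the two access-control gaps and `enforce=True` the corrected checks.

```python
# Constructed sample data: nothing here talks to a real service.
USERS = {"alice": "user", "bob": "user", "root": "admin"}   # name -> role
INVOICES = {1: "alice", 2: "bob"}                            # invoice id -> owner

def handle(user, method, path, enforce=True):
    """Hypothetical router returning an HTTP-style status code."""
    role = USERS.get(user)
    if role is None:
        return 401                                  # unauthenticated caller
    parts = path.strip("/").split("/")
    if parts[0] == "admin":
        # Weak variant checks the role on GET only, so other verbs
        # have no function-level access control.
        if role != "admin" and (enforce or method == "GET"):
            return 403
        return 200
    if parts[0] == "invoices" and len(parts) == 2 and parts[1].isdigit():
        owner = INVOICES.get(int(parts[1]))
        if owner is None:
            return 404
        # Weak variant skips the ownership check, which is the IDOR.
        if enforce and owner != user and role != "admin":
            return 403
        return 200
    return 404

# Expected status for each (caller, verb, path) under the intended policy.
CASES = [
    ("alice",   "GET",    "/invoices/1",  200),  # own object
    ("alice",   "GET",    "/invoices/2",  403),  # identifier changed to bob's
    ("root",    "GET",    "/invoices/2",  200),  # admin may read any invoice
    ("mallory", "GET",    "/invoices/1",  401),  # unknown caller
    ("alice",   "GET",    "/admin/users", 403),
    ("alice",   "DELETE", "/admin/users", 403),  # every verb must be checked
    ("root",    "DELETE", "/admin/users", 200),
]

def audit(enforce):
    """Return the cases whose actual status differs from the expected one."""
    failures = []
    for user, method, path, want in CASES:
        got = handle(user, method, path, enforce=enforce)
        if got != want:
            failures.append((user, method, path, want, got))
    return failures

if __name__ == "__main__":
    for label, enforce in (("weak", False), ("hardened", True)):
        print(label, audit(enforce))
```

Keeping the expected statuses in one table makes the matrix usable as a regression test: a new endpoint or verb gets a row per privilege level before it ships.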
