What Preflyt does

Preflyt is a post-deployment exposure scanner. Paste a URL, get a security report in under 30 seconds. No signup, no install, no agents on your server.

What we check

Exposed files

  • .env and config files
  • .git repositories
  • Backup and database dumps
  • Source maps and dependency files

Server and network

  • Database ports (MySQL, Postgres, Redis, MongoDB)
  • Dev servers and admin panels
  • Debug endpoints
  • Docker and Consul APIs

HTTP hardening

  • Missing security headers (CSP, HSTS)
  • CORS misconfiguration
  • Insecure cookie flags
  • Server version leakage

Exposed environment files

.env files containing database passwords, API keys, and secrets served publicly

Exposed Git repository

.git directory accessible, allowing full source code reconstruction from history

Exposed dependency files

package.json or composer.json revealing exact versions for CVE targeting

Exposed backup and database files

SQL dumps, database exports, or archive files containing your full dataset

Exposed source maps

JavaScript .map files allowing anyone to read original unminified source code

Exposed PHP configuration

phpinfo pages revealing server config, environment variables, and file paths

Exposed Firebase configuration

Firebase project config at well-known paths, risky if security rules are misconfigured

Exposed backend source code

Backend source files (Python, PHP, Node.js, Ruby) publicly accessible in the web root

Exposed database files

Database files (SQLite, .db) publicly downloadable from the web server

Directory listings

Server directories browsable by anyone

Sensitive file exposure

Miscellaneous sensitive files accessible that should be private

Open database ports

Database services like MySQL, PostgreSQL, MongoDB, or Redis accessible from the internet

Exposed dev servers and admin tools

Development servers, Docker APIs, or monitoring tools reachable on non-standard ports

Unprotected admin panels

Admin dashboards accessible without login

Leaking API endpoints

APIs returning user data or credentials to unauthenticated requests

Debug endpoints in production

Development and diagnostic routes left enabled after deployment

Missing security headers

HSTS, X-Frame-Options, Content-Security-Policy, and other protective headers absent

CORS misconfiguration

API allows requests from any website, which can expose user data

Insecure cookie flags

Session cookies missing Secure, HttpOnly, or SameSite flags

Server version leakage

Response headers reveal server software and version to attackers
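
The four HTTP hardening findings above (missing security headers, CORS misconfiguration, insecure cookie flags, server version leakage) can be checked against a single response you control. The following is an added example, not Preflyt's own code; the function name auditHeaders, the finding labels, and the sample response are constructed for illustration, and it assumes header names are already lower-cased and that every cookie is treated as a session cookie.

```javascript
// Added example: audit one response's headers for the HTTP hardening findings.
// probeOrigin is the Origin value you sent with the request, if any.
function auditHeaders(headers, setCookies = [], probeOrigin = null) {
  const findings = [];
  const csp = headers['content-security-policy'] || '';

  if (!headers['strict-transport-security']) findings.push('missing:strict-transport-security');
  if (!csp) findings.push('missing:content-security-policy');
  // frame-ancestors in CSP supersedes X-Frame-Options, so either one suffices.
  if (!headers['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    findings.push('missing:x-frame-options');
  }

  const acao = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'] === 'true';
  if (acao === '*') findings.push('cors:wildcard-origin');
  // Echoing an arbitrary Origin together with credentials is the high-risk case.
  if (probeOrigin && acao === probeOrigin && creds) {
    findings.push('cors:reflected-origin-with-credentials');
  }

  for (const line of setCookies) {
    const [pair, ...attrs] = line.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    for (const flag of ['secure', 'httponly', 'samesite']) {
      if (!flags.has(flag)) findings.push(`cookie:${name}:missing-${flag}`);
    }
  }

  // Only flag headers that carry a version number, not a bare product name.
  for (const name of ['server', 'x-powered-by']) {
    if (/\d+(\.\d+)+/.test(headers[name] || '')) findings.push(`version-leak:${name}`);
  }
  return findings;
}

// Constructed sample response, not captured from any real site.
const sampleHeaders = {
  'server': 'nginx/1.24.0',
  'x-powered-by': 'Express',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'access-control-allow-origin': 'https://untrusted.example',
  'access-control-allow-credentials': 'true',
};
const sampleCookies = ['sid=abc123; Path=/; HttpOnly', 'theme=dark; Secure; HttpOnly; SameSite=Lax'];
const sampleFindings = auditHeaders(sampleHeaders, sampleCookies, 'https://untrusted.example');
console.log(sampleFindings.join('\n'));
```
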

How it works

Preflyt scans your live deployment from the outside - the same way an attacker would see it. All checks are read-only. Nothing is modified, exploited, or stored beyond the scan results.

CLI tool

Run scans from your terminal or CI/CD pipeline with npx preflyt-check. No install needed.

$ npx preflyt-check https://your-site.com

Shareable reports

Every scan can generate a shareable report link. Share it with your team, post it on social media, or keep it as a record. Reports expire after 30 days.

What Preflyt is not

Preflyt does not scan source code. It does not perform penetration testing or exploit vulnerabilities. It does not replace tools like Snyk, Nessus, or Burp Suite. Preflyt catches the obvious deployment mistakes that those tools don't look for - exposed config files, open database ports, missing security headers.

AI agent integration

AI coding agents like Claude Code, Cursor, and OpenClaw can use Preflyt automatically. Add the skill file to your project and your agent runs a scan after every deploy.


No signup. No tracking. No data stored.