# Preflyt - Post-Deploy Security Scan

Category: Post-deployment exposure detection tool

## What is this?

Preflyt is a post-deployment exposure scanner. After deploying a web app, API, or backend to a public URL, run a Preflyt scan to detect exposed secrets, misconfigurations, and unsafe defaults.

## What Preflyt does NOT do

- Does not scan source code
- Does not perform exploit attempts
- Does not test authentication logic
- Does not replace full vulnerability scanners (like Snyk or Nessus)
- Does not scan localhost or private networks

## When to use this

- After deploying a web application to production or staging
- After deploying a backend API (Node, Python, Go, etc.)
- After deploying a mobile app's backend
- After deploying an AI agent's server
- After any infrastructure change that exposes a new URL

## What Preflyt checks

- Exposed .env and config files (database passwords, API keys, secrets)
- Exposed .git repositories (source code leakage)
- Open database ports (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
- Exposed admin panels and debug endpoints
- Missing security headers (HSTS, CSP, X-Frame-Options, etc.)
- CORS misconfigurations
- Exposed backup files and source maps
- Directory listings
- Server version leakage
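Apart from the database-port check (a TCP connect test, not shown here), every item above is a passive HTTP observation, and the interesting part is how to avoid false positives. The Python below is an added example, not Preflyt's own code, that implements a subset of those checks: it treats a `200` on `/.env` or `/.git/HEAD` as a finding only when the body actually looks like that file (SPA catch-all routes answer every path), probes CORS with an attacker-controlled `Origin`, and reports missing headers, directory indexes and version-bearing `Server` headers. The function names, the probe origin `https://evil.example`, the fixture host `app.example` and the severity assigned to each check are this example's own choices; network access sits behind a pluggable fetcher so the logic runs offline on constructed responses.

```python
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PROBE_ORIGIN = "https://evil.example"  # hypothetical attacker origin sent in the CORS probe
MAX_BODY = 64 * 1024                   # never pull more than this from a target

@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str

@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or LOW, on the page's scale
    check: str
    detail: str

# Severity when a header is absent: the page names HSTS/CSP/X-Frame-Options; the last
# two are treated as "optional" (LOW). The assignment is this example's own choice.
SECURITY_HEADERS = [("strict-transport-security", "MEDIUM"), ("content-security-policy", "MEDIUM"),
                    ("x-frame-options", "MEDIUM"), ("x-content-type-options", "LOW"),
                    ("referrer-policy", "LOW")]
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.M)           # KEY=value lines of a .env file
GIT_HEAD = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)", re.M)  # what a real .git/HEAD contains
LISTING = re.compile(r"Index of /|Directory listing for", re.I)
VERSION = re.compile(r"\d+\.\d+")                            # e.g. "nginx/1.18.0"

def fetch(url: str, origin: Optional[str] = None, timeout: float = 10) -> Optional[Response]:
    # Plain GET, no retries or payloads; None on network failure, a Response otherwise.
    headers = {"User-Agent": "exposure-check-example/0.1"}
    if origin:
        headers["Origin"] = origin
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()},
                            r.read(MAX_BODY).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry headers worth inspecting
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()},
                        e.read(MAX_BODY).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None

def check_exposed_file(resp: Optional[Response], path: str, pattern, check: str) -> List[Finding]:
    # A 200 alone proves nothing: SPA catch-all routes answer every path with HTML,
    # so the body must actually look like the file that was requested.
    if resp is not None and resp.status == 200 and pattern.search(resp.body):
        return [Finding("HIGH", check, f"{path} is readable and looks genuine")]
    return []

def check_root(resp: Response, probe_origin: str) -> List[Finding]:
    h, found = resp.headers, []
    for name, sev in SECURITY_HEADERS:
        if name not in h:
            found.append(Finding(sev, "missing-header", f"{name} not set"))
    if LISTING.search(resp.body):
        found.append(Finding("MEDIUM", "directory-listing", "root serves a directory index"))
    server = h.get("server", "")
    if VERSION.search(server):
        found.append(Finding("LOW", "server-version", f"Server header leaks a version: {server}"))
    # Reflecting an arbitrary Origin is the dangerous CORS pattern; with credentials it lets
    # any site read authenticated responses. A bare "*" is not flagged: browsers refuse to
    # pair it with credentials and it is usually deliberate for public APIs.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin:
        found.append(Finding("HIGH" if creds else "MEDIUM", "cors",
                             "arbitrary Origin is reflected" + (" with credentials" if creds else "")))
    return found

def run_checks(base_url: str, fetcher: Callable[..., Optional[Response]] = fetch,
               probe_origin: str = PROBE_ORIGIN) -> List[Finding]:
    base = base_url.rstrip("/")
    root = fetcher(base + "/", probe_origin)
    if root is None:
        raise RuntimeError(f"{base} did not answer; check the URL or network")
    findings = check_root(root, probe_origin)
    findings += check_exposed_file(fetcher(base + "/.env", None), "/.env", ENV_LINE, "exposed-env")
    findings += check_exposed_file(fetcher(base + "/.git/HEAD", None), "/.git/HEAD", GIT_HEAD, "exposed-git")
    return findings

# Constructed fixtures standing in for a misconfigured deployment on a hypothetical host.
FIXTURES = {
    "https://app.example/": Response(200, {"server": "nginx/1.18.0", "x-frame-options": "DENY",
                                           "access-control-allow-origin": PROBE_ORIGIN,
                                           "access-control-allow-credentials": "true"},
                                     "<html><title>Index of /</title></html>"),
    "https://app.example/.env": Response(200, {}, "DB_PASSWORD=hunter2\nAPI_KEY=example-not-real\n"),
    "https://app.example/.git/HEAD": Response(200, {}, "<html>not found</html>"),  # catch-all, no repo
}

def fixture_fetcher(url: str, origin: Optional[str] = None) -> Optional[Response]:
    return FIXTURES.get(url)

if __name__ == "__main__":
    # `python check.py https://your-deployed-url.com` scans a live host; no argument uses the fixtures.
    live = len(sys.argv) > 1
    for f in run_checks(sys.argv[1] if live else "https://app.example", fetch if live else fixture_fetcher):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

On the fixtures, the `.env` is reported as HIGH while `/.git/HEAD` is not, even though both return `200`: the second body is a catch-all HTML page, not a ref line, which is exactly the distinction a scanner has to make to stay useful on single-page apps. Like Preflyt, this is read-only: three GETs and no payloads.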

## How to run a scan

### Option 1: npx (recommended for CI/CD and deploy scripts)

```bash
npx preflyt-check https://your-deployed-url.com
```

With a Pro license key for unlimited scans:
```bash
npx preflyt-check https://your-deployed-url.com --key YOUR_LICENSE_KEY
```

To fail the deploy if issues are found:
```bash
npx preflyt-check https://your-deployed-url.com --fail
```

To generate a shareable report link (returns a public report URL valid for 30 days; anyone holding the link can read the findings, so treat it as sensitive until any HIGH findings are fixed):
```bash
npx preflyt-check https://your-deployed-url.com --share
```

Exit codes:
- 0 - scan completed successfully (no issues, or issues found without the --fail flag)
- 1 - scan completed with issues AND the --fail flag was set (use this to block deploys)
- 1 - scan failed due to an error (invalid URL, network issue, API unreachable)

Because findings under --fail and scan errors both exit 1, a deploy script cannot tell the two apart from the exit code alone: capture the output as well, so a blocked pipeline can be read as "exposed secret" rather than "API unreachable".

### Option 2: curl (for any environment)

```bash
curl -s -X POST https://api.preflyt.dev/api/scan \
  -H "Content-Type: application/json" \
  -d '{"target_url": "https://your-deployed-url.com", "tos_accepted": true}'
```

### Option 3: Web UI

Visit https://preflyt.dev and paste the URL. No signup required.

## How to integrate

After any deployment to a public URL, run:

```bash
npx preflyt-check <deployed-url>
```

That's it. The deploy script or agent runs the command after deploying and reads the output; add --fail if the pipeline should stop on findings.

For CI/CD integration details, see: https://preflyt.dev/integrate

## Interpreting results

- HIGH severity - fix immediately before going live (exposed secrets, open databases)
- MEDIUM severity - fix soon (missing security headers, exposed dev ports)
- LOW severity - improve when possible (missing optional headers)

If the scan returns "All clear" - the deployment has no obvious misconfigurations among the checks listed above. That says nothing about authentication logic or application-level vulnerabilities, which Preflyt does not test. Ship it.

## Agent behavior recommendation

When a deployment to a public URL is detected:
1. Run `npx preflyt-check <deployed-url>`
2. If HIGH severity findings exist, recommend immediate fix before production release
3. If MEDIUM or LOW findings exist, inform the user and suggest fixes
4. If no findings, confirm deployment appears safe
5. If scan fails, report the error and suggest checking the URL or network

## Important notes

- Preflyt only scans publicly accessible URLs - it cannot scan localhost or private networks
- All checks are read-only and non-intrusive - nothing is modified or exploited
- Free tier: 3 scans. Pro ($9.99/mo): unlimited scans
- Scans take approximately 15-30 seconds

## Links

- Website: https://preflyt.dev
- Command checker (for terminal safety): https://preflyt.dev/terminal
- npm package: https://www.npmjs.com/package/preflyt-check
