preflyt

# Preflyt - Post-Deploy Security Scan

After deploying a web app, API, or backend to a public URL, run a Preflyt scan to detect exposed secrets, misconfigurations, and unsafe defaults.

## When to use this

- After deploying a web application to production or staging
- After deploying a backend API (Node, Python, Go, etc.)
- After any infrastructure change that exposes a new URL

## How to run a scan

```bash
npx preflyt-check https://your-deployed-url.com
```

With options:
```bash
# Fail if issues found (for CI/CD)
npx preflyt-check https://your-deployed-url.com --fail

# Generate a shareable report link
npx preflyt-check https://your-deployed-url.com --share

# With Pro license for unlimited scans
npx preflyt-check https://your-deployed-url.com --key YOUR_LICENSE_KEY
```

Exit codes:
- 0: scan completed, no issues (or issues found without --fail)
- 1: issues found with --fail set, or scan error

## What it checks

- Exposed .env and config files (database passwords, API keys)
- Exposed .git repositories (source code leakage)
- Exposed backend source code (app.py, server.js, config.php served as static files)
- Exposed database files (dynamic detection using project name - {name}.db, {name}.sqlite3)
- Open database ports (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
- Directory listing detection and dangerous file parsing
- Exposed admin panels and debug endpoints
- Missing security headers (HSTS, CSP, X-Frame-Options, CORS)
- Exposed backup files and source maps
- Server version leakage
- Insecure cookie flags

## What it does NOT do

- Does not scan source code or local files
- Does not perform exploit attempts
- Does not test authentication logic
- Does not scan localhost or private networks
- Does not read or transmit any local environment variables, files, or code

## Privacy

- Without --share: all results display in the terminal only. No data is sent to preflyt.dev beyond the initial scan request containing the target URL.
- With --share: scan results...

# Preflyt

Post-deployment security scanner. Checks your live web app for exposed secrets, databases, source code, open ports, and missing security headers.

## What It Does

After your agent deploys an app, Preflyt scans the live URL from the outside (same perspective an attacker has) and reports misconfigurations in 30 seconds.

## How to Use

Your agent runs this after any deploy:
```bash
npx preflyt-check https://your-site.com
```

Or add the SKILL.md to your project and the agent picks it up automatically.

## Examples

- Agent deploys a Next.js app to Vercel, then runs `npx preflyt-check` to verify nothing is exposed
- Agent sets up a VPS backend, then scans for open database ports, exposed source code, and missing headers
- Agent deploys a vibe-coded app, scan detects the SQLite database is downloadable at {projectname}.db
- CI pipeline runs the check with `--fail` to block deploys with HIGH severity findings

## Requirements

- Node.js (for npx)
- Public URL to scan (no localhost)

## Troubleshooting

- **Scan blocked (403):** Site has bot protection enabled. Wait or scan manually at preflyt.dev
- **Timeout:** URL may not be reachable. Verify the deployment is live first
- **Rate limit:** Free tier is 3 scans. Use `--key` flag with a Pro license for unlimited