Preflight roadmap
Preflight starts with one focused promise: show what anonymous visitors can already read before you ship. Features stay narrow, read-only, and explicit.
Supabase exposure check
Implemented: Check Supabase tables using your public project URL and anon key through Preflight server API routes.
- Uses HEAD requests only.
- Does not fetch or store row bodies.
- Rejects service-role keys.
- Checks the table names you enter, and tries auto-discovery when the project allows it.
- Shows whether anonymous visitors can read existing rows.
- Persists only sanitized scan metadata and safe findings.
- Reveals Grade F table details only after email entry.
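The list above describes a probe that is easy to get subtly wrong (sending a privileged key, fetching bodies, misreading an empty result). The following is an added example, written for this page and not Preflight's own code, of what such a read-only probe looks like in Node.js. It assumes the project's REST endpoint is PostgREST under `/rest/v1/`, that `Prefer: count=exact` makes PostgREST report the visible row count in the `Content-Range` header, that legacy Supabase API keys are JWTs whose payload carries a `role` claim, and that newer keys use the `sb_publishable_` / `sb_secret_` prefixes. The verdict names, the `fetchImpl` injection point and the `fakeKey` helper are this example's own.

```javascript
// Added example, not Preflight's own code. Shape of a read-only Supabase
// exposure probe. Assumes: the REST endpoint is PostgREST under /rest/v1/,
// legacy API keys are JWTs whose payload carries a `role` claim, and newer
// keys use the sb_publishable_ / sb_secret_ prefixes.

// Decode a JWT payload without verifying the signature. Verification is not
// needed here: we only read `role` to refuse privileged keys before any request.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Returns "anon" for a key the scanner is willing to send, else a rejection reason.
function classifyKey(key) {
  if (key.startsWith("sb_secret_")) return "rejected: secret key";
  if (key.startsWith("sb_publishable_")) return "anon";
  const payload = jwtPayload(key);
  if (!payload || typeof payload.role !== "string") return "rejected: not a Supabase API key";
  if (payload.role === "service_role") return "rejected: service-role key";
  if (payload.role !== "anon") return `rejected: unexpected role ${payload.role}`;
  return "anon";
}

// Build the HEAD request for one table. Only plain identifiers are accepted so
// nothing the user types can alter the path; `Prefer: count=exact` makes
// PostgREST report the visible row count in Content-Range, and HEAD plus
// limit=1 means no row body is ever transferred.
function buildProbe(projectUrl, anonKey, table) {
  if (!/^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(table)) throw new Error(`refusing table name: ${table}`);
  const url = new URL(`/rest/v1/${table}`, projectUrl);
  url.searchParams.set("select", "*");
  url.searchParams.set("limit", "1");
  return {
    url: url.toString(),
    method: "HEAD",
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}`, Prefer: "count=exact" },
  };
}

// Classify a response from status and Content-Range alone; the body is never read.
// Content-Range looks like "0-0/42" (42 rows visible) or "*/0" (none visible).
function interpretProbe(status, contentRange) {
  if (status === 401 || status === 403) return { verdict: "denied", note: "anon role cannot read this table" };
  if (status === 404) return { verdict: "missing", note: "table not exposed through the API or does not exist" };
  if (status !== 200 && status !== 206) return { verdict: "unknown", note: `unexpected status ${status}` };
  const m = /\/(\d+|\*)$/.exec(contentRange || "");
  if (!m || m[1] === "*") return { verdict: "unknown", note: "no row count in Content-Range" };
  const rows = Number(m[1]);
  if (rows === 0) {
    // Cannot tell an empty table from RLS hiding every row; report it as such.
    return { verdict: "no-visible-rows", rows, note: "readable, but zero rows visible (empty or RLS-filtered)" };
  }
  return { verdict: "exposed", rows, note: "anonymous visitors can read existing rows (Grade F)" };
}

// Probe one table. `fetchImpl` is injectable so the logic can be exercised offline.
async function probeTable(projectUrl, key, table, fetchImpl = globalThis.fetch) {
  const cls = classifyKey(key);
  if (cls !== "anon") throw new Error(cls);
  const req = buildProbe(projectUrl, key, table);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, redirect: "manual" });
  return { table, ...interpretProbe(res.status, res.headers.get("content-range")) };
}

// Constructed, unsigned key for demonstration only (not a real project key).
function fakeKey(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", ref: "demo", role })}.sig`;
}
```

Two points worth noting when reading the result: a 200 with zero visible rows cannot distinguish an empty table from RLS hiding every row, so it is reported as its own verdict rather than as safe; and because the probe uses the anon key, the project answers exactly as it would to an anonymous browser, which is the whole point of the check.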
App URL discovery
Implemented: Paste a deployed app URL and Preflight will inspect public frontend files to find Supabase configuration.
- Detects public Supabase project URLs.
- Detects public anon keys.
- Shows safe previews only.
- Uses strict SSRF protection so the server never requests internal or private addresses on your behalf.
- Scans public HTML and same-origin JavaScript bundles only.
- Does not crawl the whole site.
- Does not submit forms.
- Does not run table checks automatically.
- Requires user confirmation before using discovered config.
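The discovery steps above are one procedure: validate the pasted URL, fetch the page and its same-origin bundles, pattern-match the Supabase config, and stop short of running anything. As an added example (written for this page, not Preflight's code), here is that procedure in Node.js. It assumes public project URLs look like `https://<20-character ref>.supabase.co` and that legacy anon keys are JWTs with a `role` claim; the private-address table, the `fetchImpl` and `resolve` injection points, the 2 MB cap and the `needsConfirmation` flag are this example's own choices.

```javascript
// Added example, not Preflight's own code. SSRF-guarded discovery of Supabase
// config in a deployed app's public frontend. Assumes project URLs look like
// https://<20-char ref>.supabase.co and legacy anon keys are JWTs with a
// `role` claim. `fetchImpl` and `resolve` are injected so it runs offline.

const PRIVATE_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function ipv4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// True for loopback, link-local, private, CGNAT, multicast/reserved and
// anything unparsable: a scanner must refuse to connect to all of these.
function isPrivateIp(ip) {
  if (ip.includes(":")) {
    const v = ip.toLowerCase();
    return v === "::" || v === "::1" || /^f[cd]/.test(v) || /^fe[89ab]/.test(v) || v.startsWith("::ffff:");
  }
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return PRIVATE_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Validate a pasted URL before any request leaves the server: https only, no
// credentials, no IP-literal host (WHATWG URL parsing already normalizes forms
// like https://2130706433/ to dotted IPv4), and every resolved address public.
async function checkTargetUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "not a URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "https only" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":")) return { ok: false, reason: "IP literal host" };
  if (/^(localhost|.*\.(localhost|local|internal))$/.test(host)) return { ok: false, reason: "internal hostname" };
  const addrs = await resolve(host);
  if (addrs.length === 0 || addrs.some(isPrivateIp)) return { ok: false, reason: "resolves to a non-public address" };
  return { ok: true, url, addrs };
}

const SUPABASE_URL_RE = /https:\/\/[a-z0-9]{20}\.supabase\.co/g;
const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

// Safe preview: enough to recognize a value, never the whole thing.
const preview = (s) => `${s.slice(0, 12)}...${s.slice(-4)}`;

// Pull Supabase project URLs and JWT-shaped keys out of one text blob. Keys are
// tagged with their role so a service_role key in a bundle stands out.
function findSupabaseConfig(text) {
  const projectUrls = new Set(text.match(SUPABASE_URL_RE) || []);
  const keys = [];
  for (const jwt of new Set(text.match(JWT_RE) || [])) {
    let role = "unknown";
    try { role = JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8")).role ?? "unknown"; } catch {}
    keys.push({ role, preview: preview(jwt) });
  }
  return { projectUrls: [...projectUrls], keys };
}

// <script src> URLs on the same origin as the page; links are never followed.
function sameOriginScripts(html, base) {
  const out = new Set();
  for (const m of html.matchAll(/<script\b[^>]*\bsrc=["']([^"']+)["']/gi)) {
    try { const u = new URL(m[1], base); if (u.origin === base.origin) out.add(u.toString()); } catch {}
  }
  return [...out];
}

const MAX_BYTES = 2_000_000; // cap per document; a real scanner should stream and abort

async function discover(raw, fetchImpl, resolve) {
  const target = await checkTargetUrl(raw, resolve);
  if (!target.ok) return { ok: false, reason: target.reason };
  const fetchText = async (u) => {
    // redirect: "manual" so a 3xx to an internal host is never followed blindly
    const res = await fetchImpl(u, { method: "GET", redirect: "manual" });
    return res.status === 200 ? (await res.text()).slice(0, MAX_BYTES) : "";
  };
  const html = await fetchText(target.url.toString());
  const found = [findSupabaseConfig(html)];
  const scripts = sameOriginScripts(html, target.url);
  for (const s of scripts) found.push(findSupabaseConfig(await fetchText(s)));
  return {
    ok: true,
    scripts,
    projectUrls: [...new Set(found.flatMap((f) => f.projectUrls))],
    keys: found.flatMap((f) => f.keys),
    needsConfirmation: true, // table checks never start from discovery alone
  };
}
```

Two caveats a practitioner would add: resolving the hostname once and then letting the HTTP client resolve it again is open to DNS rebinding, so a production scanner should pin the connection to the addresses it validated; and any redirect must go back through `checkTargetUrl` before being followed, which is why the example fetches with `redirect: "manual"` and treats anything but a 200 as empty.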
Deployed app security checks
Planned: Future checks may inspect public frontend security posture beyond Supabase config discovery.
- Security headers.
- Exposed source maps.
- Sensitive frontend env leaks.
- Basic public-file checks.
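As an added example of what the planned checks above would evaluate (written for this page, not code from Preflight), the functions below score a response's security headers, find source-map references in a bundle, and flag secret-shaped strings that should never ship in public JavaScript. The header thresholds and the leak patterns (AWS access key IDs, Stripe live secret keys, PEM private-key blocks) are this example's choices, not a list from the project.

```javascript
// Added example, not Preflight's code: the kind of public-frontend checks the
// roadmap lists, run over constructed inputs. Header thresholds and the leak
// patterns are this example's choices, not a list from the project.

// Evaluate response headers (any case -> values) for a deployed app.
function evaluateSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = h["strict-transport-security"] || "";
  const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1] || 0);
  if (maxAge < 15552000) {
    findings.push({ header: "strict-transport-security", severity: "medium", note: hsts ? "max-age below 180 days" : "missing" });
  }
  const csp = h["content-security-policy"];
  if (!csp) findings.push({ header: "content-security-policy", severity: "medium", note: "missing" });
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) {
    findings.push({ header: "content-security-policy", severity: "low", note: "script-src allows 'unsafe-inline'" });
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push({ header: "x-content-type-options", severity: "low", note: "missing or not nosniff" });
  }
  if (!h["x-frame-options"] && !/frame-ancestors/.test(csp || "")) {
    findings.push({ header: "x-frame-options", severity: "low", note: "no framing protection (X-Frame-Options or CSP frame-ancestors)" });
  }
  if (!h["referrer-policy"]) findings.push({ header: "referrer-policy", severity: "low", note: "missing" });
  return findings;
}

// Source map references in a JS bundle. A HEAD request to each resolved URL
// (not done here) tells whether the map is actually served.
function findSourceMapRefs(js, bundleUrl) {
  const refs = [];
  for (const m of js.matchAll(/\/[\/*]#\s*sourceMappingURL=([^\s*]+)/g)) {
    if (m[1].startsWith("data:")) { refs.push({ inline: true }); continue; }
    refs.push({ inline: false, url: new URL(m[1], bundleUrl).toString() });
  }
  return refs;
}

// Secret-looking strings that should never ship in a public bundle.
const LEAK_PATTERNS = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/g],
  ["stripe-live-secret", /\bsk_live_[0-9A-Za-z]{16,}\b/g],
  ["private-key-block", /-----BEGIN [A-Z ]*PRIVATE KEY-----/g],
];

// Report kind, a short preview and the byte offset; never the full value.
function findEnvLeaks(js) {
  const leaks = [];
  for (const [kind, re] of LEAK_PATTERNS) {
    for (const m of js.matchAll(re)) leaks.push({ kind, preview: `${m[0].slice(0, 8)}...`, offset: m.index });
  }
  return leaks;
}
```

A source-map reference is only a finding if the `.map` file is actually served, which is a HEAD request away; and a matched leak pattern is a strong hint, not proof, so the report should show the offset and a short preview for a human to confirm rather than the value itself.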
User dashboard
Later: A place to view previous scans, track repeated findings, and manage reports over time.
Email delivery
Later: Automatically mail full reports once delivery, DNS, spam checks, and templates are worth the extra complexity.
Team accounts
Later: Accounts for saved scopes, shared scans, and team review history.
Full security audit scope
Not in v1: Preflight does not claim to prove an entire Supabase app is secure. To stay lean and accurate, v1 intentionally omits:
- Analyzing every RLS policy code snippet.
- Running write, update, or delete tests.
- Invoking custom RPC functions.
- Scanning storage buckets.
- Checking private repositories.
- Guaranteeing overall security compliance.
- Replacing a thorough manual security review.
Want to influence what comes next?
If Preflight found something useful or confusing, send feedback. The roadmap should follow real user pain, not feature bloat.