Preflight
Supabase safety check
Read-only · No row bodies · No service-role key
Feature blueprint

Preflight roadmap

Preflight starts with one focused promise: show what anonymous visitors can already read before you ship. Features stay narrow, read-only, and explicit.

Available now

Supabase exposure check

Implemented

Check Supabase tables using your public project URL and anon key through Preflight server API routes.

  • Uses HEAD requests only.
  • Does not fetch or store row bodies.
  • Rejects service-role keys.
  • Checks the table names you enter and tries auto-discovery when the project allows it.
  • Shows whether anonymous visitors can read existing rows.
  • Persists only sanitized scan metadata and safe findings.
  • Reveals Grade F table details only after email entry.

Limitation: this is an exposure test, not a full security audit. Grade A means no anonymous-readable rows were found in the checked tables, not that the whole project is secure.
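The check above is easy to get subtly wrong (a 200 with zero visible rows is not proof of safety, and the key must be inspected before it is ever sent). The following is an added example, not Preflight's own code, of how such a read-only exposure check can be written. It assumes the Supabase REST endpoint is PostgREST at <project_url>/rest/v1/<table>, that a HEAD request with "Prefer: count=exact" answers with a Content-Range header whose part after "/" is the number of rows the caller may see, and that legacy Supabase API keys are JWTs with a "role" claim of "anon" or "service_role". The key shapes used for testing are constructed and unsigned.

```python
"""Read-only Supabase anonymous-exposure check (added example, not Preflight's code)."""
import base64
import binascii
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Only plain identifiers are accepted, so a table name can never smuggle in query syntax.
TABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT-shaped key for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64(claims)}.constructedsig"


def jwt_role(key):
    """Return the unverified 'role' claim of a JWT-shaped key, or None.
    No signature check is needed here: we only decide whether to *send* the key."""
    parts = key.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, binascii.Error):
        return None
    return claims.get("role") if isinstance(claims, dict) else None


def is_service_role_key(key):
    return jwt_role(key) == "service_role"


def http_head(url, headers):
    """Real transport: HEAD only, so no row bodies are ever transferred."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def content_range_total(value):
    """'0-0/57' -> 57, '*/0' -> 0, missing or '0-0/*' -> None (assumed PostgREST format)."""
    if not value or "/" not in value:
        return None
    total = value.rsplit("/", 1)[1].strip()
    return int(total) if total.isdigit() else None


def classify(status, headers):
    """Map a HEAD response to a verdict without looking at any row content."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (200, 206):
        total = content_range_total(lowered.get("content-range"))
        if total is None:
            return "unknown", None
        # Zero visible rows is ambiguous: RLS may be hiding them, or the table may be empty.
        return ("exposed" if total > 0 else "no_visible_rows"), total
    if status in (401, 403):
        return "denied", None
    if status == 404:
        return "not_found", None
    return "unknown", None


def check_table(project_url, anon_key, table, transport=http_head):
    """Check one table with the anon key; refuse anything that is not an anon key."""
    if is_service_role_key(anon_key):
        raise ValueError("refusing to scan with a service-role key")
    if jwt_role(anon_key) != "anon":
        raise ValueError("key is not a Supabase anon key")
    if not TABLE_NAME.match(table):
        raise ValueError(f"unsafe table name: {table!r}")
    url = f"{project_url.rstrip('/')}/rest/v1/{urllib.parse.quote(table)}?limit=1"
    headers = {
        "apikey": anon_key,
        "Authorization": f"Bearer {anon_key}",
        "Prefer": "count=exact",  # ask PostgREST for the total count of visible rows
    }
    status, resp_headers = transport(url, headers)
    verdict, rows = classify(status, resp_headers)
    # Only this sanitized metadata is worth persisting: never the key, never row bodies.
    return {"table": table, "status": status, "verdict": verdict, "visible_rows": rows}


if __name__ == "__main__":
    import sys
    project, key, *tables = sys.argv[1:]  # usage: script.py <project_url> <anon_key> <table>...
    for name in tables:
        print(check_table(project, key, name))
```

Note that "no_visible_rows" is deliberately not reported as "safe": the check can only say that the anon role saw nothing, which is exactly the limitation stated above.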

App URL discovery

Implemented

Paste a deployed app URL and Preflight will inspect public frontend files to find Supabase configuration.

  • Detects public Supabase project URLs.
  • Detects public anon keys.
  • Shows safe previews only.
  • Uses strict SSRF protection.
  • Scans public HTML and same-origin JavaScript bundles only.
  • Does not crawl the whole site.
  • Does not submit forms.
  • Does not run table checks automatically.
  • Requires user confirmation before using discovered config.
Limitation: App URL discovery only finds Supabase config exposed in public frontend files. It does not prove the deployed app is secure.

Coming soon
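Three of the guarantees in the list above (strict SSRF protection, same-origin bundles only, safe previews only) are the ones a reviewer would want to see enforced in code. The following is an added example, not Preflight's own code, showing one way to implement them so they can be unit-tested offline. All function names are assumptions, the URL and key patterns are constructed approximations of how Supabase config appears in a built bundle, and the resolver is injectable so the tests never touch DNS.

```python
"""Added example: SSRF guard, same-origin filter and safe previews for app URL discovery."""
import ipaddress
import re
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed patterns: a Supabase project URL and a JWT-shaped key as they
# typically appear in a built frontend bundle.
SUPABASE_URL = re.compile(r"https://[a-z0-9]+\.supabase\.co\b")
JWT_SHAPED = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def system_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """Reject loopback, private, link-local (including cloud metadata), CGNAT,
    multicast, and IPv4-mapped IPv6 forms of any of those."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def safe_fetch_target(url, resolver=system_resolver):
    """SSRF guard: returns (ok, reason). Every resolved address must be public,
    so a name that resolves to one public and one internal address is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or credentials embedded in URL"
    try:
        addresses = [ipaddress.ip_address(parts.hostname)]  # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False, "hostname did not resolve"
    if not addresses:
        return False, "hostname did not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, "ok"


def default_port(scheme):
    return {"http": 80, "https": 443}.get(scheme)


def is_same_origin(base_url, candidate_url):
    """Scheme, host and port must all match; a CDN or a different port is out of scope."""
    b, c = urlsplit(base_url), urlsplit(candidate_url)
    return (b.scheme, b.hostname, b.port or default_port(b.scheme)) == (
        c.scheme, c.hostname, c.port or default_port(c.scheme))


def script_urls(html, page_url):
    """Collect <script src> targets, resolved against the page, same-origin only."""
    found = re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, flags=re.I)
    return [u for u in (urljoin(page_url, s) for s in found) if is_same_origin(page_url, u)]


def find_supabase_config(text):
    """Server-side discovery: full values stay here until the user confirms their use."""
    return {
        "project_urls": sorted(set(SUPABASE_URL.findall(text))),
        "anon_keys": sorted(set(JWT_SHAPED.findall(text))),
    }


def preview(secret, keep=8):
    """Safe preview: enough to recognise the value, never enough to use it."""
    return f"{secret[:keep]}...({len(secret)} chars)"


def safe_summary(config):
    """What is allowed to leave the server: project URLs plus key previews only."""
    return {
        "project_urls": config["project_urls"],
        "anon_key_previews": [preview(k) for k in config["anon_keys"]],
    }
```

The resolve-then-check order matters: validating the hostname string alone lets an attacker-controlled DNS name point at an internal address, which is why every resolved address is checked rather than the name. The fetch that follows should connect to the checked addresses rather than re-resolving the name, otherwise a DNS answer that changes between check and fetch reopens the hole.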

Deployed app security checks

Planned

Future checks may inspect public frontend security posture beyond Supabase config discovery.

  • Security headers.
  • Exposed source maps.
  • Sensitive frontend env leaks.
  • Basic public-file checks.
Not implemented yet. This would be a separate scope from Supabase config discovery.

Later

User dashboard

Later

A place to view previous scans, track repeated findings, and manage reports over time.

Not building yet because Preflight needs to prove users care about scan results first.

Email delivery

Later

Automatically mail full reports once delivery, DNS, spam checks, and templates are worth the extra complexity.

Currently, the full report is revealed on-page only.

Team accounts

Later

Accounts for saved scopes, shared scans, and team review history.

Not building yet to keep the MVP simple and low-friction.

Not planned for v1

Full security audit scope

Not v1

Preflight does not claim to prove an entire Supabase app is secure. To stay lean and accurate, v1 intentionally omits:

  • Analyzing every RLS policy code snippet.
  • Running write, update, or delete tests.
  • Invoking custom RPC functions.
  • Scanning storage buckets.
  • Checking private repositories.
  • Guaranteeing overall security compliance.
  • Replacing a thorough manual security review.

Want to influence what comes next?

If Preflight found something useful or confusing, send feedback. The roadmap should follow real user pain, not feature bloat.

Send feedback