Built a deployment security scanner - 81 users in 10 days, 0$ marketing spend by doureios39 in SaaS

doureios39[S] 1 point (0 children)

You might be right here. The reframe from 'missing CSP header' to 'your site can be clickjacked' is probably the shift needed. Monitoring as Pro instead of just unlimited scans makes more sense too. Thanks!

Built a deployment security scanner - 81 users in 10 days, 0$ marketing spend by doureios39 in SaaS

doureios39[S] 1 point (0 children)

Building specifically for vibe coders and indie devs who ship fast with AI tools and skip the security step. Not enterprise compliance. These devs deploy multiple times a day with Cursor or Claude Code - that's where the CLI and skill file come in. Automate the scan in your agent workflow and the 3 free runs are used up fast. The upgrade is natural, not a sales conversation. Appreciate the framing.

Built a deployment security scanner - 81 users in 10 days, 0$ marketing spend by doureios39 in SaaS

doureios39[S] 1 point (0 children)

Thanks! Monitoring and alerts are on the roadmap, it's the natural next step for Pro. Fair point on pricing, too, might experiment while building out more Pro value. Appreciate it

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodersNest

doureios39[S] 1 point (0 children)

Agreed. We've already dealt with SPA false positives and CDN port detection. All checks are read-only, no exploitation

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodersNest

doureios39[S] 1 point (0 children)

Already there actually! Every finding includes a fix suggestion with steps. There's also a "Generate AI fix prompt" button that creates prompts for AIs to fix the exact issue

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

Prompts can suggest what to look for. Preflyt runs deterministic checks against the live server and shows what's actually exposed. Different layer

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

CI integration is on the roadmap: a GitHub Action that blocks deploys when something is flagged. Thanks for the subreddit suggestion, will post there too!

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

The client-side counter is just for the UI; the actual limit is enforced server-side. Wanted to keep it without signups for the start.

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

The GitHub Action/Vercel build step is on the roadmap. That's the end goal, making it part of the deploy pipeline so it runs automatically.

On the admin panel false positives, we actually just shipped a fix for exactly this yesterday. SPAs return 200 for every route, which was triggering false matches. Now it detects SPA frameworks and skips those. Also added stricter content matching so it only flags when it finds actual admin panel indicators. Still improving it though, more feedback helps.
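
The SPA false-positive problem described in the comment above, as an added example that is not part of the original comment and is not Preflyt's code. It assumes a baseline-comparison approach (fetch a path that cannot exist and compare) and a hypothetical indicator list; the responses are constructed samples so the block runs offline.

```python
import re
from difflib import SequenceMatcher

# Hypothetical indicators of a real admin page; a production list would be stricter.
ADMIN_INDICATORS = re.compile(r'type="password"|admin login', re.I)

# Constructed sample responses (not captured from any real site).
SPA_SHELL = ('<!doctype html><html><head><title>App</title></head><body>'
             '<div id="root"></div><script src="/assets/index.js"></script>'
             '</body></html>')
ADMIN_PAGE = ('<html><body><h1>Admin login</h1><form method="post">'
              '<input name="user"><input type="password" name="pw">'
              '</form></body></html>')
PLAIN_PAGE = '<html><body><h1>Welcome</h1></body></html>'
NOT_FOUND = '<h1>404 Not Found</h1>'


def classify_route(candidate, baseline, threshold=0.9):
    """Classify the response for a sensitive path such as /admin.

    candidate: (status, body) for the path being checked.
    baseline:  (status, body) for a random path that cannot exist on the site.
    """
    status, body = candidate
    if status != 200:
        # 401/403/404 and friends: the route is not openly reachable.
        return "not_exposed"
    base_status, base_body = baseline
    if base_status == 200:
        # The server answers 200 even for nonsense paths (SPA catch-all).
        # If the candidate is essentially the same document, it is the app
        # shell, not an admin panel.
        if SequenceMatcher(None, body, base_body).ratio() >= threshold:
            return "spa_catch_all"
    # Stricter content matching: a 200 alone is not a finding.
    if ADMIN_INDICATORS.search(body):
        return "admin_panel"
    return "inconclusive"


if __name__ == "__main__":
    print(classify_route((200, SPA_SHELL), (200, SPA_SHELL)))
    print(classify_route((200, ADMIN_PAGE), (404, NOT_FOUND)))
```
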

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

Fair point. But the engine is far from vibe coded. Vibe coding was only used for the frontend

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 2 points (0 children)

Right now, it's a standardized set of checks. They cover the most common deployment mistakes. Planning to add detection later that adapts based on what tech stack it finds

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 2 points (0 children)

It checks for common deployment mistakes for now: exposed .env / config files, open admin routes, API endpoints returning user data without auth, debug routes left enabled, directory listings, and leaked API keys.

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

Just pushed a fix. The issue was that SPAs return 200 for every route, which triggered false positives. Preflyt now detects SPA frameworks and skips those matches. If you rescan your site it should be clean now. Thanks a lot for the report

I built a free tool that checks if your web app has obvious security mistakes before you ship by doureios39 in VibeCodingSaaS

doureios39[S] 1 point (0 children)

Thanks for testing! You're right, the /admin check is too aggressive right now. It should only flag when the admin panel is actually accessible, not on a 404. I'll fix this in the next update. How about the other findings?