Probe checks public-surface risks that are common in fast-shipped web apps. The practical question is: what can an outside unauthenticated request see, trigger, or learn from the submitted URL?
Probe focuses on observable launch risks. It does not inspect your private source code, database, admin account, private logs, dependency tree, or cloud dashboard.
Supported checks
Probe checks for public source maps that may expose readable source code, route names, comments, or API patterns.
Probe checks for exposed environment files and backup files, including public .env-style files that should never be reachable from the web.
Probe checks for secret-like keys in browser-shipped code, including service-role or secret-key patterns for Supabase, Stripe, AI services, and backend services. A public anon key may be expected in some apps. A service-role key or provider secret in browser code is usually urgent.
Probe checks for missing or weak browser security headers such as Content-Security-Policy and Strict-Transport-Security. Missing headers are not always critical by themselves, but they are useful hardening signals.
Probe checks for public admin, debug, internal, and test surfaces that appear reachable without authentication.
Probe runs targeted checks for exposed AI or admin endpoints that may trigger costly or privileged actions.
Probe checks for risky CORS behavior on likely sensitive routes.
Probe checks likely Stripe webhook routes for signs that incoming events are signature-verified rather than accepted from any sender.
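As an added example, not Probe's own code, here is a small offline version of three of the checks listed above: secret-like keys in a browser bundle (including the anon-versus-service_role distinction for Supabase JWTs and Stripe secret-key prefixes), source-map references, and missing or weak security headers plus CORS reflection on a response. The sample bundle, the JWTs, the header sets, the regexes and the severity thresholds are all constructed assumptions for illustration.

```python
import base64
import json
import re

# Constructed inputs for the example. The JWTs are built locally with a dummy
# signature and the Stripe-style keys are placeholders, not real credentials.


def _b64url(obj):
    """base64url-encode a JSON object without padding, the way JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _fake_jwt(role):
    """Build a Supabase-style JWT carrying a role claim (signature is a dummy)."""
    header = _b64url({"alg": "HS256", "typ": "JWT"})
    payload = _b64url({"iss": "supabase", "ref": "example", "role": role})
    return f"{header}.{payload}.dummysignature"


SAMPLE_BUNDLE = f"""
const SUPABASE_URL = "https://example.supabase.co";
const SUPABASE_ANON_KEY = "{_fake_jwt('anon')}";
const SUPABASE_ADMIN_KEY = "{_fake_jwt('service_role')}";
const STRIPE_PUBLISHABLE = "pk_test_{'x' * 24}";
const STRIPE_SECRET = "sk_test_{'y' * 24}";
//# sourceMappingURL=app.js.map
"""

# Headers a sensitive API route returned when the scanner sent an Origin header.
SAMPLE_API_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}

JWT_RE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")
STRIPE_SECRET_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{16,}")
SOURCE_MAP_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)", re.M)
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
HSTS_MIN_MAX_AGE = 15552000  # 180 days; an assumed floor for "weak" HSTS


def jwt_role(token):
    """Return the 'role' claim of an unverified JWT, or None if it is not one."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None


def scan_bundle(js):
    """Flag source-map references and secret-like keys in browser-shipped JS."""
    findings = []
    for m in SOURCE_MAP_RE.finditer(js):
        findings.append(("medium", f"source map referenced: {m.group(1)}"))
    for token in JWT_RE.findall(js):
        role = jwt_role(token)
        if role == "service_role":
            findings.append(("critical", "Supabase service_role JWT shipped to the browser"))
        elif role == "anon":
            findings.append(("info", "Supabase anon JWT (expected in client code)"))
    for m in STRIPE_SECRET_RE.finditer(js):
        findings.append(("critical", f"Stripe secret key in bundle: {m.group(0)[:8]}..."))
    return findings


def check_headers(headers, probe_origin="https://attacker.example"):
    """Flag missing/weak hardening headers and Origin reflection on one response.

    probe_origin is the Origin value the scanner sent with its request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append(("low", "missing Content-Security-Policy"))
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append(("low", "missing Strict-Transport-Security"))
    elif not max_age or int(max_age.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(("low", "Strict-Transport-Security max-age is too short"))
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin:
        if creds:
            findings.append(("high", "CORS reflects the scanner's Origin and allows credentials"))
        else:
            findings.append(("medium", "CORS reflects the scanner's Origin"))
    return findings


def report(bundle_js, api_headers):
    """Run both checks and order findings most urgent first, for routing."""
    findings = scan_bundle(bundle_js) + check_headers(api_headers)
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))


def highest_severity(findings):
    return findings[0][0] if findings else "none"


if __name__ == "__main__":
    for sev, msg in report(SAMPLE_BUNDLE, SAMPLE_API_HEADERS):
        print(f"[{sev:<8}] {msg}")
```

In a real scan the bundle comes from the script tags on the submitted URL and the headers from a request sent with a chosen Origin; the point of the JWT decode is that the same-looking token is routine when its role is anon and urgent when it is service_role, which a plain "looks like a key" regex cannot tell apart.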
What Probe does not check
Probe does not log in, test private workflows, inspect your private source code, review database policies, scan dependency CVEs, or certify compliance.
Probe also does not need your GitHub token, Supabase dashboard, Stripe secret key, hosting login, AI service key, database export, or private credentials.
How to read the result
Treat Probe severity as a routing signal. Critical findings need fast review by the person who can rotate keys, change server code, lock down a route, or adjust production configuration. Lower-severity findings may still matter, especially before a launch or a customer security review.
The full audit gives the detail needed to route and fix each finding: severity, evidence, exploitability, and patch prompts for your AI coding tool.