flowpatrol_probe

Quick security surface check — secrets, headers, paths, and Supabase RLS.

What it does

flowpatrol_probe runs four checks in parallel against your target URL and returns results in about 2 minutes. No authentication or crawling — just a fast, surface-level assessment.

Cost: 1 credit | Time: ~2 min

Parameters

Parameter    Type    Required  Description
target_url   string  Yes       The URL of your deployed application

Example

Dashboard: Go to Scans → New Scan, enter your URL, and select Probe.

MCP: Ask your AI assistant:

Run a Flowpatrol probe on https://myapp.vercel.app

Checks performed

JS bundle analysis

Scans all JavaScript files loaded by your page for leaked secrets and credentials:

  • Supabase service role keys
  • OpenAI / Anthropic API keys
  • Stripe secret keys
  • AWS access keys and secrets
  • Firebase admin credentials
  • Generic API tokens and passwords
  • Private keys (RSA, SSH)

Security headers

Audits HTTP response headers for common misconfigurations:

  • HSTS — is Strict-Transport-Security present with a reasonable max-age?
  • CSP — is Content-Security-Policy set?
  • X-Frame-Options — is clickjacking protection enabled?
  • X-Content-Type-Options — is MIME type sniffing prevented?
  • CORS — is Access-Control-Allow-Origin: * overly permissive?
  • Server — is the server header leaking version information?
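
As an added example (not Flowpatrol's own code), the header rules above written as a standalone audit function that returns findings in the same issue shape as the probe's response; the severities, the 180-day HSTS floor and the sample headers are assumptions of this example:

```python
import re

# Added example, not Flowpatrol's own code: audit one response's HTTP headers
# against the rules the probe lists. Severities and the HSTS floor are assumed.
MIN_HSTS_MAX_AGE = 15552000  # 180 days, an assumed floor for a "reasonable" max-age

# Constructed sample: headers from a typical misconfigured deployment
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "text/html",
}

def audit_headers(headers):
    """Return {check, severity, detail} findings in the probe's issue shape."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    issues = []

    def issue(severity, detail):
        issues.append({"check": "headers", "severity": severity, "detail": detail})

    # HSTS: must be present, and its max-age must not be trivially short
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issue("medium", "Missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            issue("low", f"Strict-Transport-Security max-age too short: {hsts}")

    csp = h.get("content-security-policy", "")
    if not csp:
        issue("medium", "Missing Content-Security-Policy header")
    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive is enough
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        issue("medium", "No clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issue("low", "Missing X-Content-Type-Options: nosniff")
    if h.get("access-control-allow-origin", "").strip() == "*":
        issue("medium", "Access-Control-Allow-Origin: * allows any origin")
    # A bare product name is fine; a version number (e.g. 1.18.0) is a leak
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        issue("low", f"Server header leaks version information: {server}")
    return issues
```

Running audit_headers(SAMPLE_HEADERS) yields six findings; a response carrying a long-lived HSTS, a CSP with frame-ancestors, nosniff and a bare Server product name yields none.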

Exposed paths

Probes for sensitive files and endpoints that shouldn't be publicly accessible:

  • .env and .env.local
  • .git/config
  • phpinfo.php
  • /api/admin, /admin, /debug
  • /.well-known/ endpoints
  • Framework-specific debug pages
  • Backup files (.sql, .bak)

The probe includes false-positive filtering for SPA catch-all routes. If your app returns a 200 for every path (common with React/Next.js SPAs), the probe checks the response body to determine if it's a real file or just the SPA shell.

Supabase RLS

If your app uses Supabase, the probe automatically:

  1. Extracts the Supabase URL and anon key from your page's JavaScript
  2. Tests whether common tables are readable without authentication
  3. Reports any tables that return data when they shouldn't

Tables tested include: users, profiles, accounts, orders, payments, documents, messages, sessions, api_keys, settings, audit_logs, notifications, subscriptions, invoices, files.

Response format

The probe returns a structured object with:

{
  "target": "https://myapp.vercel.app",
  "checks_run": 4,
  "issues_found": 3,
  "issues": [
    {
      "check": "js_secrets",
      "severity": "critical",
      "detail": "Supabase service_role key found in main.js"
    },
    {
      "check": "headers",
      "severity": "medium",
      "detail": "Missing Content-Security-Policy header"
    }
  ],
  "clean_checks": ["exposed_paths"]
}

Your AI assistant will format this into readable findings with fix suggestions.