How a $300 plane ticket turned into a free flight-search tool, a responsible-disclosure
report, a Reddit fight, and 1,700 visitors in a month.
Live: https://letsgowild.msantoki.com
Not affiliated with Frontier Airlines. Built by Manan Santoki.

LetsGoWild: an "Anywhere from PHX" search — 28 live options, priced route arcs, and a results rail, all in one map-first view.
TL;DR
I went looking for a cheap round trip to visit family. I ended up finding a $200
all-you-can-fly pass, a cottage industry of paywalled tools wrapped around free
Frontier data, a security hole I disclosed responsibly, and — two days and a lot
of caffeine later — a free alternative I built myself. It launched, Reddit
noticed, the competition wasn't thrilled, the moderators removed my post and
eventually permanently banned me — and ~316 people signed up anyway in the
first weeks. This is the whole thing, start to finish.
Chapter 1 — The $300 problem
It started the way most side projects do: I wanted something for myself.
I was planning a summer trip from Phoenix (PHX) to Atlanta (ATL) to visit
family. I pulled up the usual round-trip fares and the total kept landing around
$300+. Not outrageous, but not nothing either — and I was flexible on dates,
which always makes me feel like I'm leaving money on the table when I just book
the first thing I see.
Then I noticed Frontier was selling GoWild! summer passes for ~$200 — an
all-you-can-fly pass for the season. If I was going to fly more than a couple of
times, the math was obviously in favor of the pass. So, like any normal person
about to spend $200, I went down the rabbit hole of how does this actually
work?
Chapter 2 — The rabbit hole
GoWild! has rules. Seats are limited per flight, availability opens on its own
schedule, fares show up as a separate class, and the only way to really "win" at
it is to be flexible and fast. The official Frontier site is not built to make
any of that easy.
So I did what everyone does — I went to r/gowildfrontier to see how the
community handles it. Scattered through the threads were mentions of a tool
called gopassflights.com. I checked it out. It's a flight-search service
that, under the hood, scrapes Frontier's own booking data through URL/endpoint
manipulation and presents it in a nicer interface — exactly the kind of thing I
needed.
And it wasn't the only one. There's a small ecosystem of these GoWild! trackers,
all doing fundamentally the same thing: pulling Frontier's public flight data and
re-presenting it.
I tried them. And one thing genuinely annoyed me.
Chapter 3 — The thing that annoyed me: the paywall
gopassflights, like the others, was paywalled into tiers:
| Tier | Price | What it unlocked |
|---|---|---|
| Free | $0 | One-to-one airport search, GoWild!/non-stop filters, one-way + round-trip, browser alerts, basic fare classes — capped at 3 searches |
| Plus | $4.89/mo (3-day trial) | One-to-all airports, inbound search, available-seat counts, range filters, day trips, email/text alerts, GoWild! calendar, interactive map, weather |
| Pro | $7.89/mo (5-day trial) | Multi-airport → all, Reward Miles seats, all sort/filter options, fare-drop alerts, "lightning fast" speed, pinned airports |
| Ultra | $9.89/mo (7-day trial) | Dark mode, month/year search, GoWild! fare calendar, route builder, hidden routes, red-eye, proximity sort, mobile web app — plus "9 features coming soon" |

gopassflights' "Upgrade your plan" page: real-time data, multi-airport search, the map, miles fares, and even round-trip all live behind $4.89–$9.89/mo tiers.
And it wasn't just them — the whole market paywalls
gopassflights was the one I ended up deepest in, but as I surveyed the space it
became obvious this is the norm, not the exception. Every comparable GoWild!
tracker charges for the same scraped Frontier data:
| Service | Free tier? | What it costs | What sits behind the paywall |
|---|---|---|---|
| gopassflights.com | Yes — capped at 3 searches | $4.89 Plus / $7.89 Pro / $9.89 Ultra per month | Multi-airport search, interactive map, calendar, Miles fares, alerts, dark mode, month/year search… |
| searchgwp.com (SearchGWP) | No free tier at all | $8.95/mo (web) · $9.95/mo (web+apps) · $79.95–$89.95/yr · $24.95/3mo | Everything — even basic 1→all-cities, round-trip, any-date, day-trip, and sorting are subscription-only |
| the1491club.com | Yes — "Basic Economy" (beta) | $4.91 first month → $9.95/mo ("First Class") | Real-time availability + pricing, any-date search, early-booking pricing, Asia + international connections |
| gowilder.net | Yes — 1 search per week | $5/mo intro → $10/mo Premium (7-day trial) | AI trip planner (capped 2M tokens/mo), unlimited searches, interactive maps, flight alerts/SMS, inbound + return search, live seat availability |
Look at what each one chooses to gate. SearchGWP doesn't even offer a free tier —
you subscribe or you leave. the1491club gives you a free "Basic Economy" plan but
puts real-time availability and pricing — the entire point of the tool —
behind "First Class." gowilder.net's free tier is literally one search per
week with no maps and no alerts, while the genuinely useful stuff (AI planner,
unlimited search, live seats, alerts) is $10/mo.
Every single one of them gates the same scraped Frontier data that none of
them own. That's the whole market. It's the backdrop for everything that follows.
Here's the part I want to be honest about: I don't mind paying for software. I
pay for Spotify, Netflix, Prime, a stack of other subscriptions. If a tool makes
my life easier, take my money.
But this felt different. None of these services own the data. It's Frontier's
flight data. Every one of these tools — gopassflights, the others, and the one I
eventually built — is a scraper. We're all wrappers around someone else's data.
Charging a monthly subscription, with a "9 features coming soon" upsell, for a
cosmetic layer over data you don't own and arguably aren't supposed to be
reselling, sat wrong with me. That's the core of my philosophy and I'll come back
to it.
Chapter 4 — The 3-search limit, and what I found behind it
The free tier capped you at 3 searches. Fine — except, being a developer, I
opened DevTools out of habit, popped into the Network tab, and watched what the
app actually did.
The cap was enforced entirely in client-side JavaScript. The backend didn't
care. It would happily answer any search, from any caller, for any tier — the
"Plus/Pro/Ultra" gates lived only in the JS that drew the UI. The server saw a
request, read the params, and returned full results. The paywall was a painted
door.
Specifically, what I found:
- A hard-coded, shared `userID` baked into `/files/scripts/funcs.js` (`var userID = "NGY2eWc3dnU6OGc1dDZmdjk"`). Every single visitor used the same value. The Socket.IO server at `wss://api.gopassflights.com:2443/socket.io/` accepted it from any origin. That ID was a label, not an authenticator.
- No tier enforcement on the WebSocket. A standard Engine.IO v4 / Socket.IO v4 handshake followed by a `get` event streamed back full results regardless of which "paid" features the payload requested — one-to-many cities (Plus), multi-airport groups (Pro), "All airports" fan-out (Plus/Pro), Reward Miles fares, all sort options.
- The browser-fingerprint object was unused. Stub data sailed right through.
- No socket-level rate limiting. The only usage tracking was a separate HTTP endpoint on a different path from the data plane — skipping it changed nothing.
- Origin wasn't actually enforced on the WS upgrade.
In other words: anyone who read the JS could replicate every paid feature in an
afternoon.
Chapter 5 — Responsible disclosure
I didn't post this. I didn't tweet it. I didn't dump it in the subreddit.
I built a private proof-of-concept (a working page that talked directly to
their Socket.IO endpoint and exposed every paid feature without auth), found the
founder's email, and wrote a clear, professional disclosure. The full report laid
out all six findings above and a prioritized remediation roadmap:
- Issue per-session signed tokens (short-lived JWT/signed cookie bound to account + tier + IP) instead of a shared `userID`. Reject connections without one.
- Enforce tier on every `get` event server-side — the single most impactful fix. The server knows the plan from the token; it should reject above-tier payloads instead of trusting the client to hide buttons.
- Rate-limit the socket per user and per IP.
- Validate the fingerprint server-side or remove the dead code.
- Stop exposing long-lived IDs in client JS; mint and rotate session-bound IDs.
- Add CSP/origin checks on the WS upgrade as defense-in-depth.
- Optionally split the data plane — free features on a public socket, everything else behind authenticated channels.
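The first three remediation items, as an added example in Node.js (not code from the report or from either site): the server derives the required tier from the payload of each `get` event, checks it against a signed, short-lived token, then applies a per-user quota. The payload fields `origins`, `destinations` and `fareClass`, the quota numbers and the token format are assumptions.

```javascript
// Added example: server-side gate for a Socket.IO-style "get" event.
// Payload fields (origins, destinations, fareClass), quotas and TTLs are assumptions.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = randomBytes(32);                      // server-only signing key
const TIER_RANK = { free: 0, plus: 1, pro: 2 };
const QUOTA = { free: 3, plus: 60, pro: 120 };       // searches per window (assumed)
const WINDOW_MS = 24 * 60 * 60 * 1000;

const sign = (body) => createHmac("sha256", SECRET).update(body).digest();

// Mint a short-lived token bound to one account and its tier.
function mintToken(userId, tier, ttlMs, nowMs = Date.now()) {
  const claims = { sub: userId, tier, exp: nowMs + ttlMs };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body).toString("base64url")}`;
}

// Check the signature in constant time, then the expiry. Returns claims or null.
function verifyToken(token, nowMs = Date.now()) {
  if (typeof token !== "string") return null;
  const [body, sig] = token.split(".");
  if (!body || !sig) return null;
  const expected = sign(body);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length) return null;
  if (!timingSafeEqual(given, expected)) return null;
  // Only parsed after the signature matched, so the body is server-minted.
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (!Object.hasOwn(TIER_RANK, claims.tier) || claims.exp <= nowMs) return null;
  return claims;
}

// Lowest tier allowed to send this payload, derived from the payload itself
// rather than from any tier value the client claims.
function requiredTier(payload) {
  const origins = [].concat(payload.origins ?? []);
  const dests = [].concat(payload.destinations ?? []);
  let need = "free";                                                  // one-to-one
  if (dests.length > 1 || dests.includes("ALL")) need = "plus";       // one-to-many
  if (origins.length > 1 || payload.fareClass === "miles") need = "pro";
  return need;
}

// Fixed-window counter keyed by the authenticated user, kept on the server.
const usage = new Map();                             // userId -> { start, count }
function underQuota(userId, tier, nowMs) {
  let w = usage.get(userId);
  if (!w || nowMs - w.start >= WINDOW_MS) {
    w = { start: nowMs, count: 0 };
    usage.set(userId, w);
  }
  return ++w.count <= QUOTA[tier];
}

// Call this at the top of the "get" handler, before any search runs.
function authorizeGet(token, payload, nowMs = Date.now()) {
  const claims = verifyToken(token, nowMs);
  if (!claims) return { ok: false, reason: "unauthenticated" };
  if (payload === null || typeof payload !== "object") {
    return { ok: false, reason: "bad_payload" };
  }
  const need = requiredTier(payload);
  if (TIER_RANK[claims.tier] < TIER_RANK[need]) {
    return { ok: false, reason: `requires_${need}` };
  }
  if (!underQuota(claims.sub, claims.tier, nowMs)) {
    return { ok: false, reason: "rate_limited" };
  }
  return { ok: true, user: claims.sub };
}
```

A static identifier shipped in client JavaScript fails `verifyToken` because it carries no server signature, and a hidden button no longer matters because the tier decision is made from the payload on the server.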
The founder wrote back, and to his credit, he was gracious about it. He admitted
the client-side enforcement was a deliberate MVP trade-off to ship fast, that
he'd been watching backend logs for competitor abuse and planned to harden it
"when ready." He thanked me — genuinely, at length — for building an entire demo
just to prove the point and for handing him a step-by-step fix instead of just a
list of holes.
That was the ethical end of it. I reported, they acknowledged, done.

The disclosure thread — my report on the bottom, the founder's grateful reply above it. (Private correspondence; redact before any public use.)
Chapter 6 — From "how does this work" to "I can build this"
But by then I'd done something else as a side effect of all that poking around:
I'd learned exactly how the data layer worked. How these tools talk to
Frontier's booking backend, how the flight details come back, how to structure
the requests, how to parse and cache the results.
And I had two strong opinions forming:
- It should be free. Permanently. Because none of us own this data.
- The existing UX was bad. The data was there, but the presentation — how results were shown, formatted, filtered, and compared — was clumsy across every tool I tried. I knew I could do that part dramatically better.
So I sat down. Two days. ~400mg of caffeine. Claude as a pair-programmer. And
I shipped the first working draft of what is now letsgowild.msantoki.com.
Chapter 7 — What I actually built
This is the part that matters, because "another GoWild tracker" undersells it.
Here's what's in the product and why each piece earns its place in a real
booking workflow.
Search that matches how people actually fly
- Specific mode — you know your dates. One-way or round-trip, depart + optional return, with calendars that won't let you pick the past.
- Flexible mode — you don't know your exact dates, which is the normal state for a GoWild! pass holder. You give it a departure window (up to 30 days) and a stay-length range (e.g. 2–5 nights). It scans every day in the window in parallel, cross-products departures against returns, filters by your stay length, totals the cash, and hands back ranked round-trip pairs. No more clicking 25 date combinations by hand. (Real run: PHX↔ATL, depart May 25–29, 2–5 nights → cheapest combo $40.62 total.)
- "Anywhere" search — origin or destination set to a curated list of Frontier-heavy hubs, so you can ask "where can I cheaply go from PHX?" without triggering a wasteful all-airports fan-out.
- Multi-airport fan-out — pick several origins/destinations (e.g. all three NYC airports) and the backend fans the search across them.

The search pill — flip between Specific (you know your dates) and Flexible (a date window + stay length).

Flexible mode: pick a departure window (May 25–29) and a stay-length range (e.g. 2–5 nights).

The payoff: every valid round-trip combination, ranked by total cash. Cheapest here is $40.62.
Seeing the data clearly — the part competitors got wrong
- All fare classes side by side — Standard, Discount Den, GoWild!, and Miles in one view, so you can instantly see what the GoWild! seat actually saves you versus paying cash.
- Interactive map-first interface (MapLibre) — route arcs, airport markers, and live results all share one map context. You can see the route you're about to book, not just read a table.
- 60-day calendar — spot the cheapest days to fly across two months at a glance.
- 30-day price history with "cheapest in 30d" tags — know whether the fare you're looking at is actually a good price or just the price today.
- Deep filtering and sorting — nonstop, GoWild!-only, no-overnight, fare range, duration, stops, departure/arrival time, distance, available-seat counts — all of it, free, none of it behind a tier.

Map-first: route arcs, airport markers, and the results rail share one context — you can see the route you're booking.

Every fare class side by side — here a PHX→LAS nonstop where the GoWild! seat is $15.41 vs $243.98 standard — with 30-day price history and a "cheapest in 30d" tag.

Every filter and sort, plus dual-range sliders for duration, fare, stops, times, distance, and seats — all free, none of it tiered.
Planning a whole trip, not just one flight
- Trip Builder — add legs from results into a drawer, reorder them, inspect layovers, name the trip. Anonymous trips live in local storage and migrate to your account after login so nothing is lost.
- AI trip planner (OpenRouter-backed) — it calls real flight-search tools server-side, computes layovers, and proposes itineraries. If the AI key isn't configured, everything else still works — it degrades cleanly.

Trip Builder: add legs from results, reorder, inspect layovers, and see running totals (cash, flying time, overnights).
Not missing the seat you wanted
- Watches — subscribe to a route + date + fare class with an optional max price.
- Browser push alerts — a background worker re-checks active watches on a schedule and pushes you a notification when a GoWild! seat opens or a fare drops below your target, with de-duplication so you don't get spammed.
The plumbing that makes it fast and stays online
- A background worker pre-warms popular routes every 30 minutes, caches day-level summaries in Redis, and writes per-fare-class snapshots into fare history — so common searches feel instant and history accrues over time.
- Streaming search results render into the rail as they arrive.
- Real auth — Argon2 password hashing, JWT access + refresh tokens, a "remember me for 7 days" option, email verification, password reset, and an active-sessions manager.
- Admin + access control — signup pause, a waitlist, single-use email invites, and in-app + push announcements (this is what saved me during the launch surge — see below).
Stack, for the record: FastAPI + SQLAlchemy (async) + PostgreSQL + Redis +
APScheduler on the backend; Next.js 16 / React 19 / TypeScript / Tailwind /
MapLibre on the front end; the whole thing deployed as a Docker stack.
Chapter 8 — Launch, and the Reddit reaction
I posted it to r/gowildfrontier (as Personal_Citron9609): a free GoWild!
tracker with a map view, 60-day calendar, and price alerts — "what's missing?"
Two things happened at once.
The pushback
The gopassflights devs showed up. One account ("GoWildDevs") commented that
the airport-selection list "looked identical to ours," that they'd "checked the
dev tools," and that my site "might be caching our flight data" — asking me to
"build your own infrastructure rather than using our processed files." A second,
similar comment echoed it almost word-for-word. There were a few throwaway /
fake-looking accounts piling on with the same line.
The argument escalated to: "we have to pay server costs for every search he
scrapes from us… he's draining someone else's infrastructure."
My response was simple, and public:
"Funny — when I emailed you privately about the security holes in your app, you
were grateful. Now you're whining about me 'draining your infrastructure'? Pick
a lane."
And:
"First off, I am not using your infrastructure at all. Secondly, I'll open-source
my code when I'm done working. If you're still worried I'm using your stuff under
the hood — you can DM me."
A neutral commenter (SD-Buckeye) cut to the real point that applies to all of
us: "Aren't you guys just breaking Frontier's ToS anyway?" — which is exactly
why I think none of these tools have any business charging money. We're all
standing in the same glass house.
The support
The encouragement, though, massively outweighed the noise:
- "We GoWilders thank you!!!" — DrMoLew
- "Love the interface/dark mode — sickkk!" — Soccer-Plane-444
- "This is just faaaantastic! The look, the features, the ease of use… that's me using it for about 30 seconds. Hats off to you!" — Silent_Garden_2668
- "Great work! Lots of potential. Keep it going." — CarbonCubSS
- "The UI and interface is crazy ngl." — sshivanshh11
- "Love it! Would love a Discord so a community could talk about it." — whatevethefuck212
- "Haven't bought the GoWild yet but this'll help me decide. So this is what hardworking people do with their free time while I'm binging Netflix." — 2_krazykats
That last one stuck with me.
Chapter 9 — The surge, and going invite-only
Then the registrations hit.
100+ sign-ups in a single day — more than my email-verification limits were
provisioned to handle. Rather than let verification emails silently fail, I
flipped the site to invite-only for a few days behind this message:
"Too many registrations in the last 24 hours, so new signups are temporarily
paused. Enter your email below to request access. We'll notify you when
registration opens again, or send you a direct invite if access is available
sooner."
The admin tooling I'd built — signup pause, waitlist, single-use invites — turned
out to be exactly what I needed within 24 hours of launch. Good luck, partly.
Mostly: building the boring access-control plumbing up front paid off immediately.
Chapter 10 — Removed from the subreddit it was built for
The launch post didn't survive long. On May 5, r/gowildfrontier moderators
removed it for self-promotion.
I sent modmail to ask for it back. The exchange (with mod SuccessfulOutcome130):
Me: "I understand promotion is not allowed in this subreddit. But I am not
charging any money and I am never planning to. I've had people using my services
and I plan to keep it that way. I'd appreciate if you can allow my post back."
Mod: "Unfortunately we've had many issues with 'free' tools that have spammed
the sub in the past. Additionally, to date, every 'free' tool has ended up
monetizing. The direction of the sub is not for tooling but rather to post
experiences and trip reports. Please respect the rules of the sub; it is very
common in subreddits to ban self-promotions (free or otherwise)."
Me: "I have no plans to monetize this, and I fully understand the rule against
self-promotion. My intent was simply to share a tool the community could use
freely. Personally, I don't think people should have to pay for something that
isn't really theirs to sell. Tools like gopassflights and others are a good
example — as a developer, I can tell their data isn't coming from official
channels, and it genuinely bothers me to see users charged for that. I'm not here
to market anything."
Mod: "I understand your frustration and I genuinely believe you have every
intention to keep it free. However, the reality is that costs will increase and
monetization will be the only path forward. Best of luck with your business and I
appreciate your understanding of the rules moving forward."
I'll be straight about how this felt. The rule — no self-promotion, free or
otherwise — is a legitimate, common subreddit rule, and on paper the mod applied
it consistently. But from where I sat, the field didn't feel level. The same
community happily name-drops the paid tools in conversation, while the stated
logic — "every free tool eventually monetizes, so even a free one is suspect" —
effectively pre-judges the free option by the track record of the paid ones.
It read as protecting the exact status quo I was trying to offer an alternative
to.
Then it went a step further. On May 23, I got a permanent ban from
r/gowildfrontier — this time for a comment, where I'd done little more than
mention my free service:
"You have been permanently banned from participating in /r/gowildfrontier
because your comment violates this community's rules. … If you use another
account to circumvent this community ban, that will be considered a violation of
the Reddit Rules and may result in your account being banned from the platform
as a whole."
So: removed for posting it, then banned for mentioning it. My read — and I'll
label it as a read, not a proven fact — is that the moderation leaned toward the
incumbents who market in that space, free or paid. Either way, the irony wasn't
lost on me: walled out of the one subreddit the tool was literally built for.
It didn't change the math, though. The original (now-removed) post had already
sent its wave of traffic, people had the link, and word of mouth carried it the
rest of the way. You can remove a post. You can't un-share a URL.
Chapter 11 — The numbers
A few weeks in, the traffic told the story (via Rybbit analytics).
Last 30 days
- ~1,700 unique visitors, 2,200 sessions, 6,700 pageviews
- ~3 pages per session, ~2m 48s average session, 38% bounce
- A sharp launch spike of ~530 users on a single day (May 4), then a healthy sustained tail rather than a flatline — people kept coming back.

30 days: 1.7K users, 2.2K sessions, 6.7K pageviews — and the unmistakable launch spike on May 4.
Where they came from
- Reddit was the spark: `reddit.com` (315) + `com.reddit.frontpage` (122) + `old.reddit.com` — the launch post was the engine. Then Android Gmail, Google, Facebook, even ChatGPT and a temp-mail service (people guarding their inbox).
- The funnel is legible in the page hits: `/` (2K) → `/register` (1K) → `/login` (717) → `/verify` (344). Land, sign up, verify, come back.

Referrers and pages: Reddit on top, and a clean land → register → login → verify funnel.
But the most telling cut is channels: Direct (1.7K) dwarfs Organic Social
(442). After the initial Reddit blast, most sessions are people typing the URL or
returning by bookmark — the strongest signal I have that it's becoming a habit,
not just a one-time curiosity click.

Direct (1.7K) > Organic Social (442): the Reddit spike kicked it off, but returning/direct traffic now carries it.
Who they were
- Overwhelmingly mobile — Mobile Safari (863) + Mobile Chrome (400) led, which validated every minute spent on the responsive layout.
- Overwhelmingly US (2.1K sessions), with a long international tail: Pakistan, UK, Canada, Puerto Rico, Sweden, Germany, Hungary, Honduras, Panama.

Mobile-first and US-heavy — exactly the audience a GoWild! pass tool should expect.
A representative day, well after the spike
- 68 unique users, 77 sessions, 223 pageviews, 2.9 pages/session, 2m 36s sessions — steady daily usage long after the launch wave passed.

A normal day weeks later: ~68 users still showing up, spread across the clock — not a dead post.
Accounts
- 318 total users, 308 verified, 0 disabled, 53 new in the last 7 days, 25 push subscriptions — and still zero monetization.

The admin panel: 318 users, 308 verified, 53 new in the last 7 days — all on a free, invite-managed signup flow.
Chapter 12 — Why it stays free
Let me restate the philosophy plainly, because it's the whole reason this exists:
The data isn't ours. It's Frontier's. Every tool in this space — including
mine — is a scraper sitting on top of an airline's public booking data. I'm not
pretending otherwise; I scrape too, the same way they do. That's precisely why
I won't charge for it. You don't get to wrap data you don't own, against the
source's terms, and then sell a $9.89/mo "Ultra" tier with nine mystery features
coming soon. If the value you're adding is presentation, then compete on
presentation — and let people use it for free.
So LetsGoWild has:
- No paid tier. No trial. No credit card. No "Pro."
- The features other tools gate behind $5–$10/mo — multi-airport search, the interactive map, the calendar, all the filters, alerts — are just… there.
- A stated intent to open-source the code.
Put concretely against the market survey from Chapter 3: gowilder.net charges
$10/mo for an AI trip planner — LetsGoWild has one, free. the1491club gates
real-time availability and pricing behind "First Class" — that's the default
here. SearchGWP doesn't offer a free tier at all — and the entire LetsGoWild
product is the free tier, because there is no other tier to upsell you to.
A moderator told me, in so many words, that every free tool in this space
eventually monetizes — that costs rise and "monetization will be the only path
forward." Maybe that's been true historically. I intend to be the exception, and
I'm writing it down here precisely so it can be held against me if I'm ever
tempted to break it. The data isn't mine to sell; that doesn't change when the
server bill goes up.
The second reason is simpler: I genuinely believed I could present this data
better than what existed, and the launch reaction suggests I wasn't wrong.
Chapter 13 — What's next
- Open-sourcing the codebase, as promised publicly.
- A community space (Discord) — multiple people asked, and it's a good idea.
- Continuing to widen the flexible-search patterns people actually want.
- Keeping the lights on, keeping it fast, and keeping it free.
Timeline at a glance
| When | What |
|---|---|
| Late Apr 2026 | Searching PHX→ATL for a summer family trip; fares ~$300+. Spotted Frontier's ~$200 GoWild! summer pass. |
| Late Apr 2026 | Researched how GoWild! works; found gopassflights.com (and peers) via r/gowildfrontier. |
| Late Apr 2026 | Hit the paywalls. Noticed the free-tier 3-search cap was client-side only; confirmed full backend access in DevTools. |
| Late Apr 2026 | Built a private PoC, sent a full responsible-disclosure report to the founder. He replied gratefully, admitting it was an MVP trade-off. |
| Early May 2026 | Having learned the data layer, built the first draft of LetsGoWild in ~2 days. |
| ~May 3–4, 2026 | Launched + posted to r/gowildfrontier. 500+ visitors in a day. |
| ~May 3–4, 2026 | gopassflights devs + throwaway accounts pushed back; community support far outweighed it. |
| Within 24h | 100+ registrations exceeded email-verification limits → flipped to invite-only with a waitlist. |
| May 5, 2026 | r/gowildfrontier mods removed the launch post for self-promotion; modmail appeal denied ("every free tool ends up monetizing"). |
| May 23, 2026 | Permanent ban from r/gowildfrontier — for a comment merely mentioning the free tool. |
| ~May 24, 2026 | ~1.7K unique visitors/30d, 318 users (308 verified), still 100% free. Tool kept growing on word of mouth despite the ban. |