Most backend data leaks aren't clever hacks. They're a database, CMS or API left readable by the anonymous / public role — a default someone forgot to lock down before going to production.
So I built a family of open-source auditors (MIT, zero dependencies) that check for exactly that, and confirm each leak with a read-only anonymous probe — the same request any visitor's browser makes. Nothing is downloaded, nothing is changed. You get the bytes that are actually exposed, not a guess from a config file.
One command each:
npx strapi-security --url https://your-strapi.example.com
npx directus-security --url https://your-directus.example.com
npx hasura-security --url https://your-hasura.example.com
npx convex-security --url https://your-app.convex.cloud
npx ollama-security --url http://your-host:11434
npx payload-security --url https://your-payload.example.com
npx n8n-security --url https://your-n8n.example.com
Plus auditors for Supabase, Firebase, PocketBase, Appwrite and Nhost, and tools for served secret files (.env, .git, source maps) and Claude Code .claude/ config footguns.
Full collection, all MIT:
https://github.com/Perufitlife/awesome-backend-security
Want me to run one for you — free?
If you'd rather not install anything, drop your backend URL and I'll run the matching auditor and post the findings + the exact fixes back to you, free. Read-only, nothing downloaded.
Request a free audit: https://github.com/Perufitlife/awesome-backend-security/issues/new?template=free-audit.yml
If it turns up something and you'd like the fixes done for you, there's a fixed-scope $99 option — but the tools and the audit are free, and that's the point: most of these holes take five minutes to close once you know they're there.