Detection Coverage

Frontguard CLI is designed to match the extension's core analysis categories where a CLI can reasonably observe the same evidence.

Supported

Secrets

  • OpenAI keys
  • Anthropic keys
  • Stripe secret keys
  • GitHub tokens
  • AWS access key IDs
  • Private key blocks
  • Database URLs
  • Slack tokens
  • SendGrid keys
  • Telegram bot tokens
  • Google API keys
  • Supabase service role style JWTs

Public Config

  • Supabase public config and anon tokens
  • Firebase public config
  • Stripe publishable keys
  • Auth0/Cognito/Appwrite/Sanity/Contentful style public config

Expected public config is usually reported as info, not as a vulnerability: these values are meant to reach the browser, and the actual risk lives in what the backend lets them do (for example, the Supabase RLS policies behind an anon token), which a client-side scanner cannot see.
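A worked version of the secret-versus-public-config split from the two lists above, added here as an example and not Frontguard's own code: it regex-matches a subset of the credential shapes listed (the patterns, function names and the constructed sample bundle are this example's assumptions, based on the publicly documented key formats) and, for anything that looks like a JWT, decodes the payload to tell a Supabase anon token (info) from a service_role token (secret). Node.js, no dependencies:

```javascript
// Added example, not Frontguard's code. Pattern shapes are assumptions based on
// the publicly documented formats of these credentials; tune them for real use.
const SECRET_PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'github-token', re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
  { id: 'stripe-secret-key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/ },
  { id: 'slack-token', re: /\bxox[baprs]-[0-9A-Za-z-]{10,}/ },
  { id: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}/ },
  { id: 'private-key-block', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
  { id: 'database-url', re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/ },
];

// Values that are expected to ship: reported as info, never as a vulnerability.
const PUBLIC_PATTERNS = [
  { id: 'stripe-publishable-key', re: /\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b/ },
];

// Three base64url segments joined by dots; matched loosely, then decoded.
const JWT_RE = /[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

// Decode a JWT payload WITHOUT verifying the signature: the question is which
// claims the bundle ships, not whether the token is valid.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

function scanForCredentials(text) {
  const findings = [];
  for (const { id, re } of SECRET_PATTERNS) {
    const m = text.match(re);
    if (m) findings.push({ id, severity: 'high', match: m[0] });
  }
  for (const { id, re } of PUBLIC_PATTERNS) {
    const m = text.match(re);
    if (m) findings.push({ id, severity: 'info', match: m[0] });
  }
  for (const token of text.match(JWT_RE) || []) {
    const claims = decodeJwtPayload(token);
    if (!claims) continue;
    // Supabase-style JWTs carry the role in the payload: "anon" is the key that
    // is meant to ship; "service_role" bypasses RLS and is a secret.
    const preview = token.slice(0, 24) + '...';
    if (claims.role === 'service_role') {
      findings.push({ id: 'supabase-service-role-jwt', severity: 'high', match: preview });
    } else if (claims.role === 'anon') {
      findings.push({ id: 'supabase-anon-jwt', severity: 'info', match: preview });
    }
  }
  return findings;
}

// Constructed sample input: unsigned Supabase-style JWTs inside a fake bundle.
function sampleJwt(role) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ iss: 'supabase', ref: 'xyzcompany', role })}.${'x'.repeat(43)}`;
}

const SAMPLE_BUNDLE = `
const supabaseUrl = "https://xyzcompany.supabase.co";
const supabaseAnonKey = "${sampleJwt('anon')}";
const adminClientKey = "${sampleJwt('service_role')}";
const stripePk = "pk_test_51ExampleExampleExampleExample";
const stripeSk = "sk_test_51ExampleExampleExampleExample";
const dbUrl = "postgres://app:s3cret@db.internal:5432/app";
`;

console.log(JSON.stringify(scanForCredentials(SAMPLE_BUNDLE), null, 2));
```

The two JWTs have identical shape; only the decoded role claim separates the expected public anon key from the service_role key that should never be in a bundle, which is why a pure regex match cannot make that call.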

Frontend Env Variables

  • VITE_*
  • NEXT_PUBLIC_*
  • NUXT_PUBLIC_*
  • PUBLIC_*
  • REACT_APP_*
  • GATSBY_*
  • EXPO_PUBLIC_*

Build tools inline variables with these prefixes into the shipped bundle, so their values are public by construction. Names containing SECRET, PRIVATE, SERVICE_ROLE, ADMIN, DATABASE, or TOKEN are elevated for review because a public prefix on a server-side credential is a common misconfiguration.

Source Disclosure

  • Source map files
  • sourceMappingURL references
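The env-variable and source-map checks from the two lists above, as an added example that is not Frontguard's own code: the prefixes and suspicious name parts are the ones on this page; the function names, severities and the constructed sample source are this example's assumptions. Node.js, no dependencies:

```javascript
// Added example, not Frontguard's code. Build tools inline variables with these
// prefixes into the shipped bundle, so any value behind them is public.
const FRONTEND_ENV_PREFIXES = ['VITE_', 'NEXT_PUBLIC_', 'NUXT_PUBLIC_', 'PUBLIC_', 'REACT_APP_', 'GATSBY_', 'EXPO_PUBLIC_'];

// Name fragments that suggest a server-side credential behind a public prefix.
const SUSPICIOUS_NAME_PARTS = ['SECRET', 'PRIVATE', 'SERVICE_ROLE', 'ADMIN', 'DATABASE', 'TOKEN'];

const ENV_NAME_RE = new RegExp(`\\b(?:${FRONTEND_ENV_PREFIXES.join('|')})[A-Z0-9_]+`, 'g');

function findFrontendEnvVars(text) {
  const byName = new Map();
  for (const name of text.match(ENV_NAME_RE) || []) {
    if (byName.has(name)) continue;
    const hit = SUSPICIOUS_NAME_PARTS.find((part) => name.includes(part));
    byName.set(name, {
      name,
      severity: hit ? 'review' : 'info',
      reason: hit ? `public prefix with ${hit} in the name` : 'expected public prefix',
    });
  }
  return [...byName.values()];
}

// Matches "//# sourceMappingURL=..." and "/*# sourceMappingURL=... */" trailers.
const SOURCE_MAP_RE = /\/[\/*][@#]\s*sourceMappingURL=([^\s*]+)/g;

function findSourceMapReferences(text) {
  return [...text.matchAll(SOURCE_MAP_RE)].map((m) => ({
    url: m[1],
    // An inline data: map ships the full original source inside the bundle.
    inline: m[1].startsWith('data:'),
    severity: 'review',
  }));
}

// Constructed sample source, as a build tool sees it before inlining.
const SAMPLE_SOURCE = `
const url = import.meta.env.VITE_SUPABASE_URL;
const anon = import.meta.env.VITE_SUPABASE_ANON_KEY;
const service = import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY;
const api = process.env.NEXT_PUBLIC_API_URL;
const db = process.env.NEXT_PUBLIC_DATABASE_URL;
//# sourceMappingURL=app.3f2a1c.js.map
`;

console.log(findFrontendEnvVars(SAMPLE_SOURCE));
console.log(findSourceMapReferences(SAMPLE_SOURCE));
```

A name match is only a prompt to look: VITE_SUPABASE_SERVICE_ROLE_KEY is flagged because of its name, but whether the value behind it is really a service-role key is what the secret patterns decide.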

Network

Available in HAR and deep-scan modes:

  • Query string token/secret signals
  • Client-supplied review fields such as role, price, user_id, owner_id, tenant_id, and plan
  • Commerce/authority review fields such as total, subtotal, discount, coupon, shipping_method, payment_method, variant_id, cart_id, order_id, customer_id, subscription, and refund

These field findings are informational review notes by default. Frontguard can see that the browser sent the field, but it cannot know whether the backend is already validating, ignoring, or recalculating it correctly.

  • GraphQL endpoints
  • GraphQL introspection
  • Sensitive JSON response fields with path evidence
  • Secret patterns inside request/response bodies
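A worked pass over a HAR file for the network signals above, added here as an example and not Frontguard's own code: the review field lists are copied from this page; the token-name heuristic, the severities, the function names and the constructed HAR fragment are this example's assumptions. Node.js, no dependencies:

```javascript
// Added example, not Frontguard's code. Parameter-name heuristics, field lists
// (copied from this page) and the constructed HAR below are its assumptions.
const TOKEN_PARAM_RE = /token|secret|api[-_]?key|auth|session|jwt|password/i;
const CLIENT_REVIEW_FIELDS = new Set(['role', 'price', 'user_id', 'owner_id', 'tenant_id', 'plan']);
const COMMERCE_REVIEW_FIELDS = new Set([
  'total', 'subtotal', 'discount', 'coupon', 'shipping_method', 'payment_method',
  'variant_id', 'cart_id', 'order_id', 'customer_id', 'subscription', 'refund',
]);

// Top-level field names the browser sent: form params or JSON object keys.
function requestFieldNames(postData) {
  if (!postData) return [];
  if (Array.isArray(postData.params)) return postData.params.map((p) => p.name);
  if (/json/i.test(postData.mimeType || '') && postData.text) {
    try {
      const body = JSON.parse(postData.text);
      return body && typeof body === 'object' && !Array.isArray(body) ? Object.keys(body) : [];
    } catch {
      return [];
    }
  }
  return [];
}

function reviewHar(har) {
  const notes = [];
  for (const entry of har.log.entries) {
    const { method, url, queryString = [], postData } = entry.request;
    const note = (kind, severity, extra = {}) => notes.push({ kind, severity, method, url, ...extra });

    // Secrets in query strings end up in logs, referers and browser history.
    for (const q of queryString) {
      if (TOKEN_PARAM_RE.test(q.name)) note('query-secret-signal', 'review', { field: q.name });
    }

    // The browser sent these; only the backend knows whether it trusts them,
    // so they are review notes, not vulnerabilities.
    for (const name of requestFieldNames(postData)) {
      const key = name.toLowerCase();
      if (CLIENT_REVIEW_FIELDS.has(key)) note('client-supplied-field', 'info', { field: name });
      else if (COMMERCE_REVIEW_FIELDS.has(key)) note('commerce-authority-field', 'info', { field: name });
    }

    if (new URL(url).pathname.endsWith('/graphql')) {
      note('graphql-endpoint', 'info');
      if (postData && typeof postData.text === 'string' && /__schema|__type\b/.test(postData.text)) {
        note('graphql-introspection', 'review');
      }
    }
  }
  return notes;
}

// Constructed HAR fragment: a token in a query string, a checkout POST carrying
// client-supplied authority fields, and a GraphQL introspection query.
const SAMPLE_HAR = {
  log: {
    entries: [
      {
        request: {
          method: 'GET',
          url: 'https://shop.example/api/me?access_token=abc123',
          queryString: [{ name: 'access_token', value: 'abc123' }],
        },
      },
      {
        request: {
          method: 'POST',
          url: 'https://shop.example/api/checkout',
          queryString: [],
          postData: {
            mimeType: 'application/json',
            text: JSON.stringify({ cart_id: 'c_1', total: 1.0, coupon: 'FREE100', role: 'admin' }),
          },
        },
      },
      {
        request: {
          method: 'POST',
          url: 'https://shop.example/graphql',
          queryString: [],
          postData: { mimeType: 'application/json', text: JSON.stringify({ query: '{ __schema { types { name } } }' }) },
        },
      },
    ],
  },
};

console.log(reviewHar(SAMPLE_HAR));
```

The checkout entry is the case the paragraph above warns about: seeing total and role in the request body proves only that the client sent them; whether the server recalculates the total and ignores the role is a manual check against the backend.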

Platform, CMS, Commerce, And No-Code

  • WordPress detection from generator tags, /wp-content/, /wp-includes/, /wp-json/, REST links, wpApiSettings, admin-ajax.php, and login/admin paths
  • WordPress plugin and theme slug inventory from loaded asset paths
  • WordPress version hints and WooCommerce storefront/cart/checkout/API signals
  • Shopify, Webflow, Drupal, Joomla, Squarespace, Wix, Framer, Bubble, Ghost, Magento / Adobe Commerce, PrestaShop, and OpenCart passive platform signals
  • Replit and AI/dev-hosting style signals, including preview domains and observed debug/dev/config-style routes
  • Broad third-party script surface and internal-tool UI language

Platform findings are context for review. They do not claim the platform or site is vulnerable by themselves.
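The WordPress part of the list above as a worked example, added here and not Frontguard's own code: the signal list follows this page; the attribute regexes, the two-signal threshold, the function names and the constructed sample HTML are this example's assumptions. Node.js, no dependencies:

```javascript
// Added example, not Frontguard's code. Signal list follows this page; the
// attribute regexes and the constructed sample HTML are this example's assumptions.
const WP_SIGNALS = [
  { id: 'generator-tag', re: /<meta[^>]+name=["']generator["'][^>]+content=["']WordPress(?:\s+([\d.]+))?["']/i },
  { id: 'wp-content-path', re: /\/wp-content\// },
  { id: 'wp-includes-path', re: /\/wp-includes\// },
  { id: 'wp-json-path', re: /\/wp-json\// },
  { id: 'rest-link', re: /<link[^>]+rel=["']https:\/\/api\.w\.org\/["']/i },
  { id: 'wpApiSettings', re: /\bwpApiSettings\b/ },
  { id: 'admin-ajax', re: /\/wp-admin\/admin-ajax\.php/ },
  { id: 'login-or-admin-path', re: /\/wp-login\.php|\/wp-admin\//i },
];

// Plugin and theme slugs are the first path segment under /wp-content/plugins/
// or /wp-content/themes/ in loaded asset URLs.
const WP_ASSET_RE = /\/wp-content\/(plugins|themes)\/([A-Za-z0-9_.-]+)\//g;

function detectWordPress(html) {
  const signals = [];
  let version = null;
  for (const { id, re } of WP_SIGNALS) {
    const m = html.match(re);
    if (!m) continue;
    signals.push(id);
    if (id === 'generator-tag' && m[1]) version = m[1];
  }
  // Fallback version hint (assumption): core "dist" assets under /wp-includes/
  // are usually versioned with the WordPress core version in ?ver=.
  if (!version) {
    const v = html.match(/\/wp-includes\/(?:css|js)\/dist\/[^"'\s]*\?ver=([\d.]+)/);
    if (v) version = v[1];
  }
  const plugins = new Set();
  const themes = new Set();
  for (const m of html.matchAll(WP_ASSET_RE)) {
    (m[1] === 'plugins' ? plugins : themes).add(m[2]);
  }
  const woocommerce = plugins.has('woocommerce') || /\bwc-ajax=/.test(html);
  return {
    // One path hit alone is weak evidence; require two independent signals.
    detected: signals.length >= 2,
    signals,
    version,
    plugins: [...plugins].sort(),
    themes: [...themes].sort(),
    woocommerce,
  };
}

// Constructed sample page head from a WooCommerce storefront.
const SAMPLE_WP_HTML = `<!doctype html><html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="https://api.w.org/" href="https://blog.example/wp-json/" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentytwentyfour/style.css?ver=1.1" />
<script src="https://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://blog.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.9"></script>
<script src="https://blog.example/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=8.9.1"></script>
<script>var wpApiSettings = {"root":"https://blog.example/wp-json/","nonce":"abc"};</script>
</head><body></body></html>`;

console.log(detectWordPress(SAMPLE_WP_HTML));
```

The output is an inventory (platform, version hint, plugin and theme slugs), which is exactly the "context for review" the paragraph above describes: a slug tells you what to look up, not that anything is vulnerable.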

Headers

  • Missing CSP
  • Weak CSP
  • Missing HSTS
  • Missing X-Content-Type-Options
  • Permissive CORS
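The header checks above as a worked example, added here and not Frontguard's own code: the rules for what counts as a weak CSP and a permissive CORS response, the severities, the function names and the two constructed header sets are this example's assumptions. Node.js, no dependencies:

```javascript
// Added example, not Frontguard's code. What counts as "weak" CSP and
// "permissive" CORS here is this example's assumption, as are the sample headers.
function headerLookup(headers) {
  const map = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return (name) => map.get(name.toLowerCase());
}

function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// A CSP is "weak" when its script sources would not stop injected script.
function weakCspReasons(csp) {
  const d = parseCsp(csp);
  const reasons = [];
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) {
    reasons.push('no script-src or default-src');
  } else {
    const hasNonceOrHash = scriptSrc.some((v) => v.startsWith("'nonce-") || v.startsWith("'sha"));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) reasons.push("'unsafe-inline' without a nonce or hash");
    if (scriptSrc.includes("'unsafe-eval'")) reasons.push("'unsafe-eval' allowed");
    if (scriptSrc.some((v) => v === '*' || v === 'https:' || v === 'http:' || v === 'data:')) reasons.push('wildcard or scheme-wide script source');
  }
  if (!d.has('object-src') && !d.has('default-src')) reasons.push('no object-src or default-src');
  return reasons;
}

// requestOrigin is the Origin header the probe sent; an ACAO that echoes it
// back with credentials allowed is the exploitable CORS case.
function reviewHeaders(headers, { requestOrigin = 'https://attacker.example' } = {}) {
  const get = headerLookup(headers);
  const findings = [];

  const csp = get('content-security-policy');
  if (!csp) {
    findings.push({ id: 'missing-csp', severity: 'medium' });
  } else {
    const reasons = weakCspReasons(csp);
    if (reasons.length) findings.push({ id: 'weak-csp', severity: 'medium', detail: reasons });
  }

  if (!get('strict-transport-security')) findings.push({ id: 'missing-hsts', severity: 'low' });

  if ((get('x-content-type-options') || '').trim().toLowerCase() !== 'nosniff') {
    findings.push({ id: 'missing-x-content-type-options', severity: 'low' });
  }

  const acao = get('access-control-allow-origin');
  const withCredentials = (get('access-control-allow-credentials') || '').trim().toLowerCase() === 'true';
  if (acao === requestOrigin && withCredentials) {
    findings.push({ id: 'permissive-cors', severity: 'high', detail: 'reflects the request origin with credentials' });
  } else if (acao === '*') {
    // Browsers refuse credentialed responses under "*", so this exposes
    // unauthenticated data only.
    findings.push({ id: 'permissive-cors', severity: 'low', detail: 'wildcard origin' });
  }
  return findings;
}

// Constructed samples, as if the probe had sent Origin: https://attacker.example.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  'Access-Control-Allow-Origin': 'https://attacker.example',
  'Access-Control-Allow-Credentials': 'true',
};

const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'Access-Control-Allow-Origin': 'https://app.example',
};

console.log(reviewHeaders(WEAK_HEADERS));
console.log(reviewHeaders(HARDENED_HEADERS));
```

The reflected-origin check only works if the scan actually sent an untrusted Origin header; a passive HAR captured from the real site will only ever show the site's own origin being allowed, which is why permissive CORS is easy to miss without an active probe.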

Browser Storage

Available in deep-scan mode:

  • localStorage
  • sessionStorage
  • IndexedDB database names
  • Cache Storage keys
  • Session/token-like keys
  • Product-specific low-risk treatment for pubflow_session_id

Extension vs CLI

The extension is better for:

  • Browser popup UX
  • DevTools panel workflow
  • Authenticated session comparison
  • Post-logout browser storage review
  • Live page storage from the exact active tab

The CLI is better for:

  • Repeatable scans
  • CI
  • Build artifacts
  • HAR import
  • Localhost and URL checks
  • Interactive browser capture from the terminal
  • Copy-friendly reports in automation

Important Limitations

No client-side scanner can prove an app is secure.

Frontguard does not:

  • Read backend source from a deployed app
  • Prove all authorization rules are correct
  • Brute force IDs
  • Fuzz endpoints
  • Replay mutating requests
  • Verify Supabase RLS policies automatically without a consented behavioral test

Findings are defensive review signals. Validate them in context.