Frontguard CLI is designed to match the extension's core analysis categories where a CLI can reasonably observe the same evidence.
- OpenAI keys
- Anthropic keys
- Stripe secret keys
- GitHub tokens
- AWS access key IDs
- Private key blocks
- Database URLs
- Slack tokens
- SendGrid keys
- Telegram bot tokens
- Google API keys
- Supabase service role style JWTs
- Supabase public config and anon tokens
- Firebase public config
- Stripe publishable keys
- Auth0/Cognito/Appwrite/Sanity/Contentful style public config
Expected public config is usually reported as info, not as a vulnerability.
Public env prefixes: `VITE_*`, `NEXT_PUBLIC_*`, `NUXT_PUBLIC_*`, `PUBLIC_*`, `REACT_APP_*`, `GATSBY_*`, `EXPO_PUBLIC_*`
Suspicious names such as SECRET, PRIVATE, SERVICE_ROLE, ADMIN, DATABASE, or TOKEN are elevated for review.
- Source map files and `sourceMappingURL` references
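To make the static categories above concrete, here is an added example of a bundle scan. It is not Frontguard's own code: it runs secret-style regexes over a JavaScript bundle, decodes any JWT it finds to tell a Supabase `anon` token from a `service_role` token, classifies `import.meta.env` / `process.env` references by public prefix and by suspicious name, and notes `sourceMappingURL` comments. The regexes, the severity labels (`high`, `review`, `info`), the function names and the constructed sample bundle are all assumptions of this example.

```javascript
// Added example, not Frontguard's own code. The regexes, the severity labels
// (high / review / info) and the constructed sample bundle are assumptions.

// [category, severity, pattern]. Anthropic is listed before OpenAI because
// both prefixes start with "sk-"; the OpenAI pattern excludes "sk-ant-".
const SECRET_PATTERNS = [
  ["anthropic_key",      "high",   /\bsk-ant-[A-Za-z0-9_-]{20,}/g],
  ["openai_key",         "high",   /\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}/g],
  ["stripe_secret",      "high",   /\b[sr]k_(?:live|test)_[A-Za-z0-9]{10,}\b/g],
  ["stripe_publishable", "info",   /\bpk_(?:live|test)_[A-Za-z0-9]{10,}\b/g],
  ["github_token",       "high",   /\b(?:gh[opsur]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b/g],
  ["aws_access_key_id",  "high",   /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g],
  ["private_key_block",  "high",   /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g],
  ["database_url",       "high",   /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s"'`]+/g],
  ["slack_token",        "high",   /\bxox[abprs]-[A-Za-z0-9-]{10,}/g],
  ["sendgrid_key",       "high",   /\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g],
  ["telegram_bot_token", "high",   /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g],
  ["google_api_key",     "review", /\bAIza[0-9A-Za-z_-]{35}\b/g],
];
const JWT_PATTERN = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;
const ENV_REFERENCE = /(?:process\.env|import\.meta\.env)\.([A-Z][A-Z0-9_]*)/g;
const SOURCE_MAP = /\/[/*]\s*#\s*sourceMappingURL=([^\s*]+)/g;
const PUBLIC_PREFIXES = ["VITE_", "NEXT_PUBLIC_", "NUXT_PUBLIC_", "PUBLIC_", "REACT_APP_", "GATSBY_", "EXPO_PUBLIC_"];
const SUSPICIOUS_NAME = /SECRET|PRIVATE|SERVICE_ROLE|ADMIN|DATABASE|TOKEN/;

// Keep the report useful without re-leaking the matched value.
function redact(value) {
  return value.length <= 12 ? value : `${value.slice(0, 8)}...[${value.length} chars]`;
}

function decodeJwtPayload(token) {
  try {
    const seg = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(seg, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Supabase-style JWTs carry a "role" claim: "anon" is expected public config,
// while "service_role" bypasses Row Level Security and must not ship to browsers.
function classifyJwt(token) {
  const claims = decodeJwtPayload(token) || {};
  if (claims.role === "service_role") return ["supabase_service_role_jwt", "high"];
  if (claims.role === "anon") return ["supabase_anon_jwt", "info"];
  return ["jwt", "review"];
}

// A public prefix marks expected public config, but a suspicious word in the
// name (VITE_SERVICE_ROLE_KEY) is elevated regardless of prefix. Names without
// a public prefix are left for review, since bundlers normally inline only
// public-prefixed variables.
function classifyEnvName(name) {
  if (SUSPICIOUS_NAME.test(name)) return "review";
  return PUBLIC_PREFIXES.some((p) => name.startsWith(p)) ? "info" : "review";
}

function scanBundle(source) {
  const findings = [];
  for (const [category, severity, pattern] of SECRET_PATTERNS) {
    for (const m of source.matchAll(pattern)) findings.push({ category, severity, evidence: redact(m[0]) });
  }
  for (const m of source.matchAll(JWT_PATTERN)) {
    const [category, severity] = classifyJwt(m[0]);
    findings.push({ category, severity, evidence: redact(m[0]) });
  }
  const seen = new Set();
  for (const m of source.matchAll(ENV_REFERENCE)) {
    if (seen.has(m[1])) continue;
    seen.add(m[1]);
    findings.push({ category: "env_reference", severity: classifyEnvName(m[1]), evidence: m[1] });
  }
  for (const m of source.matchAll(SOURCE_MAP)) findings.push({ category: "source_map", severity: "info", evidence: m[1] });
  return findings;
}

// Constructed sample data: unsigned-looking JWTs (header.payload.fake-signature)
// and placeholder keys that merely have the right shape.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fakeJwt(payload) {
  return `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(payload)}.${"x".repeat(43)}`;
}
const SAMPLE_BUNDLE = [
  'const supabaseUrl = "https://example.supabase.co";',
  `const anonKey = "${fakeJwt({ role: "anon", iss: "supabase" })}";`,
  `const adminKey = "${fakeJwt({ role: "service_role", iss: "supabase" })}";`,
  `const stripePk = "pk_test_${"a".repeat(24)}";`,
  `const stripeSk = "sk_test_${"b".repeat(24)}";`,
  'const awsKeyId = "AKIAABCDEFGH12345678";',
  'const api = import.meta.env.VITE_API_URL;',
  'const svc = import.meta.env.VITE_SERVICE_ROLE_KEY;',
  'const fb = process.env.NEXT_PUBLIC_FIREBASE_API_KEY;',
  '//# sourceMappingURL=app.js.map',
].join("\n");

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
```

Run it with `node` on its own; to point it at a real build, read the bundle file into `scanBundle` instead of `SAMPLE_BUNDLE`. Two design choices carry over to any real scanner: the JWT is decoded (not just pattern-matched) so the `anon` key ships as info while the `service_role` key is flagged, and the env-name check fires on the name even when the prefix says "public", because that is exactly how a service-role key ends up in a client bundle.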
Available in HAR and deep-scan modes:
- Query string token/secret signals
- Client-supplied review fields such as `role`, `price`, `user_id`, `owner_id`, `tenant_id`, and `plan`
- Commerce/authority review fields such as `total`, `subtotal`, `discount`, `coupon`, `shipping_method`, `payment_method`, `variant_id`, `cart_id`, `order_id`, `customer_id`, `subscription`, and `refund`
These field findings are informational review notes by default. Frontguard can see that the browser sent the field, but it cannot know whether the backend is already validating, ignoring, or recalculating it correctly.
- GraphQL endpoints
- GraphQL introspection
- Sensitive JSON response fields with path evidence
- Secret patterns inside request/response bodies
- WordPress detection from generator tags, `/wp-content/`, `/wp-includes/`, `/wp-json/`, REST links, `wpApiSettings`, `admin-ajax.php`, and login/admin paths
- WordPress plugin and theme slug inventory from loaded asset paths
- WordPress version hints and WooCommerce storefront/cart/checkout/API signals
- Shopify, Webflow, Drupal, Joomla, Squarespace, Wix, Framer, Bubble, Ghost, Magento / Adobe Commerce, PrestaShop, and OpenCart passive platform signals
- Replit and AI/dev-hosting style signals, including preview domains and observed debug/dev/config-style routes
- Broad third-party script surface and internal-tool UI language
Platform findings are context for review. They do not claim the platform or site is vulnerable by themselves.
- Missing CSP
- Weak CSP
- Missing HSTS
- Missing `X-Content-Type-Options`
- Permissive CORS
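The HAR-mode request-field, GraphQL and sensitive-response-field checks and the header checks just listed all work from the same captured entries, so one added example covers both passages. It is not Frontguard's own code: it walks a HAR 1.2 capture and reports query-string token signals, client-supplied and commerce fields, GraphQL endpoints and introspection, sensitive JSON response paths, and missing or weak CSP, missing HSTS, missing `X-Content-Type-Options` and permissive CORS. The review and commerce field lists come from the page; the regexes, the header heuristics, the severity labels and the constructed HAR are assumptions of this example.

```javascript
// Added example, not Frontguard's own code. Field lists are the page's; the
// regexes, header heuristics, severities and the constructed HAR are assumptions.

const REVIEW_FIELDS = new Set(["role", "price", "user_id", "owner_id", "tenant_id", "plan"]);
const COMMERCE_FIELDS = new Set(["total", "subtotal", "discount", "coupon", "shipping_method",
  "payment_method", "variant_id", "cart_id", "order_id", "customer_id", "subscription", "refund"]);
const TOKEN_LIKE_PARAM = /token|secret|api[_-]?key|auth|session|password|jwt/i;
const SENSITIVE_RESPONSE_KEY = /password|secret|token|api[_-]?key|private|ssn/i;
const WEAK_CSP_SOURCES = ["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:"];

// HAR header lookup by lowercase name; returns undefined when absent.
const header = (headers, name) => (headers.find((h) => h.name.toLowerCase() === name) || {}).value;

function parseJson(part) {
  if (!part || !/json/i.test(part.mimeType || "")) return null;
  try { return JSON.parse(part.text); } catch { return null; }
}

// Header checks for one entry. A HAR cannot show origin reflection, so only a
// literal "*" or "null" is reported as permissive CORS; a reflected-origin
// check needs an active probe with a foreign Origin header.
function headerFindings(entry) {
  const { request, response } = entry;
  const out = [];
  const csp = header(response.headers, "content-security-policy");
  if (csp === undefined) {
    out.push(["missing_csp", "review"]);
  } else {
    const directives = Object.fromEntries(csp.split(";").map((d) => {
      const [name, ...sources] = d.trim().split(/\s+/);
      return [name, sources];
    }));
    const scriptSources = directives["script-src"] ?? directives["default-src"];
    if (!scriptSources || scriptSources.some((s) => WEAK_CSP_SOURCES.includes(s))) out.push(["weak_csp", "review"]);
  }
  if (request.url.startsWith("https:") && header(response.headers, "strict-transport-security") === undefined) {
    out.push(["missing_hsts", "review"]);
  }
  if ((header(response.headers, "x-content-type-options") || "").toLowerCase() !== "nosniff") {
    out.push(["missing_x_content_type_options", "review"]);
  }
  const acao = header(response.headers, "access-control-allow-origin");
  if (acao === "*" || acao === "null") out.push(["permissive_cors", "review"]);
  return out;
}

// Field names the client sent, from the query string and a JSON body. These
// are review notes: the capture shows the field was sent, not how the backend
// treats it.
function fieldFindings(entry) {
  const out = [];
  const url = new URL(entry.request.url);
  for (const name of url.searchParams.keys()) {
    if (TOKEN_LIKE_PARAM.test(name)) out.push(["query_string_token", "review", name]);
  }
  const body = parseJson(entry.request.postData) || {};
  for (const name of [...url.searchParams.keys(), ...Object.keys(body)]) {
    if (REVIEW_FIELDS.has(name)) out.push(["client_supplied_field", "info", name]);
    if (COMMERCE_FIELDS.has(name)) out.push(["commerce_field", "info", name]);
  }
  if (url.pathname.endsWith("/graphql") || typeof body.query === "string") {
    out.push(["graphql_endpoint", "info", url.pathname]);
    if (/__schema|__type\b/.test(body.query || "")) out.push(["graphql_introspection", "review", url.pathname]);
  }
  return out;
}

// Dotted paths of sensitive-looking keys anywhere in a JSON response body.
function sensitivePaths(value, path = "") {
  if (Array.isArray(value)) return value.flatMap((v, i) => sensitivePaths(v, `${path}[${i}]`));
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([key, v]) => {
    const p = path ? `${path}.${key}` : key;
    return [...(SENSITIVE_RESPONSE_KEY.test(key) ? [p] : []), ...sensitivePaths(v, p)];
  });
}

function scanHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    for (const [category, severity] of headerFindings(entry)) findings.push({ url, category, severity });
    for (const [category, severity, field] of fieldFindings(entry)) findings.push({ url, category, severity, field });
    for (const path of sensitivePaths(parseJson(entry.response.content))) {
      findings.push({ url, category: "sensitive_response_field", severity: "review", path });
    }
  }
  return findings;
}

// Constructed HAR 1.2 fragment: a cart lookup with weak headers, a checkout
// POST carrying commerce fields, and a GraphQL introspection query.
const SAMPLE_HAR = { log: { version: "1.2", entries: [
  { request: { method: "GET", url: "https://shop.example/api/cart?cart_id=c_9&user_id=42&session_token=deadbeef", headers: [] },
    response: { status: 200, headers: [{ name: "Content-Type", value: "application/json" }, { name: "Access-Control-Allow-Origin", value: "*" }],
      content: { mimeType: "application/json", text: '{"cart":{"id":"c_9","owner":{"email":"a@example.com","api_key":"k_1"}}}' } } },
  { request: { method: "POST", url: "https://shop.example/api/checkout", headers: [],
      postData: { mimeType: "application/json", text: '{"cart_id":"c_9","total":1,"discount":99,"role":"admin"}' } },
    response: { status: 200, headers: [{ name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
        { name: "Strict-Transport-Security", value: "max-age=31536000" }, { name: "X-Content-Type-Options", value: "nosniff" }],
      content: { mimeType: "application/json", text: '{"order_id":"o_1","status":"paid"}' } } },
  { request: { method: "POST", url: "https://shop.example/graphql", headers: [],
      postData: { mimeType: "application/json", text: '{"query":"{ __schema { types { name } } }"}' } },
    response: { status: 200, headers: [{ name: "Content-Security-Policy", value: "default-src 'self'" },
        { name: "Strict-Transport-Security", value: "max-age=31536000" }, { name: "X-Content-Type-Options", value: "nosniff" }],
      content: { mimeType: "application/json", text: '{"data":{"__schema":{"types":[]}}}' } } },
] } };

console.log(JSON.stringify(scanHar(SAMPLE_HAR), null, 2));
```

To use it on a real capture, export a HAR from the browser's Network panel, `JSON.parse` the file and pass the result to `scanHar`. Note what the checkout entry does and does not tell you: `total`, `discount` and `role` were sent by the client, which is a review note; whether the server recomputes the total or ignores `role` is something only a consented, authenticated test can show, which is why those findings stay at info.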
Available in deep-scan mode:
- `localStorage` and `sessionStorage` keys
- IndexedDB database names
- Cache Storage keys
- Session/token-like keys
- Product-specific low-risk treatment for `pubflow_session_id`
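As an added example of the deep-scan storage categories (not Frontguard's own code), the following reviews a storage snapshot and compares it with one taken after logout, so that token-like entries a logout leaves behind stand out. The snapshot shape, the key-name heuristics, the severity labels and the constructed snapshots are assumptions of this example; the `pubflow_session_id` low-risk rule is the page's.

```javascript
// Added example, not Frontguard's own code. Snapshot shape, heuristics,
// severities and the constructed snapshots are assumptions; the
// pubflow_session_id low-risk rule is the page's.

const TOKEN_LIKE_KEY = /token|jwt|session|auth|secret|api[_-]?key|refresh/i;
const JWT_SHAPED = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
const LOW_RISK_KEYS = new Set(["pubflow_session_id"]);

// The product-specific rule runs first so a known-benign key is never
// re-flagged by the generic "session" heuristic.
function classifyEntry(area, key, value) {
  if (LOW_RISK_KEYS.has(key)) return { area, key, category: "product_low_risk", severity: "low" };
  if (JWT_SHAPED.test(value)) return { area, key, category: "jwt_value", severity: "review" };
  if (TOKEN_LIKE_KEY.test(key)) return { area, key, category: "token_like_key", severity: "review" };
  return { area, key, category: "storage_key", severity: "info" };
}

function reviewSnapshot(snapshot) {
  const findings = [];
  for (const area of ["localStorage", "sessionStorage"]) {
    for (const [key, value] of Object.entries(snapshot[area] || {})) {
      findings.push(classifyEntry(area, key, String(value)));
    }
  }
  for (const name of snapshot.indexedDB || []) {
    findings.push({ area: "indexedDB", key: name, category: "indexeddb_database", severity: "info" });
  }
  for (const name of snapshot.cacheStorage || []) {
    findings.push({ area: "cacheStorage", key: name, category: "cache_storage_key", severity: "info" });
  }
  return findings;
}

// Token-like entries that are unchanged after logout are the ones worth a
// closer look: a logout that leaves a refresh token behind is a real finding.
function persistedAfterLogout(before, after) {
  const out = [];
  for (const area of ["localStorage", "sessionStorage"]) {
    for (const [key, value] of Object.entries(before[area] || {})) {
      const still = (after[area] || {})[key] === value;
      if (still && classifyEntry(area, key, String(value)).severity === "review") out.push({ area, key });
    }
  }
  return out;
}

// Browser-side collector producing the snapshot shape above (page context
// only, not runnable under Node). indexedDB.databases() is missing in some
// browsers, hence the guard.
async function collectSnapshot() {
  const dump = (store) => Object.fromEntries(
    Array.from({ length: store.length }, (_, i) => [store.key(i), store.getItem(store.key(i))]));
  return {
    localStorage: dump(localStorage),
    sessionStorage: dump(sessionStorage),
    indexedDB: typeof indexedDB.databases === "function" ? (await indexedDB.databases()).map((db) => db.name) : [],
    cacheStorage: typeof caches === "undefined" ? [] : await caches.keys(),
  };
}

// Constructed snapshots: the JWT-shaped value is a placeholder, not a real token.
const BEFORE_LOGOUT = {
  localStorage: {
    "sb-access-token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEifQ.c2lnbmF0dXJl",
    "refresh_token": "r_abc",
    "pubflow_session_id": "ps_123",
    "theme": "dark",
  },
  sessionStorage: { "cart": "c_9" },
  indexedDB: ["firebaseLocalStorageDb"],
  cacheStorage: ["workbox-precache-v2"],
};
const AFTER_LOGOUT = {
  localStorage: { "refresh_token": "r_abc", "pubflow_session_id": "ps_123", "theme": "dark" },
  sessionStorage: {},
  indexedDB: ["firebaseLocalStorageDb"],
  cacheStorage: ["workbox-precache-v2"],
};

console.log(JSON.stringify(reviewSnapshot(BEFORE_LOGOUT), null, 2));
console.log("persisted after logout:", JSON.stringify(persistedAfterLogout(BEFORE_LOGOUT, AFTER_LOGOUT)));
```

`collectSnapshot()` is what you would run in the page (for example from the DevTools console) to produce the two snapshots; the comparison then runs anywhere. In the constructed data the access token is cleared on logout but `refresh_token` survives, which is the kind of result worth validating in the real app rather than treating as proof of a bug.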
The extension is better for:
- Browser popup UX
- DevTools panel workflow
- Authenticated session comparison
- Post-logout browser storage review
- Live page storage from the exact active tab
The CLI is better for:
- Repeatable scans
- CI
- Build artifacts
- HAR import
- Localhost and URL checks
- Interactive browser capture from the terminal
- Copy-friendly reports in automation
No client-side scanner can prove an app is secure.
Frontguard does not:
- Read backend source from a deployed app
- Prove all authorization rules are correct
- Brute force IDs
- Fuzz endpoints
- Replay mutating requests
- Verify Supabase RLS policies automatically without a consented behavioral test
Findings are defensive review signals. Validate them in context.