An exposed database scanner helps you find data stores, database-backed endpoints, weak access rules, and leaked connection details before launch. The practical answer is simple: scan the public app, review any exposed storage paths, fix access control, rotate leaked credentials, then rescan. For AI-built apps, this check matters because generated code often connects fast but protects data inconsistently.
What an exposed database scanner checks?
A useful scan does not only look for one open port. It reviews the public app the way an outside visitor or attacker can see it, then flags signals that data may be reachable without proper authorization.
The first pass should cover public storage paths, client-side credentials, database-backed APIs, and misconfigured rules. If your app uses Supabase, Firebase, MongoDB, Postgres, or a managed backend, the issue may appear in different places.
Common findings include:
- Public database URLs embedded in JavaScript bundles or config files
- Open read access on collections, buckets, or tables
- Missing row-level checks on tenant-specific data
- Leaked admin endpoints that return records without authentication
- Backup files online, such as .sql, .dump, .env, or exported JSON
- Overbroad API responses that expose internal fields or other users' records
This is close to an open database exposure review, but the launch goal is broader. You are not only asking whether a database port is reachable. You are asking whether the app exposes data through frontend code, weak backend routes, permissive rules, or forgotten files.
A good database exposure scanner should separate noise from risk. A public Firebase project ID is not always a secret. A browser-visible anon key may be normal in Supabase. The real test is whether that value can be used to read, write, enumerate, or modify data that should be private.
For SaaS and AI-generated products, the highest-risk cases usually involve tenant data exposure. One missing filter can let a signed-in user read another workspace. One permissive policy can let anonymous visitors list records. These are not theoretical bugs, they are common launch failures in apps built quickly from templates.
How exposure happens?
Database exposure often starts with a small shortcut. A prototype needs data quickly, so the app fetches directly from the client. Later, authentication is added, but the original rule, endpoint, or sample config stays public.
AI-assisted coding can amplify this pattern. Generated code may produce working CRUD endpoints, but it may not understand your tenant model, admin boundaries, or which fields are sensitive. The result is an app that feels complete while still allowing unauthorized data access.
Watch for these specific failure patterns:
- Client trust mistakes, where the browser sends user_id or workspace_id and the server accepts it
- Default allow rules, especially in early Firebase or test-mode setups
- Service role leakage, where privileged keys are bundled into frontend code
- Debug endpoints live, including routes that dump users, orders, prompts, logs, or sessions
- Database backups exposed, often from copied deployment artifacts or public static folders
For Firebase-backed apps, review rules with a dedicated Firebase security rules check. For Supabase, pair scanning with a Supabase RLS checker, because row-level security is where many real data leaks are either prevented or created.
A short manual spot check can catch obvious mistakes before automated scanning. Do this only against systems you own and avoid destructive requests.
APP_URL=https://app.example.com
curl -sI ${APP_URL}/.env
curl -sI ${APP_URL}/backup.sql
curl -sI ${APP_URL}/dump.json
curl -s ${APP_URL}/_next/static/chunks/app.js | grep -Ei 'mongodb|postgres|supabase|firebase|service_role'
curl -s ${APP_URL}/api/users | head
curl -s ${APP_URL}/api/admin | headThese commands are not a replacement for a real database exposure check. They show the mindset: inspect public files, inspect bundles, test obvious endpoints, and look for privileged strings. A scanner should automate this more safely, follow redirects, fingerprint common frameworks, and avoid actions that could change data.
The most dangerous result is not always an open database server. It is often a normal-looking API route that returns too much. For example, a profile endpoint might return email, billing status, internal notes, auth provider IDs, and tenant IDs. If the route lacks ownership checks, every user may be able to enumerate other accounts.
Fix workflow before launch
Treat every finding as a path from public access to sensitive data. The fix should remove that path, not only hide the symptom. Renaming a route or moving a file is not enough if the authorization model still trusts the client.
Use this launch workflow:
- Confirm the data path. Identify whether exposure comes from a file, frontend bundle, API route, storage rule, database rule, or network service.
- Classify the impact. Decide whether the finding allows read access, write access, enumeration, credential theft, or privilege escalation.
- Remove public artifacts. Delete exposed backups, .env files, debug JSON, and generated exports from deploy output.
- Move secrets server-side. Keep database credentials, service roles, and private tokens out of browser code.
- Enforce authorization centrally. Validate identity and ownership on the server or through database policies.
- Rotate exposed credentials. If a private key or password was public, assume it was copied.
- Rescan from outside. Verify the deployed production URL, not only local code or staging.
The critical rule is never trust browser input for ownership. If the client sends workspace_id, account_id, user_id, or role, the server must verify it against the authenticated session. Do not let generated code turn these fields into authorization.
For Supabase, confirm that RLS is enabled on private tables and policies restrict rows by authenticated user or tenant membership. For Firebase, confirm that rules deny by default and allow only the minimum required reads or writes. For custom APIs, add tests that attempt cross-user access with two separate accounts.
Also scan what your deployment exposes. Static hosts and serverless builds sometimes publish files you did not expect. Build output, source maps, old exports, or copied test fixtures can reveal schema names, internal URLs, tokens, and sample customer records. A public website scan should include both HTML and linked JavaScript assets.
AISHIPSAFE's security scan is designed for this prelaunch moment: one public URL, external checks, and findings focused on what can actually be reached. If you need broader crawling and deeper coverage across routes and assets, use a deep scan before inviting users.
After fixes, do one final review with fresh credentials and a clean browser session. Test anonymous access, normal user access, and cross-tenant access. The goal is not perfect security in one pass. The goal is to remove obvious public exposure before real traffic, indexing, integrations, and attackers arrive.
A safe launch is not just a working login page. It is a deployed app where private data stays private from the outside. Scan first, fix the highest-impact paths, rotate anything leaked, and verify again before sharing the product widely.
Faq
What counts as an exposed database?
An exposed database is any data store or database-backed path that allows unintended public access. That can mean an open network service, a permissive Firebase rule, missing Supabase RLS, a leaked connection string, or an API endpoint that returns private records without proper authorization.
Should i scan staging or production?
Scan both if possible, but always scan the deployed production URL before launch. Staging often differs from production in environment variables, build output, redirects, headers, and access rules. Many exposures appear only after deployment because files, bundles, or routes are published differently.
Is a browser-visible API key always a leak?
Not always. Some public keys are designed for browser use, such as certain anon or publishable keys. The risk depends on permissions. If the key can read private data, write records, bypass policies, or access admin functions, treat it as exposed and rotate it.
Before launch, run AISHIPSAFE against your public URL and review any database exposure, secret leakage, and unsafe endpoint findings while fixes are still cheap.