Scan types
FixVibe runs three kinds of scans against three kinds of targets. They differ in how tightly they are gated, how fast they run, and how wide their blast radius is; pick the one that matches what you are testing.
Passive
Available on every tier. A passive scan never sends crafted attack input; it fetches the URL like a normal browser and checks shipped responses, client assets, BaaS exposure, DNS, and public security posture against 250+ vulnerability classes.
Because it is read-only, a passive scan can be run against any URL at all: no domain verification, no attestation. The trade-off is depth: passive misses anything that can only be discovered by sending input.
What passive catches
- Missing security headers (HSTS, CSP, frame-options, etc.).
- Insecure cookie attributes (no Secure / HttpOnly / SameSite).
- Weak TLS configuration, expired certificates, missing HSTS preload.
- Secrets in JS bundles (Supabase service keys, AWS keys, Stripe sk_, etc.).
- Exposed source maps, debug endpoints, OpenAPI specs, GraphQL introspection.
- Open Supabase RLS / Firebase rules / Clerk misconfiguration.
- DNS (subdomain takeover, missing SPF/DKIM/DMARC).
- Threat-intel listings (Spamhaus, URLhaus).
- Outdated framework versions with known CVEs.
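To make the read-only nature of these checks concrete, here is an added example (not FixVibe's own scanner code) that inspects a constructed HTTP response and reports the first two items on the list, missing security headers and weak cookie attributes, without ever sending crafted input. The sample response and header/flag tables are assumptions for illustration.

```python
# Added example (not FixVibe code): a minimal "passive" inspection of a
# shipped HTTP response. It only reads headers a normal GET would return;
# a real scan would fetch the URL first and then run checks like this.
from email.parser import Parser
from http.client import HTTPMessage

# Headers a passive scan expects on an HTTPS site (illustrative subset).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-frame-options": "frame-options missing",
}
# Cookie attributes checked on every Set-Cookie, keyed by lowercase name.
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def parse_response_headers(raw: str):
    """Split a raw HTTP/1.1 response (CRLF line endings, as on the wire)
    into its status line and a case-insensitive header map."""
    status_line, _, header_block = raw.partition("\r\n")
    headers = Parser(_class=HTTPMessage).parsestr(header_block)
    return status_line, headers

def passive_findings(raw_response: str) -> list[str]:
    """Return human-readable findings for missing headers and weak cookies."""
    _, headers = parse_response_headers(raw_response)
    findings = [label for name, label in REQUIRED_HEADERS.items()
                if headers.get(name) is None]
    # Set-Cookie may legitimately repeat, so look at every instance.
    for cookie in headers.get_all("set-cookie") or []:
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [pretty for flag, pretty in COOKIE_FLAGS.items() if flag not in present]
        if missing:
            findings.append(f"cookie {cookie_name} missing {', '.join(missing)}")
    return findings

# Constructed sample response; not captured from any real site.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in passive_findings(SAMPLE):
        print("-", finding)
```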
Active (Hobby+)
Active scans perform bounded verification against verified domains you have explicitly authorized. They are available on the Hobby plan and higher tiers (Pro, Unlimited) and are designed to confirm risky behavior without publishing the underlying probe recipes.
Why we gate it: the attestation flow
Active probes can affect production: slow responses, error spikes, junk data in test stores. We require you to:
- Verify the domain via a DNS TXT record or an HTTP file (Account → Domains).
- Attest authorization: a one-time confirmation at scan start stating that you have permission. The server signs your IP, user-agent, and timestamp and writes them to audit_logs.
For scheduled re-scans and API/MCP active starts, domain authorization is recorded from Dashboard → Domains and can be revoked at any time. Automated active scans use the authorized safety level for that domain.
GitHub repository (Pro+)
Repo scans skip deployed URL testing and review source through the FixVibe GitHub App or your OAuth connection. They report high-confidence code, dependency, and repository-security risks without storing your source code.
Repo scans never write to your repo and never store source code; only finding evidence is retained. Quota: the same scansPerMonth bucket as URL scans.
Start via the API
curl -X POST https://fixvibe.app/api/v1/scans \
  -H "Authorization: Bearer fxv_..." \
  -H "content-type: application/json" \
  -d '{"target":"https://staging.example.com"}'

The REST API and MCP can start passive scans, and can start active scans for verified domains that have been explicitly authorized in Dashboard → Domains. Full reference: /docs/api.
Anonymous one-shot scans
The home page lets signed-out visitors run one passive scan per browser session. These scans expire 24 hours after creation and can be moved to a real account by signing up before they expire; the auth callback automatically links the anonymous scan to the new org.
