FixVibe

// 探索 / 聚焦

Netlify-Specific Exposure

Netlify deploy preview URLs, x-nf-* headers, _redirects mistakes.

概要

Netlify follows the same pattern as every PaaS: distinctive headers, characteristic file paths, and a per-deploy preview URL system that's a wonderful CI feature and an occasional security liability. The bugs are mostly the same as Vercel's, with Netlify-specific shapes — `x-nf-request-id` instead of `x-vercel-id`, `*.netlify.app` preview hosts instead of `*.vercel.app`, `_redirects` and `_headers` files that occasionally ship to production with rules they shouldn't.

運作方式

Netlify adds `x-nf-request-id` and (for some plan tiers) `server: Netlify` to every response. The `_redirects` file at the build root configures URL rewrites and proxy rules; if it includes wildcards or admin-route rules, those rules apply to public traffic. The `_headers` file similarly controls response headers. Preview deployments live at `deploy-preview-N--sitename.netlify.app` per pull request — discoverable via search-engine indexing or wayback archives if anything internal-only ever links to them.

影響范圍

Mostly recon — confirms Netlify as the host, hints at the build pipeline. Direct impact when preview URLs leak (preview deployments often have less strict access controls), or when `_redirects` rules include unintended proxy patterns that expose backend services through the Netlify edge.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Don't expose preview deploy URLs from production code or shared documents. Audit your `_redirects` file for unintended wildcards or proxy rules — `/* /admin/:splat 200` is the kind of rule that looks innocuous until you realize it forwards every path to admin. Use Netlify's site password protection for non-production environments. Set a strict `robots.txt` on preview deploys (Netlify supports per-context robots configuration). For high-stakes deployments, pin every preview to a private team-only password-gated context.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

探索
142
本類别中触發的测試
模塊
23
專属 探索 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

Netlify-Specific Exposure — 漏洞聚焦 | FixVibe · FixVibe