Tripline · External Security Scan
tripline.io
01 / scan report

What attackers can see on Instantly

A passive, external scan of your public attack surface — every finding ranked by severity, each with the exact steps to close it.

Target: instantly.ai
Scanned: 2026-06-11 10:00 UTC
Checks run: 7 categories
Assets scanned: 2
Total findings: 8
Report by: Tripline · tripline.io

Score: 25/100 (High exposure, Grade D)
Findings by severity: 5 HIGH · 3 MEDIUM · 0 LOW · 0 INFO
02 / scope — 2 hosts scanned
Grade C · instantly.ai · 3 findings · 1 high
Grade D · app.instantly.ai · 5 findings · 4 high
03 / analyst summary (AI review, mock)

This scan surfaced 8 external findings (5 high, 3 medium, 0 low). The most urgent is “Exposed .env file with a live Stripe key”. Fix the high-severity items first; they are the exposures an attacker can act on immediately.

04 / findings & remediation
01
HIGH · Exposed Secrets & Files · instantly.ai · high confidence

Exposed .env file with a live Stripe key

A .env environment file is publicly downloadable.

Live secret pattern matched in a public file — high confidence.
Why it matters: These files routinely contain live database passwords, API keys, and secret tokens. Anyone who downloads it can take over connected services.
path: /.env
leaked: redacted
How to fix it (catalog):
  1. Remove the file from the web root immediately.
  2. Treat every secret it contained as compromised and rotate all of them now.
  3. Block dotfiles at the server: deny access to any path starting with a dot.
  4. Ensure .env is in .gitignore and never deployed to the public directory.
02
HIGH · SSL / TLS · app.instantly.ai · high confidence

TLS certificate expires in 9 days

The TLS certificate expires soon.

Why it matters: If it lapses, visitors hit a browser security warning and trust drops.
days: 9
How to fix it (catalog):
  1. Renew now and enable automatic renewal so it can't lapse.
03
HIGH · Security Headers · app.instantly.ai · high confidence

API allows any origin with credentials

CORS allows any origin (Access-Control-Allow-Origin: *) together with credentials.

Why it matters: Any website can make authenticated requests to your API as your logged-in users and read the response — a direct path to account takeover.
endpoint: /api
How to fix it (catalog):
  1. Never combine `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`.
  2. Echo back only an explicit allow-list of trusted origins.
  3. If the endpoint is public and unauthenticated, drop credentials entirely.
04
HIGH · Backend & API · app.instantly.ai · high confidence

Management endpoint exposed at /actuator/env

Spring Boot Actuator (or a similar set of ops endpoints) is publicly reachable.

Why it matters: Endpoints like /actuator/env, /heapdump, or /actuator/configprops leak environment variables, secrets, and internal config — a direct path to compromise.
path: /actuator/env
How to fix it (catalog):
  1. Expose only /actuator/health and /actuator/info publicly; restrict the rest.
  2. Put management endpoints on a separate, internal-only port (management.server.port).
  3. Require authentication on all actuator endpoints; never expose env/heapdump publicly.
05
HIGH · Backend & API · app.instantly.ai · high confidence

Backend returns a verbose error / debug page

A backend endpoint returned a verbose error / stack trace / debug page.

Why it matters: Debug output leaks framework versions, file paths, SQL, and sometimes secrets — a roadmap for attacking your backend.
signal: Traceback
How to fix it (catalog):
  1. Turn off debug mode in production (e.g. Django DEBUG=False, Flask debug off, Rails prod env).
  2. Return generic error pages; log details server-side only.
06
MEDIUM · Security Headers · instantly.ai · high confidence

No Content-Security-Policy (XSS exposure)

No Content-Security-Policy (CSP) header is set.

Why it matters: CSP is the main defense against cross-site scripting (XSS). Without it, an injected script can steal sessions, deface pages, or skim card data.
url: /
How to fix it (catalog):
  1. Start in report-only mode: Content-Security-Policy-Report-Only: default-src 'self'
  2. Watch the violation reports, then tighten to a real policy and remove 'Report-Only'.
  3. Avoid `unsafe-inline` for scripts; use nonces or hashes for the few inline scripts you need.
  4. Frameworks: Next.js supports CSP via middleware; Rails via secure_headers gem.
07
MEDIUM · Email & Domain · instantly.ai · high confidence

No DMARC record

No DMARC policy is published.

Why it matters: DMARC tells receiving servers what to do with mail that fails SPF/DKIM. Without it, spoofed email targeting your customers often lands in their inbox.
domain: instantly.ai
How to fix it (catalog):
  1. Add a DNS TXT record at _dmarc.yourdomain: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain
  2. Start with p=none to monitor, then move to p=quarantine and finally p=reject.
08
MEDIUM · Backend & API · app.instantly.ai · high confidence

API documentation exposed at /openapi.json

Interactive API documentation (Swagger/OpenAPI/Redoc) is publicly accessible.

Why it matters: Public API docs hand an attacker a complete map of your backend — every endpoint, parameter, and auth scheme — making it far easier to find and abuse a weak spot.
path: /openapi.json
How to fix it (catalog):
  1. Restrict Swagger/OpenAPI UI and the spec file to internal networks or authenticated staff.
  2. Disable API docs in production builds, or put them behind SSO / an IP allow-list.
  3. Never expose the raw openapi.json / swagger.json publicly.
Scope & method. This is a passive, external, unauthenticated scan: it inspects only what any visitor can already see — response headers, TLS configuration, public DNS records, and publicly reachable files. It does not log in, run exploits, or attack the target. Findings reflect the state at scan time and are not a guarantee of complete security. Discovered secret values are redacted and never stored in plaintext.