The admin panel you left unlocked
phpMyAdmin, Grafana, debug toolbars, and error pages open to the world.
Is your phpMyAdmin sitting on the open internet?
A public phpMyAdmin or Adminer login is a door to your whole database. How attackers find it, what they do next, and how to take it off the internet.
Did your Grafana, Kibana, or Jenkins end up public?
Public Grafana, Kibana, or Jenkins panels map your infrastructure for anyone who finds them. What they leak, and how to take them off the open internet.
Why a public Strapi or Directus admin is a data leak waiting to happen
An exposed Strapi or Directus admin is the front door to all your content and users. How it gets found, what it leaks, and how to lock the panel down.
Is your framework's debug toolbar visible to the world?
An exposed Symfony profiler or Django debug toolbar dumps your config, queries, and env to strangers. How it leaks, and the one line that turns it off.
Stack traces in production: what your error pages give away
A debug error page in production prints your source, env, and secrets to anyone who triggers it. How Werkzeug, Whoops, and DEBUG=True leak, and the fix.
Your Kubernetes dashboard, Portainer, or MinIO console is on the public internet
A public Kubernetes Dashboard, Portainer, or MinIO console is control of your whole cluster or object store, one click away. The infra panels that leak, and how to check.
Is your Swagger UI handing strangers a map of every API endpoint you have?
A public Swagger UI or /v3/api-docs documents your entire API for anyone, including the internal routes. What it exposes, why it's left on, and how to check.
Is your Tomcat Manager open to the internet? (It's one upload from a shell)
The Apache Tomcat Manager deploys web apps over HTTP. Reachable from outside, it's a direct route to remote code execution via WAR upload. How it leaks, and how to lock it.
Storybook, Backstage, GraphQL Playground: the developer tools you left on the public internet
The tools that make building easier (your component library, your internal portal, your API explorer) are built for the team, not the world. When they ship to production, they hand a stranger a guided tour. How they leak, and how to gate them.
Ghost, Craft, Umbraco, Statamic: is your CMS admin sitting at the URL everyone guesses?
Every CMS puts its admin at a predictable path: /ghost, /admin, /umbraco, /cp. Reachable from the public internet, it's the front door to all your content and users. Which CMS lives where, and how to gate the panel.
PocketBase, Supabase Studio, Appwrite: your database admin is one login from the whole dataset
The self-hosted backend that runs your app ships with a web admin that reads and writes every row. Reachable from the public internet, it's the entire database behind one password. Where each one lives, and how to lock it.
Coolify, Dokploy, Rancher: the deploy controller is the keys to every app you run
A self-hosted PaaS or Kubernetes controller doesn't manage one app; it manages all of them, plus the env vars, the secrets, and a shell. Public on the internet, it's the most dangerous panel you can leave open. How they leak, and how to wall them off.
ToolJet, Uptime Kuma, Outline: the internal dashboards that quietly face the internet
An internal-tool builder wired to your databases, a monitor that lists your infrastructure, a wiki full of runbooks and credentials. Built for the team, reachable by everyone. The low-profile dashboards worth checking, and how to gate them.