June 2026 | Public
Passive surface read

datafa.st

Grade: A

We read datafa.st the way any visitor can: response headers, public scripts, DNS and TLS. Nothing sensitive was in the open. This one reads well.

  • 0 things exposed
  • 9 passive checks
  • Read on: Jun 2026

What we read from the outside

Only what any visitor can load. No login, no probing, no payloads.

  • Response headers (HSTS, CSP, frame and content-type policies)
  • Public JavaScript bundles for hardcoded keys or secret endpoints
  • Common config paths (.env, .git, backups, source maps)
  • DNS records and email auth (SPF, DMARC)
  • TLS version and certificate
  • Open directory listings and verbose error pages

What we found

Nothing sensitive was reachable from the outside. Headers were strict, config paths were locked down, and the public scripts held no secrets.

How we graded this

The grade is a read of what is exposed to anyone, not a full audit. A means nothing sensitive was in the open. F means something sensitive was reachable with no login. We never test beyond what a browser loads on its own, and we disclose privately before anything goes public.

What to take away

  • Headers and transport were in good shape.
  • No secrets sat in the public JavaScript.
  • We only loaded what any browser loads.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.