Environment
Validate required keys, health endpoints, DNS, TLS, security headers, and secret exposure.
Integration
Environment
Required keys, health endpoints, DNS, TLS, and security headers.
The Environment check is not tied to a single vendor. It validates the public surface of your app at the URL saved on the project: DNS, TLS, security headers, legal pages, and accidental secret exposure. These are the failures that take down a launch even when every provider credential is valid.
Requirements
- Project with the production or staging URL saved in Project Settings
- App deployed and publicly reachable at that URL
- Optional dedicated health endpoint that returns a fast, unauthenticated 200
One saved URL
The Environment and readiness scanners only use the URL saved on the project. They do not accept arbitrary URLs, so they cannot be pointed at sites you do not control.
What PreFlight checks
| Probe | What it proves |
|---|---|
| URL reachability | The saved project URL responds, follows redirects sanely, and is not stuck on a holding page. |
| DNS resolution | DNS resolves to the expected targets for the configured domain. |
| TLS validity | The certificate is valid, trusted, and not expiring soon. |
| Security headers | Baseline headers (HSTS, content-type options, frame options) are present. |
| Legal pages | /privacy and /terms exist—required for Stripe approval and basic trust. |
| Secret leak scan | Same-origin HTML, JS bundles, and source maps are sampled for exposed backend keys (for example sk_live_ or a service role key). |
| Performance signal | Coarse response time and payload size so an obviously slow launch surface is visible. |
Failure guidance
| Symptom | Fix |
|---|---|
| No project URL saved | Open Project Settings, add the production or staging URL, then rerun. |
| DNS failure | Confirm nameservers and A/CNAME records point to your hosting provider. |
| TLS error | Renew or install a valid certificate; use Full (strict) SSL at your CDN. |
| Secret leak detected | Move the key to server-only env vars and rotate it in the provider dashboard immediately. |
| Security header missing | Add the header at your framework or CDN layer—most are one-line config changes. |
| Legal page missing | Publish /privacy and /terms; adapt counsel-ready drafts under Legal in PreFlight docs. |
Rotate, do not just hide
If a secret was ever served to the browser, assume it is compromised. Removing it from the bundle is not enough—rotate it at the source.
Dashboard setup
- Open Project Settings and save your production or staging URL.
- Deploy the app so the URL is publicly reachable (not localhost).
- Publish
/privacyand/termsand confirm security headers at your CDN or framework. - Run Pre-Flight Check and treat any secret-leak or TLS failure as launch-blocking.
