How do scanners safely test your database rules?

Testing whether a database is publicly readable sounds invasive. Done right, it reads a row count and nothing else — and only after you prove you own the app.

The most valuable check for an AI-built app is also the most sensitive: is your database actually locked down? Doing that responsibly comes down to two principles — prove ownership first, and read as little as possible.

Why ownership has to be proven

Actively probing a database you don’t own isn’t okay, and a checkbox ("I own this") is spoofable. The honest way is to make you place a small token file at /.well-known/shipshape-verify.txt on your own domain — the same model Google Search Console and SSL certificates use. Only then does the active check run.

Why "count only" matters

To prove a table is exposed, a scanner does not need to download your users’ data — it only needs to know the table is readable. So the right technique is a HEAD request asking for a count (Prefer: count=exact): the database returns "this many rows" without sending a single row. You learn "table users is readable and has 1,240 rows" while zero rows cross the wire.

What a good result looks like

Honest output names the table and the count as proof, and states plainly that no data was pulled. It never dumps, displays, or stores your records — and the public-facing version redacts even the table names.
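As an added, runnable illustration of the two principles above (example code written for this page, not Shipshape's scanner), the script below stands up a constructed local stand-in for an app that publishes a token at /.well-known/shipshape-verify.txt and exposes a PostgREST-style `/rest/v1/<table>` endpoint. The `/rest/v1` path, the `Content-Range` header carrying the count, and the optional `apikey` header are assumptions about the target API, not something the page states. The check refuses to probe until the served token matches, then sends only a HEAD with `Prefer: count=exact`, aborts if any body bytes arrive, and produces a public-facing summary that proves exposure without naming the table.

```python
# Added example, not Shipshape's code: an ownership-gated, count-only
# readability check, run against a constructed local stand-in for the app.
import re
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VERIFY_PATH = "/.well-known/shipshape-verify.txt"  # path named in the article
TOKEN = secrets.token_hex(16)   # constructed: the token the owner is asked to publish
STUB_ROWS = 1240                # constructed: row count the stand-in reports
# Assumed PostgREST-style Content-Range, e.g. "0-24/1240" or "*/0"; the total is the count.
CONTENT_RANGE = re.compile(r"^(?:\d+-\d+|\*)/(\d+)$")


class StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in: serves the token file and a table endpoint that answers
    HEAD + Prefer: count=exact with Content-Range only. It never writes a row."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == VERIFY_PATH:
            body = (TOKEN + "\n").encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def do_HEAD(self):
        wants_count = "count=exact" in self.headers.get("Prefer", "")
        if self.path.startswith("/rest/v1/users") and wants_count:
            self.send_response(200)
            self.send_header("Content-Range", f"0-24/{STUB_ROWS}")
        else:
            self.send_response(404)
        self.end_headers()


def start_stub():
    """Start the stand-in on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def fetch(url, method="GET", headers=None):
    """Return (status, headers, body); non-2xx responses stay inspectable."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, b""


def verify_ownership(base_url, expected_token):
    """Ownership proof: the token we issued must be served from the owner's domain."""
    status, _, body = fetch(base_url + VERIFY_PATH)
    # Constant-time comparison so the verifier leaks nothing about the token.
    return status == 200 and secrets.compare_digest(body.strip(), expected_token.encode())


def count_only_probe(base_url, table, api_key=None):
    """Ask only 'how many rows?' via HEAD; the answer travels in a header."""
    headers = {"Prefer": "count=exact"}
    if api_key:  # assumption: Supabase-style anon key header
        headers["apikey"] = api_key
    status, hdrs, body = fetch(f"{base_url}/rest/v1/{table}", "HEAD", headers)
    if body:  # a HEAD must never carry rows; stop rather than read data
        raise RuntimeError("unexpected body on HEAD; aborting to avoid reading rows")
    match = CONTENT_RANGE.match(hdrs.get("Content-Range", ""))
    if status in (200, 206) and match:
        return {"table": table, "readable": True, "rows": int(match.group(1))}
    return {"table": table, "readable": False, "rows": None}


def run_check(base_url, table, expected_token):
    """The gate: no ownership proof, no active probe."""
    if not verify_ownership(base_url, expected_token):
        return {"status": "not-verified", "table": None, "readable": None, "rows": None}
    result = count_only_probe(base_url, table)
    result["status"] = "verified"
    return result


def public_summary(result):
    """Public-facing wording: proves exposure without naming the table or showing data."""
    if result["status"] != "verified":
        return "ownership not verified; no active check was run"
    if not result["readable"]:
        return "table not publicly readable (0 rows transferred)"
    return f"a table is publicly readable ({result['rows']:,} rows; 0 rows transferred)"


if __name__ == "__main__":
    base = start_stub()
    print(public_summary(run_check(base, "users", TOKEN)))
    print(public_summary(run_check(base, "users", "not-the-token")))
```

The ordering is the point: `run_check` never calls `count_only_probe` unless `verify_ownership` succeeds, and the probe raises if a HEAD response unexpectedly carries a body, so a misbehaving endpoint cannot turn a count into a data pull.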

That’s exactly how Shipshape’s database check works. → Verify and test your app

FAQ

Is it safe to let a scanner test my database?
It is when done correctly: it should require you to prove ownership (a token file at /.well-known), then read only a row count via a HEAD request — proving a table is readable without pulling any row data.

Does the database check download my users' data?
A responsible one does not. It asks for a count only, so it can report "table X is readable, N rows" while transferring zero rows. Shipshape never dumps, shows, or stores your data.

Why do I have to place a verification file?
Because actively testing a database you do not own is not acceptable, and a checkbox is spoofable. A token file on your own domain proves you control it — the same way Google Search Console verifies sites.

Check your own app
Free passive scan, ~10 seconds, no login.