Database Admin Ports Open on Production: The 10-Port Checklist

Drizzle Studio, Prisma Studio, pgAdmin, Adminer, phpMyAdmin, Hasura Console, Keystone Admin, Strapi, Directus, PocketBase. One port open = full database compromise.

April 25, 2026 · VibeWShield Team · 1 min read

Every database admin UI ships with great docs for local use and none for production. Vibe-coded apps regularly leave them exposed on prod subdomains.

The checklist

Run `curl -sI https://your-app.com:<PORT>/ | head -3` for each port:

| Port | Tool | Fingerprint |
|------|------|-------------|
| 5555 | Prisma Studio | x-powered-by: prisma-studio |
| 4983 | Drizzle Kit Studio | x-drizzle-studio |
| 5050 | pgAdmin | HTML title "pgAdmin 4" |
| 8080 | Adminer / Hasura | server: Adminer or GraphQL endpoint |
| 3001 | Keystone | x-keystone-admin-meta |
| 1337 | Strapi | x-powered-by: Strapi |
| 8055 | Directus | x-directus-version |
| 8090 | PocketBase | HTML title "PocketBase" |
| 27017 | Mongo Express | HTML title "Mongo Express" |
| 4000 | Hasura Console | GraphQL endpoint /v1/graphql |

Any 200 response means immediate credential rotation plus a port block.
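The checklist as a script to run against a host you operate. This is an added example, not VibeWShield's scanner or code from the original article; it sends a GET rather than a HEAD request so the HTML-title fingerprints can be matched, and it does not follow redirects. The function names are made up here, the ports and fingerprints are transcribed from the table, and the Hasura rows (GraphQL endpoint, no header or title) are reported as an unidentified 200.

```python
import http.client
import re
import sys

# port -> (tool, fingerprint kind, needle), transcribed from the checklist table.
CHECKLIST = {
    5555: ("Prisma Studio", "header", "x-powered-by: prisma-studio"),
    4983: ("Drizzle Kit Studio", "header", "x-drizzle-studio"),
    5050: ("pgAdmin", "title", "pgAdmin 4"),
    8080: ("Adminer", "header", "server: Adminer"),  # Hasura here: unidentified
    3001: ("Keystone", "header", "x-keystone-admin-meta"),
    1337: ("Strapi", "header", "x-powered-by: Strapi"),
    8055: ("Directus", "header", "x-directus-version"),
    8090: ("PocketBase", "title", "PocketBase"),
    27017: ("Mongo Express", "title", "Mongo Express"),
    4000: ("Hasura Console", "graphql", "/v1/graphql"),  # not matched by this script
}

def assess(port, status, headers, body):
    """Return None unless status is 200; else the matched tool or 'unidentified'."""
    if status != 200:
        return None
    tool, kind, needle = CHECKLIST[port]
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    name, _, value = needle.lower().partition(": ")
    title = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    by_header = kind == "header" and name in hdrs and value in hdrs[name]
    by_title = kind == "title" and title and needle.lower() in title.group(1).lower()
    return tool if by_header or by_title else "unidentified"

def probe(host, port, timeout=3.0):
    """GET https://host:port/ without following redirects; None if unreachable."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read(65536).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def audit(host):
    """Return [(port, tool)] for every checklist port that answers 200."""
    probed = [(p, probe(host, p)) for p in sorted(CHECKLIST)]
    return [(p, assess(p, *r)) for p, r in probed if r and r[0] == 200]

if __name__ == "__main__":
    print(audit(sys.argv[1]))
```

An empty list means no checklist port answered 200 over HTTPS; every entry it does return falls under the rotation and port-block rule above.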

Fix

  • Add a load-balancer rule: drop all inbound traffic to anything except 80/443.
  • Use internal subdomains (admin.internal.app.com) with IP allowlists.
  • SSH tunnel for dev access.

VibeWShield's database_infra scanner runs this exact checklist, plus default-credential tests if ports respond. Takes 40 seconds in Deep mode.
