
The secrets hiding in your JavaScript

API keys, tokens, and credentials that shipped to the browser by accident.

Is your Stripe secret key in your JavaScript bundle right now?

A live Stripe secret key in your frontend lets anyone refund your revenue to themselves. How it gets there, how to check in two minutes, and how to fix it.

Why is there an AWS key in your build, and who can use it?

An AKIA key in your JavaScript is one S3 call away from your whole bucket. How it leaks, what a stranger does with it, and how to check from outside.

Did you leak a Supabase service_role key? (It bypasses every security rule you wrote)

The Supabase service_role key skips row-level security entirely. If it shipped to the browser, your RLS policies protect nothing. How to check and fix.

GitHub, Slack, OpenAI: which tokens end up in frontend code, and what they unlock

A leaked ghp_ token is read access to your private repos. The prefixes that end up in bundles, what each one unlocks, and how to find them.

What are source maps, and are you handing strangers your original code?

Minified means nothing if the source map ships next to it. What source maps expose in production, how to check, and how to stop serving them.

Why your "public" key is fine but your secret key is a fire

Not every key in your bundle is a problem. The ones that are, are catastrophic. How to tell which is which, and the one rule that sorts them.

An OpenAI or Anthropic key in your frontend is someone else's free compute

An sk-proj- or sk-ant- key in your JavaScript is a metered bill anyone can run up. How AI keys end up client-side, what a stranger does with one, and how to check.

GitLab, DigitalOcean, GCP: the infrastructure tokens that leak into bundles

A glpat-, dop_v1_, or service-account key in your JavaScript holds the keys to your infrastructure, not just one API. The prefixes that leak and what each one controls.

SendGrid, Twilio, Shopify: the SaaS keys that leak and send mail as you

An SG. SendGrid key or a Twilio SID in your JavaScript lets a stranger send email and SMS on your account and bill. The SaaS prefixes that leak and what each does.

A database connection string in your frontend is a direct line to your data

A Server=...;Password=... connection string or a PlanetScale token in your JavaScript is the database itself, not just an API. How they leak, what a stranger does with one, and how to check.

Did you leave an API key in an HTML comment?

Comments are invisible in the browser but plain text in the source. A key left in an <!-- ... --> ships to every visitor. How it happens, what a stranger does with one, and how to check.

Is there a secret in your __NEXT_DATA__? (Your SSR props ship to the browser)

Server-rendered apps serialise their state into the page so the browser can hydrate. Anything in that blob is public: __NEXT_DATA__, __PRELOADED_STATE__, Apollo, Nuxt. How a server-only key gets in there, and how to check.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.