What 'leaking a secret' actually means
Your website's front-end code is public. Every script your site loads can be read by anyone who opens their browser's developer tools. There is no hiding code in the browser, only making it harder to read.
A secret is anything that is supposed to prove it is you: an API key, a token, a password, a signing secret. If one of these ends up in your front-end code, it is not protected, it is published. Bots scan the web for these around the clock.
The three most common leaks in AI-built apps
- A secret key hardcoded directly into a component to make a demo work.
- A secret placed in a NEXT_PUBLIC_ variable, which Next.js bundles into the browser on purpose.
- Source maps shipped to production, which can expose your original code and any secrets inside it.
How to check by hand
Open your live site, then open your browser's developer tools and go to the Sources or Debugger tab. Use the search-across-all-files command (Ctrl+Shift+F, or Cmd+Option+F on a Mac) so that every loaded script is searched, not only the one open in the editor, and look for tell-tale prefixes. While you are there, check the Network tab too: a key that your front-end fetches from your own API at runtime and then sends in an Authorization header is just as exposed as one in the bundle, even though no script contains it.
- Search for sk_live_ and sk_test_ (Stripe secret keys) and for sk- with a hyphen (OpenAI secret keys). Stripe publishable keys start with pk_ and are meant to be in the browser.
- Search for AKIA (AWS access key IDs). The matching secret access key is a 40-character string with no prefix, so look closely at anything near an AKIA hit.
- Search for eyJ, the start of any base64-encoded JWT. Legacy Supabase keys are JWTs, and the word service_role appears only inside the decoded payload, not as a literal in the bundle, so decode each hit and read its role claim. A key whose role is anon is expected in the browser; one whose role is service_role (the admin key) should never be there.
- Search for the words 'key', 'secret', 'token' and 'password' and see what comes up. Minifiers rename local variables but keep string literals and property names, so hits usually come from object keys such as apiKey: "...".
How to check automatically
Doing this by hand is slow and easy to get wrong, especially with minified code. A scanner reads every script your site serves and matches known key patterns plus high-entropy strings in seconds. Pattern hits are near-certain leaks; entropy hits are candidates that need a look, because content hashes in file names and publishable keys look random too.
Our exposed API key scanner does exactly this and tells you which file the key came from and how to fix it.
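The manual search above and the automatic scan it replaces are the same job, so here is one small scanner that does both, written for this page as an added example (it is not the page's own scanner and not any provider's code). It matches the prefixes listed in the manual check, decodes JWTs to read the role claim instead of searching for the literal service_role, and scores long quoted literals by Shannon entropy for keys with no known prefix. The bundle it scans is constructed inline with fake keys; the only real value is the AWS documentation example key AKIAIOSFODNN7EXAMPLE, which is not a live credential. To scan a live site, fetch each script the page loads and pass its text to scanScript().

```javascript
// Added example, not the page's scanner: a minimal secret scanner for the
// JavaScript a site serves. Runs offline on a constructed bundle (below).

// Known-prefix patterns. `check` optionally confirms a match (here: decoding a JWT).
const PATTERNS = [
  { type: 'stripe-secret-key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{10,}/g },
  { type: 'openai-secret-key', re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { type: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  {
    // Legacy Supabase keys are JWTs: "service_role" sits inside the base64url
    // payload, not as a literal in the bundle, so decode the payload and read the claim.
    type: 'supabase-service-role-jwt',
    re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
    check: (jwt) => jwtRole(jwt) === 'service_role',
  },
];

// Prefixes that are public by design; never report them as entropy hits.
const PUBLIC_PREFIXES = ['pk_live_', 'pk_test_'];

// A quoted literal of 32+ base64/url-safe characters is a candidate for entropy scoring.
// Requiring the quotes keeps URL paths and chunk hashes (which contain ':' and '.') out.
const LITERAL_RE = /["'`]([A-Za-z0-9+\/=_-]{32,})["'`]/g;
const ENTROPY_THRESHOLD = 4.5; // bits per character; random base64 scores close to 6

function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Returns the `role` claim of a JWT payload, or undefined if it is not a parseable JWT.
function jwtRole(jwt) {
  try {
    return JSON.parse(base64urlDecode(jwt.split('.')[1])).role;
  } catch {
    return undefined;
  }
}

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Never write the full secret into a report: prefix plus length is enough to find it.
function redact(s) {
  return s.slice(0, 8) + '... (' + s.length + ' chars)';
}

function scanScript(text, file = '<inline>') {
  const findings = [];
  let masked = text;
  for (const { type, re, check } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (check && !check(m[0])) continue;
      findings.push({ type, file, line: lineOf(text, m.index), preview: redact(m[0]) });
    }
    // Blank out every match (same length, so line numbers survive) so the
    // entropy pass does not report the same key twice.
    masked = masked.replace(re, (m) => ' '.repeat(m.length));
  }
  for (const m of masked.matchAll(LITERAL_RE)) {
    const literal = m[1];
    if (PUBLIC_PREFIXES.some((p) => literal.startsWith(p))) continue;
    const h = shannonEntropy(literal);
    if (h >= ENTROPY_THRESHOLD) {
      findings.push({
        type: 'high-entropy-literal', file, line: lineOf(masked, m.index + 1),
        preview: redact(literal), entropy: Number(h.toFixed(2)),
      });
    }
  }
  return findings;
}

// Constructed sample bundle. Every token is fake; the JWTs are unsigned stand-ins.
function base64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const fakeJwt = (role) => ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9', base64urlEncode(JSON.stringify({ iss: 'supabase', role })), 'A'.repeat(43)].join('.');
const SAMPLE_BUNDLE = [
  '(()=>{var e="pk_test_51Hx0abcdefghijklmnopqrstuv";',          // publishable key: fine in the browser
  'var s="sk_live_51HxZZ9aBcDeFgHiJkLmNoPqRsTuVwXyZ";',           // Stripe secret key: leak
  'var o="sk-proj-abcdefghijklmnopqrstuvwxyz0123456789";',        // OpenAI-style secret key: leak
  'var a="AKIAIOSFODNN7EXAMPLE";',                                 // AWS access key ID (AWS docs example value)
  `var anon="${fakeJwt('anon')}";`,                                // Supabase anon key: public by design
  `var admin="${fakeJwt('service_role')}";`,                       // Supabase service_role key: leak
  'var g="9fK2xL7pQ4rT8wZ1aB3cD5eF6gH0jM2nP4sV7yX1";',            // unknown provider: caught by entropy
  'var cls="hero-section-primary-call-to-action-button";',        // long but low-entropy: ignored
  'var u="https://cdn.example.com/static/chunks/main-1a2b3c4d5e6f7a8b9c0d.js";})();',
].join('\n');

console.table(scanScript(SAMPLE_BUNDLE, 'main.js'));
```

Expect five findings (Stripe, OpenAI, AWS, the service_role JWT and the unknown 40-character token) and none for the publishable key, the anon JWT, the class name or the URL. Two design choices are worth keeping in your own scanner: report only a redacted prefix so the scan output does not become a second leak, and treat entropy hits as candidates to review, since the threshold here is tuned for base64-like tokens and a hex-only secret tops out at 4 bits per character and needs its own character class and lower threshold.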
What to do if you find one
- Rotate the key immediately in the provider's dashboard and assume it is already compromised; check the provider's usage or billing page for activity you do not recognise. Deleting the key from your code is not enough on its own: previous deployments and cached copies of the old bundle may still be serving it.
- Move the key to a server-side environment variable so it never reaches the browser. In Next.js that means a name without the NEXT_PUBLIC_ prefix, which only server code can read.
- Call the provider's API from your server, not the client, and have your front-end talk to your server. Keep that endpoint narrow: accept only the fields the feature needs and return only what the UI needs, so the browser never sees the provider's raw response or headers.
- Re-scan to confirm the key is gone from your public code, including any source maps you still serve.
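The NEXT_PUBLIC_ mistake from the list of common leaks and the server-side fix from the steps above, side by side, as an added example written for this page (not code from the page's product or from any provider). The handler has the shape of a Next.js App Router route handler, which is built on the Web Request/Response API, so it also runs as plain Node without Next.js installed; in a real project it would live in app/api/complete/route.js and be exported. The environment variable name PROVIDER_API_KEY, the upstream URL and the response shape are assumptions. The env object and the fetch function are parameters so the handler can be exercised without a network or a real key.

```javascript
// Added example: the server-side proxy that replaces a client-side provider call.

// BEFORE (leaks): anything prefixed NEXT_PUBLIC_ is inlined into the bundle at
// build time, so this Authorization header, key included, is readable in DevTools.
//
//   const r = await fetch('https://api.provider.example/v1/complete', {
//     headers: { Authorization: `Bearer ${process.env.NEXT_PUBLIC_PROVIDER_KEY}` },
//     body: JSON.stringify({ prompt }),
//   });

const UPSTREAM = 'https://api.provider.example/v1/complete'; // assumed upstream endpoint
const MAX_PROMPT_CHARS = 2000;

function json(obj, status) {
  return new Response(JSON.stringify(obj), { status, headers: { 'content-type': 'application/json' } });
}

// AFTER: the browser posts to our own /api/complete and only this server code
// ever sees the key. `env` and `fetchImpl` default to the real ones.
async function POST(request, { env = process.env, fetchImpl = fetch } = {}) {
  const key = env.PROVIDER_API_KEY; // no NEXT_PUBLIC_ prefix: never bundled for the browser
  if (!key) {
    // Fail closed and tell the client nothing about server configuration.
    return json({ error: 'service unavailable' }, 503);
  }
  let body;
  try {
    body = await request.json();
  } catch {
    return json({ error: 'invalid JSON' }, 400);
  }
  if (typeof body?.prompt !== 'string' || body.prompt.length > MAX_PROMPT_CHARS) {
    return json({ error: `prompt must be a string of at most ${MAX_PROMPT_CHARS} chars` }, 400);
  }
  // Only fields we choose go upstream: the client cannot set headers, model or anything else.
  const upstream = await fetchImpl(UPSTREAM, {
    method: 'POST',
    headers: { Authorization: `Bearer ${key}`, 'content-type': 'application/json' },
    body: JSON.stringify({ prompt: body.prompt }),
  });
  // Do not relay the provider's error body verbatim; it can echo request details.
  if (!upstream.ok) return json({ error: 'upstream error' }, 502);
  const data = await upstream.json();
  // Pass through only what the UI needs, not the provider's whole response.
  return json({ completion: data.completion ?? null }, 200);
}

// Build-time guard for the NEXT_PUBLIC_ mistake: a public variable whose *name*
// says it holds a secret is almost always a leak. Run from a prebuild script and
// fail the build if this returns anything. Name-based, so treat hits as review items.
const SECRET_NAME_HINTS = ['SECRET', 'PRIVATE', 'SERVICE_ROLE', 'TOKEN', 'PASSWORD'];
function misnamedPublicVars(env) {
  return Object.keys(env).filter(
    (name) => name.startsWith('NEXT_PUBLIC_') && SECRET_NAME_HINTS.some((h) => name.toUpperCase().includes(h)),
  );
}
```

The two properties worth testing in your own version are the ones the handler is built around: the key appears in the upstream request and nowhere in any response to the browser, and a missing or failing upstream produces a generic error rather than a stack trace or a provider message. Rate limiting and authentication on the proxy endpoint are the next step, since a proxy that anyone can call still lets strangers spend your quota, just not read your key.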