Leaked API Keys in Your JavaScript Bundles
The frontend hides nothing
Anything shipped in your client‑side JavaScript is fully readable by anyone. Minification is not protection — a determined attacker (or an automated scanner) can search your bundles for patterns that look like secrets. If a real API key is in there, it's compromised.
How keys end up in bundles
- A backend key gets imported into frontend code "just to get it working."
- An environment variable meant for the server is exposed to the client by a build tool (for example, using the wrong prefix in a framework that inlines certain vars).
- A third‑party SDK is initialized with a secret key instead of a publishable one.
What an attacker does with it
Depending on the key, they can rack up usage charges on your account, read or write data through the associated service, send email or SMS as you, or pivot into connected systems. Some keys are low‑risk by design (publishable keys), but many are not — and telling them apart is exactly where teams slip.
How to check and fix it
- Search your built JavaScript for key‑shaped strings and known provider prefixes.
- Move any privileged key to the server and call the service from your backend.
- Use publishable/restricted keys on the client where the provider offers them.
- Rotate any secret that ever shipped to the browser.
Let Safeey scan your bundles
Safeey fetches your JavaScript assets and checks them against dozens of secret patterns, masking anything it finds. Run a scan to see what your frontend is giving away.
See what your site exposes
Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.
Scan your site