Exposed Secrets
API keys in frontend code. Which ones are a real emergency (sk_live, service_role), which are public by design (pk_live, anon), and how to find, rotate, and stop leaking the dangerous ones.
6 articles
Exposed Secrets and API Keys in Frontend Code: The Complete Guide
An exposed API key in your frontend isn't always an emergency. Learn which keys are public by design, which are real leaks, and how to find and rotate the dangerous ones.
A Key Just Leaked — Rotate, Audit, Monitor (in That Order)
A secret key leaked? Here's the incident runbook: confirm it's actually secret, rotate it, audit for abuse, then monitor — because keys re-leak on the next deploy.
An Exposed OpenAI or Anthropic Key Is Someone Else's Bill on Your Card
An exposed OpenAI or Anthropic API key means strangers run up your bill and can reach your data. Learn where these keys belong, how to check yours, and how to fix it.
Did I Leak My Stripe Key? pk_live vs sk_live Explained
Found your Stripe key in your frontend? Whether it's an emergency depends on one letter. Learn pk_live vs sk_live and exactly what to do if you leaked the secret one.
How Attackers Extract Secrets From JS Bundles
An API key in your JavaScript can be pulled in minutes with no special tools. See exactly how attackers find secrets in a JS bundle — and run the same check on yourself.
Your Source Maps Are Publishing Your Source Code
Source map exposure can republish your entire codebase — comments, logic, and secrets — to anyone. Learn how to find leaked source maps and disable them in production.