Security · Critical

Exposed API Keys

Checks the client JS bundle for exposed secrets (Stripe, OpenAI, Supabase service keys, etc.).

What this check measures

We fetch the main JS bundle and scan for known API-key patterns: Stripe `sk_live_`, OpenAI `sk-proj-`, Supabase service role JWTs, AWS access keys, Google API keys. Any match is a critical finding.

Why it matters

Keys in your JavaScript bundle are public — downloaded by every visitor. Attackers scan GitHub and deployed bundles 24/7. Time from "key pushed" to "key abused" is often under 30 seconds. One exposed Stripe or OpenAI key can drain your account in hours.


How our audit detects it

We fetch every JS/TS file referenced from the HTML and run regex patterns for the common secret formats over each one. Each match is reported with the file path and a redacted snippet, so the report itself never reproduces the full key.

Typical findings

  • Stripe secret key in a React component, shipping to every browser.
  • Supabase service_role JWT in client code — bypasses RLS, full DB access.
  • OpenAI key in useEffect fetch — leaked with every page load.
  • NEXT_PUBLIC_ prefix on a secret — the prefix made it public.

How to fix

Rotate the leaked key immediately. Move it to a server-only env var (no NEXT_PUBLIC_ prefix). Create a backend API route that uses the key server-side and call that from the client.
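The detection described above (regex patterns over bundle text, with a redacted snippet per match) and the NEXT_PUBLIC_ finding from the list of typical findings, as an added Node.js example that is not Pantra's own scanner code. The patterns, the JWT role check, the sample bundle and the sample .env file are all constructed here for illustration; every key value below is a placeholder, not a real credential. The example goes slightly beyond the page in one respect: it decodes JWT payloads so that a Supabase anon key (which is meant to ship to the browser) is not reported, while a service_role JWT is.

```javascript
// Added example, not Pantra's code: scan JS bundle text for known secret
// formats, classify JWTs by their "role" claim, report redacted matches, and
// flag NEXT_PUBLIC_ env vars whose values look like secrets.
// All sample keys in this file are constructed placeholders.

function decodeJwtPayload(token) {
  try {
    const payload = token.split('.')[1];
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null; // not a decodable JWT: ignore
  }
}

// Only a JWT carrying role=service_role is a finding. Supabase anon keys are
// designed to be public and are constrained by RLS, so they are not reported.
function classifyJwt(token) {
  const claims = decodeJwtPayload(token);
  return claims && claims.role === 'service_role' ? 'service_role JWT (bypasses RLS)' : null;
}

// Assumed key shapes (illustrative, based on the prefixes named on the page).
const SECRET_PATTERNS = [
  { type: 'Stripe live secret key', re: /\bsk_live_[0-9A-Za-z]{16,}/g },
  { type: 'OpenAI project key',     re: /\bsk-proj-[0-9A-Za-z_-]{20,}/g },
  { type: 'AWS access key ID',      re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: 'Google API key',         re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { type: 'JWT', re: /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g, classify: classifyJwt },
];

// Keep only the prefix (which identifies the key type) and the last 4 chars.
function redact(secret) {
  return secret.slice(0, 8) + '...' + secret.slice(-4);
}

// Scan one file's text; returns findings with path, 1-based line and redacted snippet.
function scanText(text, path) {
  const findings = [];
  for (const { type, re, classify } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const label = classify ? classify(m[0]) : type;
      if (!label) continue;
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ type: label, path, line, snippet: redact(m[0]) });
    }
  }
  return findings;
}

// A NEXT_PUBLIC_ variable is inlined into the client bundle at build time, so a
// secret-shaped value under that prefix is a leak waiting to happen.
function auditEnv(envText) {
  const flagged = [];
  for (const raw of envText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.startsWith('NEXT_PUBLIC_') && scanText(value, '.env').length > 0) flagged.push(key);
  }
  return flagged;
}

// --- constructed sample input (placeholders only) ---------------------------
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const header = b64url({ alg: 'HS256', typ: 'JWT' });
const FAKE_SERVICE_JWT = `${header}.${b64url({ iss: 'supabase', role: 'service_role' })}.fakesig`;
const FAKE_ANON_JWT    = `${header}.${b64url({ iss: 'supabase', role: 'anon' })}.fakesig`;
const FAKE_GOOGLE_KEY  = 'AIza' + 'ExampleOnly'.padEnd(35, '0');

const SAMPLE_BUNDLE = [
  'const stripe = new Stripe("sk_live_TESTONLY0000000000000000");',
  'const supabase = createClient(url, "' + FAKE_ANON_JWT + '");',    // anon key: expected in the client
  'const admin = createClient(url, "' + FAKE_SERVICE_JWT + '");',    // service_role: critical
  'fetch(openaiUrl, { headers: { Authorization: "Bearer sk-proj-EXAMPLEKEY00000000000000000000" } });',
  'const aws = { accessKeyId: "AKIAEXAMPLE000000000" };',
  'const maps = "' + FAKE_GOOGLE_KEY + '";',
].join('\n');

const SAMPLE_ENV = [
  'NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co',
  'NEXT_PUBLIC_SUPABASE_ANON_KEY=' + FAKE_ANON_JWT,
  'NEXT_PUBLIC_STRIPE_KEY=sk_live_TESTONLY0000000000000000', // wrong prefix: ships to the browser
  'STRIPE_SECRET_KEY=sk_live_TESTONLY0000000000000000',      // server-only: fine
].join('\n');

console.log(JSON.stringify(scanText(SAMPLE_BUNDLE, '/_next/static/chunks/main.js'), null, 2));
console.log('NEXT_PUBLIC_ vars carrying secrets:', auditEnv(SAMPLE_ENV));
```

Run with `node scan.js`. Against the constructed bundle it reports five findings (Stripe, OpenAI, AWS, Google and the service_role JWT) with line numbers and redacted snippets, and skips the anon JWT; against the constructed .env it flags only NEXT_PUBLIC_STRIPE_KEY, since the same Stripe value under a server-only name is exactly where the fix above says it belongs.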


Frequently asked questions

Is rotating enough?
Yes. The old key stays visible in the bundle (and in anyone's copy of it) forever, but once rotated it no longer works, so attackers who scraped the old key cannot use the rotated one. This holds as long as the new key is kept server-side and never ships in a bundle.
What about the git history?
After rotating, the old key in git history is useless. Purging it with git-filter-repo is optional; the rotation is what matters.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
