Your Stripe key is in your JS bundle right now.
Founders are getting billed $250k because a Gemini key leaked into their JS bundle. Supabase service role keys bypassing RLS. .env files served publicly. We scan your HTML and JS bundles for 17 secret patterns — then give you a one-click fix prompt for Claude, Cursor, ChatGPT, or Gemini.
What attackers do the moment they find your keys
Bots scan GitHub, JS bundles, and public sites 24/7. From key discovered to damage done — under 60 seconds.
- Create unlimited charges to your customers' cards
- Issue fake refunds to attacker-controlled accounts
- Download your full customer + payment database
- Cancel all active subscriptions instantly
- You get the chargebacks — they keep the money
- Run millions of AI API calls billed to your account
- Sell access to your key on black-market Telegram groups
- Use your key to power their own AI product for free
- Bill: $10k/day is common. $250k cases have been reported
- Google / OpenAI rarely waive the charges
- Direct database access — read every user's data
- Export and sell your entire user list
- Delete all data (ransomware — pay or lose everything)
- Inject malicious content into your app
- GDPR breach notification + potential fines
- Download 100% of your source code in minutes
- Find hardcoded keys buried in old commits
- Understand your auth logic and bypass it
- Clone and launch a competing product using your IP
- Find other secrets in git history you forgot were there
Real attack timeline
The exact mistakes that get founders hacked
These aren't hypothetical. They're the actual lines of code we find in vibe-coded apps every day.
Prefixing secrets with NEXT_PUBLIC_
Most common mistake: Claude and Cursor often write NEXT_PUBLIC_ on env vars so they work in the browser. But NEXT_PUBLIC_ means the value is bundled into your JS and sent to every visitor.
# ❌ This goes into your JS bundle. Anyone can open DevTools and read it.
NEXT_PUBLIC_OPENAI_API_KEY=sk-proj-...
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_...
# ✅ No prefix = server-only. Call it from an /api/ route instead.
OPENAI_API_KEY=sk-proj-...
Calling AI APIs directly from a React component
Instant key exposure: AI tools generate client-side fetch() calls to OpenAI, Gemini, or Anthropic to make things work quickly. Your secret key ships inside the JS bundle to every browser.
// ❌ This component renders in the browser. sk-... is visible in the bundle.
const res = await fetch("https://api.openai.com/v1/chat/completions", {
headers: { Authorization: `Bearer ${process.env.NEXT_PUBLIC_OPENAI_KEY}` }
});
// ✅ Make the call in /app/api/chat/route.ts — key never leaves the server.
.env committed to git, repo made public later
Permanent exposure: You start a private repo, commit .env early, then open-source the project or the repo accidentally becomes public. The key is in git history forever — even after you delete the file.
# ❌ .env was committed on day 1. It's in git history permanently.
git log --all -p | grep "sk_live_"   # attackers run this first
# ✅ Add .env to .gitignore BEFORE your first commit.
# If it was already committed: rotate all keys, then use BFG to rewrite history.
Supabase service role key in the frontend
Full DB bypass: Cursor often copies the Supabase service role key into client code to skip Row Level Security errors during development. That key gives anyone admin-level database access — bypassing all your RLS policies.
// ❌ service_role key bypasses ALL Row Level Security. Never use in browser.
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY)
// ✅ Use the anon key in the browser. Use service_role only in server routes.
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)
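As an added example (not the page's or AIExposureTool's own code), here is a small Node.js scanner in the spirit of the NEXT_PUBLIC_, client-side fetch and Supabase mistakes above: it searches bundle text for the key prefixes the page quotes, decodes any JWT it finds to tell a service_role key from the anon key, and flags NEXT_PUBLIC_ variable names that carry a secret. The regexes and every sample value are assumptions constructed for the demo.

```javascript
// Added example, not the page's or AIExposureTool's own code. The regexes are
// assumptions built from the key prefixes the page quotes (sk_live_, sk-proj-,
// AIzaSy); the JWT decode separates a Supabase service_role key from an anon key.
const PATTERNS = [
  { name: "Stripe live secret key", severity: "CRITICAL", re: /\bsk_live_[0-9A-Za-z]{8,}/g },
  { name: "OpenAI project key", severity: "CRITICAL", re: /\bsk-proj-[0-9A-Za-z_-]{8,}/g },
  { name: "Google/Gemini API key", severity: "HIGH", re: /\bAIzaSy[0-9A-Za-z_-]{8,}/g },
  { name: "JWT", severity: "INFO", re: /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g },
];
// Decode a JWT payload without verifying the signature; null if malformed.
function jwtPayload(token) {
  try { return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8")); }
  catch { return null; }
}
// Scan bundle text and return redacted findings (never the full secret value).
function scanBundle(text) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      let { name, severity } = p;
      if (name === "JWT") {
        if (jwtPayload(m[0])?.role !== "service_role") continue; // anon key in the browser is expected
        name = "Supabase service_role key (bypasses RLS)";
        severity = "CRITICAL";
      }
      findings.push({ name, severity, preview: m[0].slice(0, 10) + "...", offset: m.index });
    }
  }
  return findings;
}
// Flag NEXT_PUBLIC_ variables whose names say they hold a server-only secret.
function auditEnvNames(envText) {
  const bad = /^NEXT_PUBLIC_[A-Z0-9_]*(SECRET|SERVICE|PRIVATE)[A-Z0-9_]*=/;
  return envText.split("\n").map((l) => l.trim()).filter((l) => bad.test(l)).map((l) => l.split("=")[0]);
}
// Constructed sample input; every value below is fake.
const fakeJwt = (payload) => "eyJhbGciOiJIUzI1NiJ9." + Buffer.from(JSON.stringify(payload)).toString("base64url") + ".c2ln";
const SAMPLE_BUNDLE =
  `var s=createClient(u,"${fakeJwt({ role: "service_role" })}");var a=createClient(u,"${fakeJwt({ role: "anon" })}");` +
  `fetch(x,{headers:{Authorization:"Bearer sk-proj-FAKEFAKEFAKE1234"}});` +
  `new Stripe("sk_live_51FAKEFAKEFAKE");new GoogleGenerativeAI("AIzaSyFAKEFAKEFAKEFAKE")`;
const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co", "NEXT_PUBLIC_SUPABASE_SERVICE_KEY=eyJ...",
  "NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_...", "OPENAI_API_KEY=sk-proj-...",
].join("\n");
console.log(scanBundle(SAMPLE_BUNDLE), auditEnvNames(SAMPLE_ENV));
```

Run it against a downloaded `_next/static/chunks/*.js` file instead of SAMPLE_BUNDLE to check your own build; the anon JWT is deliberately skipped, so only the service_role key is reported.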
Importing Stripe or OpenAI SDK directly in a client component
Entire SDK + key in browser: When you import the Stripe or OpenAI Node SDK inside a React component (not a server route), Next.js bundles the entire SDK and your secret key into the JS file sent to every visitor. Anyone can open Network tab → find the chunk → search for 'sk_'.
// ❌ This is a client component. The whole OpenAI SDK ships to the browser.
import OpenAI from "openai" // ← Node SDK, not meant for browsers
const client = new OpenAI({ apiKey: process.env.NEXT_PUBLIC_OPENAI_KEY })
// Your sk-proj-... is now in _next/static/chunks/app/page-[hash].js
// Any visitor: DevTools → Sources → search "sk-" → found.
// ✅ Move to /app/api/generate/route.ts (server-only)
// import OpenAI only there. Client calls fetch("/api/generate") instead.
Hardcoding keys directly in source — 'I'll move it to .env later'
Never gets moved: When prototyping fast, founders paste keys directly into code to skip the .env setup. It ships to production, gets committed to git, and 'later' never comes. This is how $250k Gemini bills happen.
// ❌ Hardcoded to 'test quickly' — shipped to prod, committed to git.
const genAI = new GoogleGenerativeAI("AIzaSy...")
const stripe = new Stripe("sk_live_51...")
// Now it's in: git history, your JS bundle, and GitHub's public search index.
// GitHub's search finds exposed keys in seconds. So do bots.
// ✅ Always start with .env, even on day 1 of prototyping.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY!)
From our last 1,000 scans of vibe-coded apps
- Missing Content-Security-Policy
- Source maps publicly exposed
- API keys found in JS bundles
- .env file returns 200
Most founders had no idea until they scanned.
19 checks across 9 categories
Most scanners only check HTTP headers. We go deeper — fetching your actual JS bundles to find secrets hiding in client-side code, the #1 place vibe-coded apps leak keys.
- HTTPS & Encryption: HTTPS, redirects, HSTS, mixed content detection
- Security Headers: CSP, X-Frame-Options, XCTO, Referrer-Policy, SRI checks
- API Key Leaks: Stripe, Gemini, OpenAI, Anthropic, Razorpay, AWS, Supabase service keys — scanned in HTML and JS bundles
- Exposed Files: .env, .git, backup.sql, package.json publicly accessible
- Admin & API Endpoints: /admin, /wp-admin, /phpmyadmin, GraphQL introspection, Swagger docs
- Source Code Leaks: Source maps (.js.map) + JS bundle contents scanned — your full codebase readable by anyone with DevTools
- Debug Mode & Stack Traces: console.log left in production, error stack traces, dev mode indicators
- CORS & Cookies: Wildcard CORS, missing Secure/HttpOnly/SameSite cookie flags
- Server Info Disclosure: Server version, X-Powered-By exposing tech stack to attackers
Your site gets a security grade
Scored 0–100, graded A–F. Know exactly where you stand.
Most vibe-coded apps score between C and F on their first scan.
One prompt. Every bug fixed.
Built only for your site.
After scanning, we generate a fix prompt written specifically for your domain, your stack, and your exact vulnerabilities — not a generic checklist. Paste it into any AI and watch every security issue get resolved in minutes.
# Security Fix Prompt for yoursite.com
# Generated by AIExposureTool
Fix these security issues found on my site:
1. [CRITICAL] .env file is publicly accessible at /.env — move all secrets to server env vars.
2. [HIGH] Source map exposed at /main.js.map — disable in build.
3. [MEDIUM] Missing CSP header — add Content-Security-Policy...
Specific to your domain & stack
Every prompt includes your actual URL, your real findings, and actionable steps — not copy-paste boilerplate.
Sorted by severity
Critical issues first. The prompt tells your AI exactly what to fix and in what order so nothing gets missed.
Works with any AI coding tool
Paste into Claude, Cursor, ChatGPT, or Gemini. The prompt is formatted for immediate action — no editing needed.
One scan → zero vulnerabilities
Most founders fix every issue in under 30 minutes by just following what the prompt says.
How it works
Paste your URL
Enter your live site — no install, no signup needed
We scan passively
Headers, files, source code — read-only, nothing intrusive
Get fix prompts
Copy into Claude, Cursor, ChatGPT or Gemini to fix every issue instantly
Loved by founders & developers
Trusted by 1,000+ teams shipping with AI
1,000+ websites scanned · 500+ founders and developers use AIExposureTool to ship secure, AI-visible products
- 1,000+ websites scanned
- 500+ founders & developers
- 19 security checks
- $0 to get started
“Found a leaked Supabase service role key in my JS bundle within seconds. Would have been a disaster in production.”
Alex R.
SaaS founder
“Caught a NEXT_PUBLIC_ Stripe secret key that Cursor had added. The fix prompt patched it in one paste. Incredible tool.”
Priya S.
Indie developer
“Scanned before launch and found my .env was publicly accessible. Fixed in 5 minutes. This should be mandatory for every vibe-coder.”
Marcus T.
Vibe-coder & founder
Pricing
Simple, founder-friendly pricing
Start free. Upgrade when you need more audits.
Free
Try it out. No credit card required.
- 1 free scan per website URL
- AI Visibility Score (0-100)
- Security Score & Grade (A-F)
- Top 3 issues shown instantly
- 3 full report unlocks/month
- Basic fix prompts
- 1 competitor comparison
Starter
billed as $180/year
🎉 Save $48/yr. For founders actively improving their AI presence.
- 25 AI visibility audits/month
- 25 security scans/month
- Re-scan any URL anytime
- Full AI & security issue breakdown
- Fix prompts for Claude, Cursor, ChatGPT & Gemini
- llms.txt · llms-full.txt · JSON-LD
- Weekly monitoring + email alerts (3 URLs)
- Score history charts
- Competitor comparison (3 competitors)
- AI rank tracking (3 queries)
- SSL certificate expiry alerts
Pro
billed as $468/year
🎉 Save $120/yr. For teams and agencies managing multiple sites.
- Unlimited AI visibility & security scans
- Weekly monitoring + email alerts (10 URLs)
- Score regression alerts
- Competitor comparison (10 competitors)
- AI rank tracking (10 queries)
- SSL certificate expiry alerts
- Score history charts & trends
- Priority scan processing
- Everything in Starter
Secure checkout via Paddle · Cancel anytime · No hidden fees
Is your site safe right now?
Most founders are surprised by what we find.
Free for first scan · Upgrade to re-scan anytime