
Hard-coded Secrets

Finding API keys and passwords hidden in source code or client-side builds.

Many developers accidentally leave environment variables or API keys in their frontend code. These can be easily found by inspecting the source or examining network traffic.


The Danger of Frontend Exposure

Frontend code is public. If you use NEXT_PUBLIC_ variables in Next.js, they are inlined into the static JS bundles at build time, so anyone who can load the page can read them. Attackers use automated tools to scrape millions of sites for these patterns, leading to compromised databases and bankrupt AWS accounts.

Tools used:

  • TruffleHog (scans git history)
  • Google Dorks (site:github.com "password=")
  • Browser DevTools (Network/Sources tabs)
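The following is an added example, not code from the original page or from any of the tools listed above: a minimal scanner of the kind a defender would run over their own built bundles before deploying, combining fixed-format credential patterns with a Shannon-entropy check on secret-looking assignments. The sample bundle fragment, the regexes and the 3.5-bit threshold are constructed for illustration; the AWS values are the public placeholder credentials from AWS's own documentation.

```javascript
// Added example (not from the original page): scan a built frontend bundle
// for secret-looking values. Sample bundle and threshold are constructed.

// Shannon entropy in bits per character; random keys score high, prose scores low.
function shannonEntropy(s) {
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0;
  for (const n of freq.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fixed-format credentials are reported on shape alone.
const KNOWN_PATTERNS = [
  { type: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'github_pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

// Generic case: NAME:"value" or NAME="value" where NAME hints at a secret
// (this is how NEXT_PUBLIC_ variables look once the build has inlined them).
const ASSIGN_RE =
  /([A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)\s*[:=]\s*["']([^"']{8,})["']/gi;

function scanBundle(text, entropyThreshold = 3.5) {
  const findings = [];
  const seen = new Set();
  for (const { type, re } of KNOWN_PATTERNS) {
    for (const m of text.matchAll(re)) {
      seen.add(m[0]);
      findings.push({ type, value: m[0] });
    }
  }
  for (const m of text.matchAll(ASSIGN_RE)) {
    const [, key, value] = m;
    // Skip values already reported by a known pattern; keep only high-entropy ones.
    if (seen.has(value) || shannonEntropy(value) < entropyThreshold) continue;
    findings.push({ type: 'high_entropy_assignment', key, value });
  }
  return findings;
}

// Constructed minified-bundle fragment (AWS values are AWS's documented placeholders).
const SAMPLE_BUNDLE = [
  'var e={NEXT_PUBLIC_API_URL:"https://api.example.com",',
  'NEXT_PUBLIC_API_KEY:"q7Vx9Lm2pZr4Ks8Wn3Yt6Bc1",',
  'AWS_ACCESS_KEY_ID:"AKIAIOSFODNN7EXAMPLE",',
  'AWS_SECRET_ACCESS_KEY:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",',
  'NEXT_PUBLIC_THEME:"dark"};',
].join('');
```

Run it as `scanBundle(SAMPLE_BUNDLE)`: the URL and theme values are ignored, while the inlined API key and both AWS credentials are reported.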

Best Practice:

  • Use a backend proxy for API calls
  • Rotate keys immediately if leaked
  • Use .gitignore for .env files