Exposed Secrets in JavaScript (Exposed Secrets)

Security Glossary - Web Security

Definition: Exposed secrets are sensitive credentials, tokens, API keys, or configuration values that are unintentionally shipped in client-side JavaScript bundles, source maps, or HTML source. Because the browser downloads and executes that JavaScript, anything in it is readable by every visitor and by automated scanners; a value that must stay confidential cannot live in client code at all.

Summary

  • API keys, passwords, tokens, and private keys accidentally made public
  • Common locations: source code, git history, error messages, client-side JavaScript
  • Automated scanners detect exposed secrets within minutes on public repos
  • Prevention: environment variables, secret managers, pre-commit hooks
  • Remediation requires rotation, not just deletion from the repository

The Importance of Exposed Secrets

Modern JavaScript bundlers (webpack, Vite, and the frameworks built on them) replace references such as process.env.NAME or import.meta.env.NAME with literal values at build time. If the build configuration does not restrict which variables may be inlined, a .env file containing DATABASE_URL or STRIPE_SECRET_KEY ends up as a string literal in the frontend bundle, readable by anyone who views the page source or downloads the script.

Source maps are useful for debugging, but they carry the original, unminified source, including comments, development URLs, internal logic and any credentials that were inlined at build time. If they are deployed to production, or a sourceMappingURL comment at the end of the bundle points to a reachable .map file, attackers get the readable code directly and can look for vulnerabilities in it. Upload source maps to your error-tracking service if it needs them, but do not serve them from the public web root.

Automated secret scanning tools search JavaScript bundles for high-entropy strings, known API key patterns (for example the sk_live_ prefix of Stripe secret keys or the AKIA prefix of AWS access key IDs) and common credential formats such as database connection URLs and PEM private-key headers. Running such a scan in the build pipeline, before the bundle is published, catches accidentally bundled credentials; a second scan against the deployed site catches what the pipeline missed.

How to Check

A security audit scans your site's JavaScript bundles for patterns matching common secrets (API keys, database URLs, private keys). It checks for exposed source maps and development configurations. Run this scan after every deployment to catch accidentally bundled credentials.
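
The pattern-and-entropy scan described above and in the audit description, as an added example that is not DomainOptic's scanner or any other tool's code: a small Node.js script that runs a handful of credential patterns plus a Shannon-entropy check over a constructed bundle. The key formats, the entropy threshold of 4.5 bits per character and the sample bundle (which uses AWS's documented example key ID and made-up Stripe and database values) are assumptions chosen for illustration; a real scanner carries a much larger rule set.

```javascript
// Added example, not DomainOptic's scanner: a minimal secret scanner for a
// JavaScript bundle. It reports (1) known credential formats, (2) connection
// strings and private-key headers, (3) string literals with high Shannon
// entropy, and (4) a sourceMappingURL comment that would expose a source map.
// Patterns, threshold and sample input are assumptions for illustration.

// Known formats. Each regex has the g flag so matchAll() can iterate it.
const KNOWN_PATTERNS = [
  { type: 'AWS access key id',       re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'Stripe live secret key',  re: /\bsk_live_[0-9a-zA-Z]{16,}\b/g },
  { type: 'GitHub personal token',   re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { type: 'Database connection URL', re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s"'`]+/g },
  { type: 'Private key block',       re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { type: 'Source map reference',    re: /\/\/[#@]\s*sourceMappingURL=\S+/g },
];

// Shannon entropy in bits per character: random keys score high, prose and
// placeholders score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan one bundle. Returns [{ type, value, line }] in discovery order;
// literals already matched by a known pattern are not reported twice.
function scanBundle(source, { entropyThreshold = 4.5 } = {}) {
  const findings = [];
  const seen = new Set();
  const lineOf = (idx) => source.slice(0, idx).split('\n').length;

  for (const { type, re } of KNOWN_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ type, value: m[0], line: lineOf(m.index) });
      seen.add(m[0]);
    }
  }

  // Quoted literals of 20+ key-like characters (alphanumerics, base64, _ and -).
  const literal = /["'`]([A-Za-z0-9+\/=_\-]{20,})["'`]/g;
  for (const m of source.matchAll(literal)) {
    const value = m[1];
    if (seen.has(value)) continue;
    const entropy = shannonEntropy(value);
    if (entropy >= entropyThreshold) {
      findings.push({ type: 'High-entropy literal', value, line: lineOf(m.index), entropy });
    }
  }
  return findings;
}

// Constructed bundle: one harmless string, three bundled secrets, one
// unknown-format key, one low-entropy placeholder and a source map comment.
const SAMPLE_BUNDLE = [
  '(function(){var e="Loading your dashboard...";',
  'var STRIPE_KEY="sk_live_EXAMPLE000000000000000000";',
  'var DB="postgres://app:hunter2@db.internal:5432/prod";',
  'var AWS_ID="AKIAIOSFODNN7EXAMPLE";',
  'var SIGNING="qW3eR5tY7uI9oP1aS2dF4gH6jK8lZ0xC";',
  'var PLACEHOLDER="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";',
  '})();',
  '//# sourceMappingURL=main.abc123.js.map',
].join('\n');

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.type} -> ${f.value}`);
}
```

Run it against a real build by reading the emitted .js files instead of SAMPLE_BUNDLE and failing the pipeline when scanBundle returns anything. The entropy check is what catches credentials whose format no rule knows; tune the threshold against your own bundle, since minified code contains legitimate long identifiers and base64 assets that score close to the cut-off.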

Exposed Secrets FAQ

How do secrets end up in frontend code?
Common causes: referencing process.env.SECRET_KEY in frontend code (the bundler inlines the value at build time), committing .env files to repositories, leaving console.log statements that print tokens or API responses, deploying source maps, or copying server-side code into client components without removing the secrets it used.
How do I prevent secrets from leaking to the frontend?
Use the framework's public prefix (REACT_APP_, VITE_, NEXT_PUBLIC_) only for values that are safe to publish, such as an API base URL or a publishable key; the prefix makes a value public, it does not protect it. Keep secret keys on the server and have the frontend call a server endpoint that uses them. Do not serve source maps from production. Add secret scanning to the CI/CD pipeline so a build that contains a credential fails before it is deployed, and treat any secret that has already shipped as compromised: rotate it, because removing it from the next build does not undo the exposure.
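
The build-time inlining described under "The Importance of Exposed Secrets" and the prefix rule in the answer above, as an added example that is not webpack's, Vite's or any framework's code: a toy build step in Node.js that resolves process.env.NAME and import.meta.env.NAME references the way a define or DefinePlugin configuration does, first with no restriction (which ships the Stripe key) and then with a public-prefix allowlist that fails the build instead. The sample env values, the client source and the VITE_ default are constructed assumptions.

```javascript
// Added example, not webpack's or Vite's code: a toy build step showing how
// environment references are inlined into a client bundle, and how a prefix
// allowlist stops secrets from being inlined. Env values, client source and
// the VITE_ default are constructed for illustration.

// Constructed .env contents as the build would see them.
const ENV = {
  VITE_API_BASE: 'https://api.example.com',                     // public
  STRIPE_SECRET_KEY: 'sk_live_EXAMPLE000000000000000000',       // server-only
  DATABASE_URL: 'postgres://app:hunter2@db.internal:5432/prod', // server-only
};

// Constructed client code that wrongly uses a server-only variable.
const CLIENT_SOURCE = [
  "fetch(process.env.VITE_API_BASE + '/checkout', {",
  "  headers: { Authorization: 'Bearer ' + process.env.STRIPE_SECRET_KEY },",
  '});',
].join('\n');

// process.env.NAME or import.meta.env.NAME, capturing NAME.
const ENV_REF = /\b(?:process\.env|import\.meta\.env)\.([A-Z0-9_]+)\b/g;

// Serialise a value as a JS literal; unknown names become undefined, which
// is what bundlers emit for references they cannot resolve.
function toLiteral(value) {
  return value === undefined ? 'undefined' : JSON.stringify(value);
}

// What an over-broad configuration such as
// DefinePlugin({ 'process.env': JSON.stringify(process.env) }) does:
// every reference is resolved, secrets included.
function naiveInline(source, env) {
  return source.replace(ENV_REF, (_, name) => toLiteral(env[name]));
}

// Hardened: only names carrying the public prefix are inlined; any other
// reference fails the build so the leak is caught before deployment.
function safeInline(source, env, publicPrefix = 'VITE_') {
  return source.replace(ENV_REF, (_, name) => {
    if (!name.startsWith(publicPrefix)) {
      throw new Error(`refusing to inline non-public variable ${name} into the client bundle`);
    }
    return toLiteral(env[name]);
  });
}

// Post-build check: true if the bundle still contains any server-only value.
function leaksServerSecrets(bundle, env, publicPrefix = 'VITE_') {
  return Object.entries(env)
    .filter(([name]) => !name.startsWith(publicPrefix))
    .some(([, value]) => bundle.includes(value));
}

const leaky = naiveInline(CLIENT_SOURCE, ENV);
console.log('naive build leaks secrets:', leaksServerSecrets(leaky, ENV)); // true
try {
  safeInline(CLIENT_SOURCE, ENV);
} catch (e) {
  console.log('safe build failed as intended:', e.message);
}
```

The failing build is the point: a client component that references STRIPE_SECRET_KEY is a bug regardless of the build settings, and the allowlist turns it into a compile error rather than a leaked key. leaksServerSecrets is the belt-and-braces check to run over the emitted files, since a secret can also reach the bundle through a hard-coded literal that no inlining rule sees.
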
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.