AIExposureTool
Free Security Scanner

Find security flaws before hackers do

Founders are getting billed $250k because a Gemini key leaked into their JS bundle. Stripe keys in client components. .env files served publicly. We scan your HTML and JS bundles for 17 secret patterns, then give you an exact fix prompt for Claude, Cursor, or ChatGPT.

No login required · Passive scan only · Results in ~10 seconds

Free passive scan. No signup required. Results in ~10 seconds.

This is happening right now

What attackers do the moment they find your keys

Bots scan GitHub, JS bundles, and public sites 24/7. From key discovered to first abuse takes under a minute; the bill keeps growing for as long as the key stays valid.

💳 Stripe Secret Key
Immediate financial loss
  • Create unlimited charges to your customers' cards
  • Issue fake refunds to attacker-controlled accounts
  • Download your full customer + payment database
  • Cancel all active subscriptions instantly
  • You get the chargebacks; they keep the money
🤖 Gemini / OpenAI / Claude Key
$250k+ API bills overnight
  • Run millions of AI API calls billed to your account
  • Sell access to your key on black-market Telegram groups
  • Use your key to power their own AI product for free
  • Bill: $10k/day is common. $250k cases have been reported
  • Google / OpenAI rarely waive the charges
🗄️ .env / Database URL
Total data loss
  • Direct database access: read every user's data
  • Export and sell your entire user list
  • Delete all data (extortion: pay or lose everything)
  • Inject malicious content into your app
  • GDPR breach notification + potential fines
📂 .git Directory / Source Maps
Full code theft
  • Download 100% of your source code in minutes
  • Find hardcoded keys buried in old commits
  • Understand your auth logic and bypass it
  • Clone and launch a competing product using your IP
  • Find other secrets in git history you forgot were there

Real attack timeline

T+0s    Bot finds your key in a JS bundle or .env
T+5s    Key validated with a test charge or API call
T+30s   Shared to a Telegram channel of 5,000
T+2min  Mass exploitation, hundreds of bots running
T+1hr   Damage done: $10k–$250k in charges

The exact mistakes that get founders hacked

These aren't hypothetical. They're the actual lines of code we find in vibe-coded apps every day.

01  Prefixing secrets with NEXT_PUBLIC_
Most common mistake

Claude and Cursor often add NEXT_PUBLIC_ to an env var so it "works" in the browser. That prefix is the problem: Next.js inlines every NEXT_PUBLIC_ variable into the client JS bundle at build time, so the value is sent to every visitor. Renaming the variable afterwards does not un-ship the key; builds that contained it are still cached by CDNs and browsers, so rotate the key as well.

// โŒ This goes into your JS bundle. Anyone can open DevTools and read it.
NEXT_PUBLIC_OPENAI_API_KEY=sk-proj-...
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_...

// โœ… No prefix = server-only. Call it from an /api/ route instead.
OPENAI_API_KEY=sk-proj-...

02  Calling AI APIs directly from a React component
Instant key exposure

AI tools generate client-side fetch() calls to OpenAI, Gemini, or Anthropic to make things work quickly. The secret key ships inside the JS bundle to every browser, and even if it somehow didn't, the Authorization header of a request made from the browser is visible to the user in the Network tab.

// โŒ This component renders in the browser. sk-... is visible in the bundle.
const res = await fetch("https://api.openai.com/v1/chat/completions", {
  headers: { Authorization: `Bearer ${process.env.NEXT_PUBLIC_OPENAI_KEY}` }
});

// โœ… Make the call in /app/api/chat/route.ts โ€” key never leaves the server.

03  .env committed to git, repo made public later
Permanent exposure

You start a private repo, commit .env early, then open-source the project or the repo accidentally becomes public. Deleting the file in a later commit changes nothing: the key is still in git history, and any fork or clone made while the repo was public keeps its own copy. Rotate the key; rewriting history only cleans up your own repo.

# โŒ .env was committed on day 1. It's in git history permanently.
git log --all -p | grep "sk_live_"  # attackers run this first

# โœ… Add .env to .gitignore BEFORE your first commit.
# If it was already committed: rotate all keys, then use BFG to rewrite history.

04  Supabase service role key in the frontend
Full DB bypass

Cursor often copies the Supabase service role key into client code to make Row Level Security errors go away during development. That key bypasses every RLS policy, so anyone who reads it out of the bundle has admin-level access to the whole database. The anon key is the one meant for the browser, and it is only safe when RLS is enabled on every table, because it grants exactly what your policies allow.

// โŒ service_role key bypasses ALL Row Level Security. Never use in browser.
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY)

// โœ… Use the anon key in the browser. Use service_role only in server routes.
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)

05  Importing Stripe or OpenAI SDK directly in a client component
Entire SDK + key in browser

When you import the Stripe or OpenAI Node SDK inside a client component (not a server route), Next.js bundles the whole SDK into the JS chunk sent to every visitor, and if the key comes from a NEXT_PUBLIC_ variable it is inlined right next to it. (A process.env variable without the prefix is undefined in the browser, which is usually why the prefix gets added in the first place.) The OpenAI SDK even refuses to run in a browser unless you pass dangerouslyAllowBrowser: true; having to set that flag is the warning sign. Anyone can open the Network tab, find the chunk, and search for 'sk_'.

// โŒ This is a client component. The whole OpenAI SDK ships to the browser.
import OpenAI from "openai"  // โ† Node SDK, not meant for browsers
const client = new OpenAI({ apiKey: process.env.NEXT_PUBLIC_OPENAI_KEY })

// Your sk-proj-... is now in _next/static/chunks/app/page-[hash].js
// Any visitor: DevTools โ†’ Sources โ†’ search "sk-" โ†’ found.

// โœ… Move to /app/api/generate/route.ts (server-only)
// import OpenAI only there. Client calls fetch("/api/generate") instead.
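The server-side half of the fix for mistakes 02 and 05, as an added example (this editor's code, not the page's and not Next.js's own API beyond the standard Request/Response objects a route handler receives and returns): a factory that builds the POST handler for app/api/chat/route.js. The upstream fetch is injected so the handler can be exercised offline against a constructed fake; the parameter names, the 2000-character cap, the model name and the isAuthorized hook are assumptions. The point the page leaves implicit: once the key lives on the server, the route itself is what an attacker burns your quota through, so it needs a session check and input limits, not just a relocated key.

```javascript
// Added example (not the page's or Next.js's code): a route handler factory
// that keeps the OpenAI key server-side. Names and limits are assumptions.
const UPSTREAM = "https://api.openai.com/v1/chat/completions";
const MAX_PROMPT_CHARS = 2000; // assumption: bound per-request spend

function json(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// In app/api/chat/route.js:
//   export const POST = createChatHandler({
//     apiKey: process.env.OPENAI_API_KEY,             // no NEXT_PUBLIC_ prefix
//     fetchImpl: fetch,
//     isAuthorized: async (req) => Boolean(await getSession(req)), // your auth helper (assumed)
//   });
function createChatHandler({ apiKey, fetchImpl, isAuthorized }) {
  if (!apiKey) throw new Error("OPENAI_API_KEY is not set; refusing to start without it");

  return async function POST(req) {
    // A key-free proxy is still your quota: without a session check anyone can burn it.
    if (!(await isAuthorized(req))) return json({ error: "unauthorized" }, 401);

    // Validate the browser's input; never forward an arbitrary body upstream.
    let body;
    try {
      body = await req.json();
    } catch {
      return json({ error: "body must be JSON" }, 400);
    }
    const prompt = body && typeof body.prompt === "string" ? body.prompt.trim() : "";
    if (!prompt || prompt.length > MAX_PROMPT_CHARS) {
      return json({ error: `prompt must be 1-${MAX_PROMPT_CHARS} characters` }, 400);
    }

    // Only the server attaches the secret. The browser never sees this header.
    const upstream = await fetchImpl(UPSTREAM, {
      method: "POST",
      headers: { authorization: `Bearer ${apiKey}`, "content-type": "application/json" },
      body: JSON.stringify({
        model: "gpt-4o-mini",
        max_tokens: 300,
        messages: [{ role: "user", content: prompt }],
      }),
    });
    // Don't relay the upstream error body; it can include account identifiers.
    if (!upstream.ok) return json({ error: "upstream request failed" }, 502);
    const data = await upstream.json();
    return json({ reply: data.choices?.[0]?.message?.content ?? "" });
  };
}

// Constructed stand-in for api.openai.com so the handler can be exercised offline.
function fakeOpenAI() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, authorization: init.headers.authorization, body: JSON.parse(init.body) });
    return json({ choices: [{ message: { content: "hello from the fake model" } }] });
  };
  return { calls, fetchImpl };
}
```

Add a per-user rate limit in front of isAuthorized for anything that bills per call; the 401 and the prompt cap only stop anonymous and oversized abuse, not a logged-in user running a loop.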

06  Hardcoding keys directly in source: 'I'll move it to .env later'
Never gets moved

When prototyping fast, founders paste keys directly into code to skip the .env setup. It ships to production, gets committed to git, and 'later' never comes. This is how $250k Gemini bills happen.

// โŒ Hardcoded to 'test quickly' โ€” shipped to prod, committed to git.
const genAI = new GoogleGenerativeAI("AIzaSy...")
const stripe = new Stripe("sk_live_51...")

// Now it's in: git history, your JS bundle, and GitHub's public search index.
// GitHub's search finds exposed keys in seconds. So do bots.

// โœ… Always start with .env, even on day 1 of prototyping.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY!)
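What "DevTools → search sk-" looks like as a scanner, as an added example (this editor's code, not AIExposureTool's): it runs over a constructed minified chunk containing the key shapes from mistakes 01-06, decodes Supabase JWTs to tell an anon key from a service_role key, masks JWTs before applying the prefix regexes so base64 cannot trigger them, and redacts values in the report. The regex list, severities, and sample bundle are assumptions; the 17 patterns the tool itself uses are not published on this page.

```javascript
// Added example (not AIExposureTool's code): a scanner for the key shapes in
// mistakes 01-06 above. The regexes, severities, and the sample bundle are
// this editor's assumptions; every key in the sample is a constructed fake.

// Prefix patterns. Supabase keys are handled separately below: they are JWTs,
// and only the "role" claim tells an anon key apart from a service_role key.
const PATTERNS = [
  { id: "stripe_secret",     severity: "critical", re: /\b[sr]k_live_[0-9A-Za-z]{24,}\b/g },
  { id: "anthropic_key",     severity: "critical", re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { id: "openai_key",        severity: "critical", re: /\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  { id: "google_api_key",    severity: "high",     re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { id: "aws_access_key_id", severity: "high",     re: /\bAKIA[0-9A-Z]{16}\b/g },
];
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodeJwtClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null; // not a JWT after all
  }
}

// A report that contains the full secret is itself a leak; keep a prefix only.
function redact(secret) {
  return `${secret.slice(0, 8)}...(${secret.length} chars)`;
}

function scanBundle(text, source = "bundle.js") {
  const findings = [];
  // JWTs first, then blank them out so the prefix regexes cannot fire on
  // base64 that happens to contain "sk-" or "AIza".
  const masked = text.replace(JWT_RE, (token, offset) => {
    const claims = decodeJwtClaims(token);
    if (claims && claims.iss === "supabase") {
      const admin = claims.role === "service_role";
      findings.push({
        id: admin ? "supabase_service_role_key" : "supabase_anon_key",
        severity: admin ? "critical" : "info", // the anon key is meant for the browser
        source, offset, value: redact(token),
      });
    }
    return " ".repeat(token.length); // same length keeps later offsets stable
  });
  for (const { id, severity, re } of PATTERNS) {
    for (const m of masked.matchAll(re)) {
      findings.push({ id, severity, source, offset: m.index, value: redact(m[0]) });
    }
  }
  const rank = { critical: 0, high: 1, medium: 2, info: 3 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.offset - b.offset);
}

// Constructed sample: what a leaked Next.js chunk looks like after minification.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
function fakeSupabaseJwt(role) {
  const header = b64url({ alg: "HS256", typ: "JWT" });
  const payload = b64url({ iss: "supabase", ref: "xyzcompany", role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.FAKESIGNATURE`; // signature is junk; the scanner never verifies it
}
const SAMPLE_BUNDLE = [
  "(self.webpackChunk=self.webpackChunk||[]).push([[123],{1:function(e,t,n){",
  'var u="https://xyzcompany.supabase.co";',
  `var svc="${fakeSupabaseJwt("service_role")}";`,                                  // mistake 04
  `var anon="${fakeSupabaseJwt("anon")}";`,                                          // fine in a browser
  `fetch("https://api.openai.com/v1/chat/completions",{headers:{Authorization:"Bearer sk-proj-${"B".repeat(32)}"}});`, // mistakes 02/05
  `var s=new Stripe("sk_live_51${"X".repeat(24)}");`,                               // mistake 06
  `var p="pk_live_51${"Y".repeat(24)}";`,                                            // publishable key, not a finding
  `var g=new GoogleGenerativeAI("AIzaSy${"F".repeat(33)}");`,                       // mistake 06
  "}}]);",
].join("\n");
```

Run it with node and call scanBundle(SAMPLE_BUNDLE); a real scan feeds it the text of each _next/static/chunks/*.js file plus the page HTML. Prefix regexes are heuristics (a CSS class name can start with sk-), so treat hits as candidates to verify in your own dashboard and rotate, and never "validate" a hit by spending someone else's key.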

From our last 1,000 scans of vibe-coded apps

  • 78%  Missing Content-Security-Policy
  • 61%  Source maps publicly exposed
  • 23%  API keys found in JS bundles
  • 11%  .env file returns 200

Most founders had no idea until they scanned.

19 checks across 9 categories

Most scanners only check HTTP headers. We go deeper, fetching your actual JS bundles to find secrets hiding in client-side code, the #1 place vibe-coded apps leak keys.

Only tool that scans your JS bundles, not just headers
  • HTTPS & Encryption (4 checks): HTTPS, redirects, HSTS, mixed content detection
  • Security Headers (6 checks): CSP, X-Frame-Options, XCTO, Referrer-Policy, SRI checks
  • API Key Leaks (17 checks): Stripe, Gemini, OpenAI, Anthropic, Razorpay, AWS, Supabase service keys, scanned in HTML and JS bundles
  • Exposed Files (4 checks): .env, .git, backup.sql, package.json publicly accessible
  • Admin & API Endpoints (2 checks): /admin, /wp-admin, /phpmyadmin, GraphQL introspection, Swagger docs
  • Source Code Leaks (1 check): source maps (.js.map) + JS bundle contents scanned; your full codebase readable by anyone with DevTools
  • Debug Mode & Stack Traces (2 checks): console.log left in production, error stack traces, dev mode indicators
  • CORS & Cookies (2 checks): wildcard CORS, missing Secure/HttpOnly/SameSite cookie flags
  • Server Info Disclosure (2 checks): Server version, X-Powered-By exposing tech stack to attackers
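A probe for the "Exposed Files" and "Source Code Leaks" checks above, as an added example (this editor's code, not AIExposureTool's): it fetches a handful of paths and classifies each body instead of trusting the status code, because many SPA and Next.js hosts answer 200 with index.html for every unknown path, which is exactly how a naive ".env returns 200" check produces false positives. It also reads the bundle's own sourceMappingURL comment rather than guessing /main.js.map. The paths, the content signatures, and the fake site it runs against are constructed assumptions.

```javascript
// Added example (not AIExposureTool's code): probe paths that should never be
// served, and classify the *content* rather than trusting a 200 status.
// Paths, signatures, and the fake site below are this editor's assumptions.
const PROBES = [
  { path: "/.env",
    looksLike: (b) => !/<html/i.test(b) && /^[A-Z_][A-Z0-9_]*=.+$/m.test(b) },
  { path: "/.git/HEAD",
    looksLike: (b) => /^ref: refs\//.test(b) || /^[0-9a-f]{40}\s*$/.test(b) },
  { path: "/main.js.map",
    looksLike: (b) => { try { const m = JSON.parse(b); return m.version === 3 && Array.isArray(m.sources); } catch { return false; } } },
  { path: "/package.json",
    looksLike: (b) => { try { const p = JSON.parse(b); return typeof p.name === "string" && (!!p.dependencies || !!p.devDependencies); } catch { return false; } } },
];

// Source maps are rarely at a guessed path: the bundle names its own map.
function sourceMapUrlsFrom(bundleText) {
  return [...bundleText.matchAll(/\/\/[#@]\s*sourceMappingURL=(\S+)/g)].map((m) => m[1]);
}

async function probeExposedFiles(baseUrl, fetchImpl = fetch) {
  const results = [];
  for (const { path, looksLike } of PROBES) {
    const res = await fetchImpl(new URL(path, baseUrl).toString(), {
      method: "GET",
      redirect: "manual", // a 301 to a login page is not an exposed file
      headers: { "user-agent": "exposure-probe/0.1 (added example)" },
    });
    // Read at most 64 KiB: enough to classify, small enough not to slurp a whole dump.
    const body = res.status === 200 ? (await res.text()).slice(0, 64 * 1024) : "";
    results.push({ path, status: res.status, exposed: res.status === 200 && looksLike(body) });
  }
  return results;
}

// Constructed fake site: a Next.js-style host that answers index.html with a
// 200 for unknown paths, but genuinely serves its .env and package.json.
const FAKE_SITE = {
  "/.env": { status: 200, body: "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\nOPENAI_API_KEY=sk-proj-FAKEFAKEFAKEFAKEFAKEFAKE\n" },
  "/package.json": { status: 200, body: JSON.stringify({ name: "vibe-app", dependencies: { next: "14.2.0", openai: "4.52.0" } }) },
};
const SPA_INDEX = '<!DOCTYPE html><html><head><title>vibe-app</title></head><body><div id="__next"></div></body></html>';
async function fakeFetch(url) {
  const { pathname } = new URL(url);
  const hit = FAKE_SITE[pathname] ?? { status: 200, body: SPA_INDEX }; // SPA fallback: 200 for everything
  return new Response(hit.body, { status: hit.status });
}
```

Against the fake site, /.env and /package.json come back exposed while /.git/HEAD and /main.js.map, which both return the SPA's 200 index page, are correctly reported as not exposed. Four GETs of well-known paths are read-only and passive; a found .env still means the secrets in it must be rotated, because anyone else could already have fetched it.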

Your site gets a security grade

Scored 0–100, graded A–F. Know exactly where you stand.

  A  Excellent  90–100
  B  Good       75–89
  C  Fair       60–74
  D  Poor       40–59
  F  Critical   0–39

Most vibe-coded apps score between C and F on their first scan.

Personalized fix prompt

One prompt. Every bug fixed. Built only for your site.

After scanning, we generate a fix prompt written specifically for your domain, your stack, and your exact vulnerabilities, not a generic checklist. Paste it into any AI and watch every security issue get resolved in minutes.

security-fix-prompt.txt

# Security Fix Prompt for yoursite.com
# Generated by AIExposureTool · 3/15/2026

Fix these security issues found on my site:

1. [CRITICAL] .env file is publicly accessible at /.env. Rotate every secret in it, then move them to server env vars.
2. [HIGH] Source map exposed at /main.js.map. Disable in build.
3. [MEDIUM] Missing CSP header. Add Content-Security-Policy...

Specific to your domain & stack

Every prompt includes your actual URL, your real findings, and actionable steps โ€” not copy-paste boilerplate.

Sorted by severity

Critical issues first. The prompt tells your AI exactly what to fix and in what order so nothing gets missed.

Works with any AI coding tool

Paste into Claude, Cursor, ChatGPT, or Gemini. The prompt is formatted for immediate action โ€” no editing needed.

One scan → zero open findings

Most founders fix every issue in under 30 minutes by following what the prompt says.

How it works

1. Paste your URL: enter your live site, no install, no signup needed
2. We scan passively: headers, files, source code; read-only, nothing intrusive
3. Get fix prompts: copy into Claude, Cursor, ChatGPT or Gemini to fix every issue

Is your site safe right now?

Most founders are surprised by what we find. Run your free scan โ€” takes 10 seconds, no account needed.


Free for first scan · Upgrade to re-scan anytime

AIExposureTool: AI Exposure Audit + Security Scanner