Your Stripe key might be in your JS bundle right now.
Founders are getting billed $250k because a Gemini key leaked into their JS bundle. Supabase service role keys bypassing RLS. .env files served publicly. We scan your HTML and JS bundles for 17 secret patterns — then give you a one-click fix prompt for Claude, Cursor, ChatGPT, or Gemini.
Bots scan GitHub, JS bundles, and public sites 24/7. From key discovered to damage done — under 60 seconds.
Real attack timeline
These aren't hypothetical. They're the actual lines of code we find in vibe-coded apps every day.
Claude and Cursor often write NEXT_PUBLIC_ on env vars so they work in the browser. But NEXT_PUBLIC_ means the value is bundled into your JS and sent to every visitor.
// ❌ This goes into your JS bundle. Anyone can open DevTools and read it. NEXT_PUBLIC_OPENAI_API_KEY=sk-proj-... NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_... // ✅ No prefix = server-only. Call it from an /api/ route instead. OPENAI_API_KEY=sk-proj-...
AI tools generate client-side fetch() calls to OpenAI, Gemini, or Anthropic to make things work quickly. Your secret key ships inside the JS bundle to every browser.
// ❌ This component renders in the browser. sk-... is visible in the bundle.
const res = await fetch("https://api.openai.com/v1/chat/completions", {
headers: { Authorization: `Bearer ${process.env.NEXT_PUBLIC_OPENAI_KEY}` }
});
// ✅ Make the call in /app/api/chat/route.ts — key never leaves the server.You start a private repo, commit .env early, then open-source the project or the repo accidentally becomes public. The key is in git history forever — even after you delete the file.
# ❌ .env was committed on day 1. It's in git history permanently. git log --all -p | grep "sk_live_" # attackers run this first # ✅ Add .env to .gitignore BEFORE your first commit. # If it was already committed: rotate all keys, then use BFG to rewrite history.
Cursor often copies the Supabase service role key into client code to skip Row Level Security errors during development. That key gives anyone admin-level database access — bypassing all your RLS policies.
// ❌ service_role key bypasses ALL Row Level Security. Never use in browser. const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY) // ✅ Use the anon key in the browser. Use service_role only in server routes. const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)
When you import the Stripe or OpenAI Node SDK inside a React component (not a server route), Next.js bundles the entire SDK and your secret key into the JS file sent to every visitor. Anyone can open Network tab → find the chunk → search for 'sk_'.
// ❌ This is a client component. The whole OpenAI SDK ships to the browser.
import OpenAI from "openai" // ← Node SDK, not meant for browsers
const client = new OpenAI({ apiKey: process.env.NEXT_PUBLIC_OPENAI_KEY })
// Your sk-proj-... is now in _next/static/chunks/app/page-[hash].js
// Any visitor: DevTools → Sources → search "sk-" → found.
// ✅ Move to /app/api/generate/route.ts (server-only)
// import OpenAI only there. Client calls fetch("/api/generate") instead.When prototyping fast, founders paste keys directly into code to skip the .env setup. It ships to production, gets committed to git, and 'later' never comes. This is how $250k Gemini bills happen.
// ❌ Hardcoded to 'test quickly' — shipped to prod, committed to git.
const genAI = new GoogleGenerativeAI("AIzaSy...")
const stripe = new Stripe("sk_live_51...")
// Now it's in: git history, your JS bundle, and GitHub's public search index.
// GitHub's search finds exposed keys in seconds. So do bots.
// ✅ Always start with .env, even on day 1 of prototyping.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY!)From our last 1,000 scans of vibe-coded apps
Missing Content-Security-Policy
Source maps publicly exposed
API keys found in JS bundles
.env file returns 200
Most founders had no idea until they scanned.
Most scanners only check HTTP headers. We go deeper — fetching your actual JS bundles to find secrets hiding in client-side code, the #1 place vibe-coded apps leak keys.
HTTPS, redirects, HSTS, mixed content detection
CSP, X-Frame-Options, XCTO, Referrer-Policy, SRI checks
Stripe, Gemini, OpenAI, Anthropic, Razorpay, AWS, Supabase service keys — scanned in HTML and JS bundles
.env, .git, backup.sql, package.json publicly accessible
/admin, /wp-admin, /phpmyadmin, GraphQL introspection, Swagger docs
Source maps (.js.map) + JS bundle contents scanned — your full codebase readable by anyone with DevTools
Console.log left in production, error stack traces, dev mode indicators
Wildcard CORS, missing Secure/HttpOnly/SameSite cookie flags
Server version, X-Powered-By exposing tech stack to attackers
Scored 0–100, graded A–F. Know exactly where you stand.
Most vibe-coded apps score between C and F on their first scan.
After scanning, we generate a fix prompt written specifically for your domain, your stack, and your exact vulnerabilities — not a generic checklist. Paste it into any AI and watch every security issue get resolved in minutes.
# Security Fix Prompt for yoursite.com
# Generated by AIExposureTool
Fix these security issues found on my site:
1. [CRITICAL] .env file is publicly
accessible at /.env — move all
secrets to server env vars.
2. [HIGH] Source map exposed at
/main.js.map — disable in build.
3. [MEDIUM] Missing CSP header —
add Content-Security-Policy...
Specific to your domain & stack
Every prompt includes your actual URL, your real findings, and actionable steps — not copy-paste boilerplate.
Sorted by severity
Critical issues first. The prompt tells your AI exactly what to fix and in what order so nothing gets missed.
Works with any AI coding tool
Paste into Claude, Cursor, ChatGPT, or Gemini. The prompt is formatted for immediate action — no editing needed.
One scan → zero vulnerabilities
Most founders fix every issue in under 30 minutes by just following what the prompt says.
Enter your live site — no install, free to start with Google sign-in
Headers, files, source code — read-only, nothing intrusive
Copy into Claude, Cursor, ChatGPT or Gemini to fix every issue instantly
Loved by founders & developers
1,000+ websites scanned · 500+ founders and developers use AIExposureTool to ship secure, AI-visible products
1,000+
websites scanned
500+
founders & developers
19
security checks
$0
to get started
“Found a leaked Supabase service role key in my JS bundle within seconds. Would have been a disaster in production.”
Alex R.
SaaS founder
“Caught a NEXT_PUBLIC_ Stripe secret key that Cursor had added. The fix prompt patched it in one paste. Incredible tool.”
Priya S.
Indie developer
“Scanned before launch and found my .env was publicly accessible. Fixed in 5 minutes. This should be mandatory for every vibe-coder.”
Marcus T.
Vibe-coder & founder
Pricing
The free scan shows where you are missing. Paid plans add monitored prompts, competitor and source intelligence, recurring scans, and the proof loop that tells you whether a fix actually changed the answer.
See what's broken. Unlock the full report for $9 one-time.
billed as $288/year
🎉 Save $60/yrReal daily monitoring across 7 AI platforms with competitor tracking and alerts.
billed as $792/year
🎉 Save $156/yrFor teams that need industry benchmarks, trend forecasting, and team workflows.
billed as $1,992/year
🎉 Save $396/yrFor agencies managing multiple clients with branded delivery and portfolio views.
Secure checkout via Dodo Payments · Cancel anytime · No hidden fees
Run a free AI Exposure Audit to see if ChatGPT, Claude, and Perplexity can actually recommend your product. Get your AI Exposure Score (0-100), auto-generated llms.txt, JSON-LD structured data, and copy-paste fix prompts.
Run free AI visibility audit25+
AI visibility signals audited
3x
more AI citations with llms.txt
30s
to get your AI Exposure Score
Most founders are surprised by what we find.
Free for first scan · Upgrade to re-scan anytime