API Keys Leaked in Frontend Code

How attackers find and exploit it

• Enumerate the target's web properties and download every JavaScript asset referenced by the pages, including chunked and lazily loaded bundles, vendor files, and any .js.map source maps still served in production.
• Run high-entropy and pattern-based secret scanners (regex for sk_live_, AKIA AWS prefixes, AIza Google keys, ghp_ tokens, JWTs, and connection-string shapes) across the downloaded bundles and beautified source maps to surface candidate credentials.
• Beautify and de-minify the code, or reconstruct original source from leaked source maps, to recover variable names, internal API endpoints, and comments that reveal which service each key authenticates to.
• Validate each candidate live by calling the corresponding provider's lowest-privilege endpoint (for example a balance, account, or whoami call) to confirm the key is active and to fingerprint its scope without triggering obvious alarms.
• Pivot from a confirmed secret key to its full blast radius: exfiltrate customer or PII records, issue fraudulent transactions or refunds, provision cloud resources for cryptomining, or abuse a paid AI/API quota until the bill or the data loss is noticed.
• Automate the whole pipeline against many targets and re-scan periodically, since redeploys frequently reintroduce a rotated-but-re-leaked key or expose a new one.

How to detect it on your surface

• Inventory every public-facing web app and single-page application, then crawl each one to collect the full set of JavaScript bundles, dynamically imported chunks, and any source map files served alongside them.
• Scan those collected assets with a secrets detector that combines provider-specific patterns and entropy analysis, and treat any non-publishable key shape (sk_, AWS secret keys, private connection strings, bearer tokens) as a priority hit.
• Check whether .js.map source maps are reachable in production by requesting the .map URL referenced in each bundle's sourceMappingURL comment; recoverable source maps dramatically widen what an attacker can read.
• Audit your build configuration and environment-variable naming to confirm only intentionally public variables (NEXT_PUBLIC_, REACT_APP_ prefixed and reviewed) reach the client, and that nothing secret is being inlined at build time.
• Diff each new production deploy against the previous one for newly introduced credential-shaped strings, since regressions reintroduce secrets even after a clean-up.

Detection signals

• A string matching a known secret prefix in a served bundle, for example sk_live_ or sk_test_ (Stripe secret), AKIA followed by 16 uppercase alphanumerics (AWS access key id), AIza (Google API key), ghp_/github_pat_ (GitHub tokens), or xoxb-/xoxp- (Slack tokens).
• A reachable .js.map file (HTTP 200 on the URL named in a //# sourceMappingURL= comment) that reconstructs original module paths, comments, and inlined config.
• High-Shannon-entropy alphanumeric literals assigned to variables or object keys named secret, apikey, token, password, privateKey, or connectionString within minified code.
• Database or message-broker connection strings (postgres://, mongodb+srv://, amqps://) or full JWTs with decodable backend-scoped claims embedded in client assets.
• Provider validation success: the candidate key returns HTTP 200 from a benign account/identity endpoint rather than 401/403, confirming it is live.

Validate before you report

• Extract the exact candidate string with its surrounding context (file, variable name, nearby endpoint) so the finding identifies the specific service the key belongs to, not just a generic match.
• Classify the key as publishable or secret using the provider's own scheme (for example pk_ vs sk_ for Stripe, or whether a Firebase value is the intended public web config), so expected-public keys are not reported as criticals.
• Confirm the secret is live by issuing a single low-privilege, non-destructive call to the provider (account/whoami/balance read) and recording the authenticated response as evidence, without making any state-changing request.
• Determine effective scope and blast radius from the validation response or key metadata: is it a restricted/scoped key, or an unrestricted account-level secret that can read data and move money?
• Capture reproducible evidence: the source URL of the asset, the byte offset or line of the match, the masked key, the deploy/build timestamp, and the validation response, so the owner can act and revoke immediately.

What looks like this but isn't

• Confirm publishable/public-by-design keys are not flagged as secrets: a Stripe pk_ key, a Firebase web apiKey, a Mapbox public token, or a Sentry public DSN are intended to be in the client and constrained server-side, so they are not a leak on their own.
• Rule out test, placeholder, example, or expired credentials (sk_test_ values from docs, obvious dummy strings, or keys that return 401 on validation) which match a pattern but unlock nothing.
• Check that a high-entropy string is actually a credential and not a cache-busting hash, content-hashed filename, build id, integrity hash, or UUID that merely resembles a key.
• Verify the key has not already been rotated/revoked since the asset was cached; a stale CDN copy can surface a string the provider no longer honors.

Remediation

• Revoke and rotate the exposed secret immediately at the provider before doing anything else, and assume it has been harvested the moment it was reachable in a public bundle.
• Review provider audit logs for the exposure window to detect any unauthorized use, then contain and remediate downstream impact (block fraudulent charges, lock affected resources, notify stakeholders if data was accessed).
• Remove the secret from client code and move all backend calls that need it behind a server-side route, API gateway, or serverless function, so the browser never receives the credential.
• Store secrets only in a dedicated secrets manager (AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or HashiCorp Vault) and inject them at runtime on the server, per the OWASP Secrets Management Cheat Sheet, rather than in source or build-time client variables.
• Where a value genuinely must reach the client, replace the secret key with a publishable or restricted/scoped key that has only the minimum permissions needed (for example a Stripe restricted API key).
• Disable production source maps or restrict them to an authenticated error-monitoring upload (so they never serve publicly), and verify the deployed bundles no longer reference reachable .map files.
• Purge the secret from version-control history (it persists in old commits and forks even after a clean working tree) and from any CDN caches still serving the old asset.

Operational checklist

• Run automated secret scanning in pre-commit hooks and CI so credential-shaped strings are blocked before they reach a branch, not discovered after deploy.
• Enforce an environment-variable naming convention where only an explicit public prefix (NEXT_PUBLIC_, REACT_APP_) is allowed in the client, and fail the build if any other secret is inlined.
• Make production source maps non-public by default in your bundler config and add a deploy check that fails if a reachable .js.map is served.
• Adopt least-privilege, scoped, and short-lived keys with automated rotation for every external service, so any single leak has bounded impact and a short life.
• Continuously monitor your live external attack surface for newly exposed secrets after every deploy, since regressions reintroduce keys that earlier scans cleared.
• Maintain a documented, rehearsed key-revocation runbook so a confirmed leak is rotated in minutes, not the five-plus days that leaked secrets typically stay active.

Weakness references (CWE)

• CWE-798 — Use of Hard-coded Credentials
• CWE-540 — Inclusion of Sensitive Information in Source Code
• CWE-615 — Inclusion of Sensitive Information in Source Code Comments
• CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor