CRITICAL | CWE-798 | Secret Exposure
Exposed API Key in JS Bundle
Description
API keys, secrets, or tokens are hardcoded in client-side JavaScript and visible in the browser bundle via DevTools.
How Vezraa Detects It
We scan your JS bundles for regex patterns matching known key formats: sk-, OPENAI_, RAZORPAY_, STRIPE_, etc.
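To make the detection step concrete, here is an added example (not Vezraa's own scanner code) that runs key-format regexes over a bundle excerpt; the pattern names, the `pk_` publishable-key distinction, and the sample bundle are constructed for illustration.

```javascript
// Added example, not Vezraa's scanner: a small bundle scan in the spirit of the
// regex detection described above. Pattern names and the sample bundle are
// constructed for illustration.
const SECRET_PATTERNS = [
  // OpenAI-style secret keys: "sk-" (optionally "sk-proj-") followed by a long token.
  { name: 'openai_key', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  // Stripe secret keys use "sk_live_"/"sk_test_"; "pk_" publishable keys are public by design.
  { name: 'stripe_secret', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  // Env-style names with the prefixes listed above; a secret-bearing name surviving in a
  // client bundle means server-only configuration was referenced from client code.
  { name: 'env_secret_name', re: /\b(?:OPENAI|RAZORPAY|STRIPE)_[A-Z0-9_]*(?:KEY|SECRET|TOKEN)\b/g },
];

// Show only a short prefix so the finding itself does not leak the secret.
function redact(value) {
  return value.slice(0, 8) + '...' + '*'.repeat(Math.max(0, value.length - 8));
}

// Scan one bundle's text; each finding carries the offset so a reviewer can locate it.
function findExposedSecrets(bundleText) {
  const hits = [];
  for (const { name, re } of SECRET_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(bundleText)) !== null) {
      hits.push({ pattern: name, offset: m.index, preview: redact(m[0]) });
    }
  }
  return hits;
}

// Constructed minified-bundle excerpt: one real leak, one publishable key (fine),
// one proxied call, and one server-only env name that should never appear client-side.
const SAMPLE_BUNDLE = [
  'const e=new OpenAI({apiKey:"sk-proj-abcdefghijklmnopqrstuvwxyz0123"});',
  'const s=Stripe("pk_test_51AbCdEfGhIjKlMnOpQrStUv");',
  'fetch("/api/proxy/chat",{method:"POST"});',
  'const k=process.env.STRIPE_SECRET_KEY;',
].join('\n');

for (const hit of findExposedSecrets(SAMPLE_BUNDLE)) {
  console.log(`${hit.pattern} at offset ${hit.offset}: ${hit.preview}`);
}
```

Run this over each file in your build output directory rather than over source, since build-time inlining of environment variables is what usually puts the literal key into the bundle.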
Real-World Impact
Attackers steal your OpenAI, Stripe, or Razorpay keys and rack up thousands in charges within minutes.
Fix Example
// BAD — exposed in bundle: anything passed to the browser ships in the JS and is readable in DevTools
const openai = new OpenAI({ apiKey: 'sk-proj-...' });

// GOOD — proxy through backend: the key lives only in server-side config, and the
// proxy route must itself authenticate and rate-limit callers so the cost exposure
// does not simply move server-side
const res = await fetch('/api/proxy/chat', { ... });

Affected Stacks
Next.js, React, Vue, Angular, all SPAs