Question 1

How do I know if my API keys are leaked?

Accepted Answer

Paste your app URL into Leak Radar. It scans your page source for exposed Supabase service role keys, OpenAI keys, Stripe secret keys, AWS credentials, and Firebase service account keys — the same way an attacker would find them.

Question 2

Is it safe to have API keys in client-side JavaScript?

Accepted Answer

Public keys like Supabase anon keys are designed to be in the browser — they rely on Row Level Security for protection. But secret keys (service role keys, Stripe secret keys, OpenAI keys) should never appear in client-side code. If they do, anyone can use them.

Question 3

Can someone see my source code through source maps?

Accepted Answer

Yes. If your production build includes .js.map files, anyone can download your original source code — including comments, internal logic, and potentially hardcoded secrets. Most frameworks generate source maps by default. Leak Radar checks if yours are publicly accessible.

Question 4

Is my .env file publicly accessible?

Accepted Answer

It shouldn't be, but misconfigured servers sometimes serve .env files directly. Leak Radar checks if /.env and /.env.local are accessible on your domain. If they are, your database credentials, API keys, and other secrets are exposed to anyone.

Question 5

What happens if my Supabase service role key is exposed?

Accepted Answer

The service role key bypasses all Row Level Security policies. Anyone with it can read, write, and delete any data in your database. Rotate it immediately in the Supabase dashboard and move it to a server-side environment variable.

Question 6

What should I do if Leak Radar finds exposed secrets?

Accepted Answer

First, rotate the exposed key immediately in your provider's dashboard (Supabase, Stripe, OpenAI, etc). Then move the key server-side — use environment variables and API routes so the key never reaches the browser. Assume the old key is compromised.

Question 7

Is this safe to run on my own app?

Accepted Answer

Yes. Leak Radar only makes read-only HTTP requests — the same requests any visitor's browser makes. It doesn't modify anything, create accounts, or store your data.

Question 8

What's the difference between Leak Radar and a full security scan?

Accepted Answer

Leak Radar checks what's visible from the outside — exposed keys, files, and headers. A full LaunchGuard scan goes deeper: it crawls every endpoint, tests database access controls, checks for unprotected APIs, and gives you fix prompts.

What can strangers see about your app?

How it works

Paste your URL

We scan like a stranger

See what's exposed

What Leak Radar checks

Exposed API Keys

Sensitive Files

Admin Panels

Security Headers & Source Maps

Frequently asked questions

How do I know if my API keys are leaked?

Is it safe to have API keys in client-side JavaScript?

Can someone see my source code through source maps?

Is my .env file publicly accessible?

What happens if my Supabase service role key is exposed?

What should I do if Leak Radar finds exposed secrets?

Is this safe to run on my own app?

What's the difference between Leak Radar and a full security scan?

What can strangers see about your app?

How it works

Paste your URL

We scan like a stranger

See what's exposed

What Leak Radar checks

Exposed API Keys

Sensitive Files

Admin Panels

Security Headers & Source Maps

Frequently asked questions

How do I know if my API keys are leaked?

Is it safe to have API keys in client-side JavaScript?

Can someone see my source code through source maps?

Is my .env file publicly accessible?

What happens if my Supabase service role key is exposed?

What should I do if Leak Radar finds exposed secrets?

Is this safe to run on my own app?

What's the difference between Leak Radar and a full security scan?