Security · Critical
Exposed API Keys: The #1 Security Mistake in Vibe-Coded Apps
API keys, tokens, and secrets exposed in client-side JavaScript can be extracted by anyone viewing your page source.
Why This Matters
An exposed key can lead to unauthorized API usage, data breaches, financial loss from abused paid API keys, and complete account compromise.
How to Fix
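Move API keys to server-side environment variables. Never prefix secrets with NEXT_PUBLIC_, because Next.js inlines those variables into the client-side bundle. Use API routes as a proxy, so the browser calls your server and only the server calls the third-party API with the key.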
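One way to implement this fix, as an added example that is not part of the original page: a Next.js-style API route that keeps the key on the server, plus a heuristic check for secret-looking NEXT_PUBLIC_ variable names. The upstream URL, the UPSTREAM_API_KEY variable, the prompt/text fields, and both function names are assumptions made for illustration.

```javascript
// Added example. UPSTREAM_URL, UPSTREAM_API_KEY and the prompt/text fields are
// assumed names for illustration, not taken from the page.
const UPSTREAM_URL = "https://api.example.com/v1/complete"; // placeholder upstream

// Heuristic check for CI or build scripts: flag NEXT_PUBLIC_ variables whose
// names look like secrets. Review each hit; some public keys are intentional.
function findPublicSecrets(env) {
  const secretish = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)/i;
  return Object.keys(env)
    .filter((name) => name.startsWith("NEXT_PUBLIC_") && secretish.test(name))
    .sort();
}

// Factory so the route can be exercised offline with a stub fetch and env.
function makeProxyHandler({ env = process.env, fetchImpl = globalThis.fetch } = {}) {
  return async function handler(req, res) {
    if (req.method !== "POST") {
      return res.status(405).json({ error: "method not allowed" });
    }
    const key = env.UPSTREAM_API_KEY; // server-only: no NEXT_PUBLIC_ prefix
    if (!key) {
      // Fail closed without revealing which variable is missing.
      return res.status(500).json({ error: "server misconfigured" });
    }
    const prompt = req.body && req.body.prompt;
    if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 2000) {
      return res.status(400).json({ error: "invalid prompt" });
    }
    // Forward only the validated field; the browser never sets upstream headers.
    const upstream = await fetchImpl(UPSTREAM_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${key}` },
      body: JSON.stringify({ prompt }),
    });
    if (!upstream.ok) {
      // Do not relay upstream error bodies; they can echo request details.
      return res.status(502).json({ error: "upstream request failed" });
    }
    const data = await upstream.json();
    // Return one allowlisted field rather than the raw upstream response.
    return res.status(200).json({ text: String(data.text ?? "") });
  };
}

// In a Next.js project, pages/api/complete.js would end with:
//   export default makeProxyHandler();
```

The client then calls the route on its own origin with a JSON body, and the key exists only in the server process environment.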