Live-site exposure scanner

Is your deployed site leaking secrets?

Vibe-coded and rushed deploys constantly ship .env files, .git folders, source maps, and hardcoded API keys straight to production — where anyone with a browser can grab them. Point ExposureCheck at your live URL and find out before someone else does.

Scan a live URL

Only scan sites you own or are authorized to test. ExposureCheck only fetches paths a public visitor could already reach — it's a defensive self-check, not an attack tool.

Runs in your browser. We don't store your URL or results. No signup.

What we check

The leaks visitors can already see

ExposureCheck probes the paths attackers hit first and reads what your bundle actually ships to the browser — the exposures that turn a quick deploy into an incident.

  • Exposed .env & config

    Publicly reachable .env, .env.production, and config files served by mistake.

  • Public .git folder

    A reachable /.git/ lets anyone reconstruct your entire source history.

  • Source maps

    Shipped .map files that hand your original, unminified source to the world.

  • Hardcoded API keys

    Live tokens baked into your client bundle — AWS, Stripe, OpenAI, Google & more.

  • Leaked internal endpoints

    Admin, staging, and internal URLs left visible in your front-end code.

  • Security headers

    A best-effort check for missing baseline response headers on your site.

How it works

Three steps, your own site

  1. Enter your URL

    Drop in the live address of a site you own or are authorized to test — or paste your built HTML/JS to skip the fetch entirely.

  2. Public paths checked

    We fetch only what a normal visitor could already reach and scan the bundle for keys, source maps, and exposed config — all in your browser.

  3. Masked findings + how to fix

    Every exposure is shown by severity with the value masked and concrete remediation, so you can lock it down fast.
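As an added illustration of the paste-mode path described in steps 2 and 3 (example code, not ExposureCheck's own implementation): a small browser-side scanner that runs detectors modelled on the "What we check" categories over pasted HTML/JS, masks any secret value, attaches a fix hint, and reports which baseline response headers are absent. The detector patterns, header list and sample bundle are assumptions constructed for this example.

```javascript
// Detector table: each entry is an assumption modelled on the categories listed above.
const DETECTORS = [
  { id: 'stripe-live-key', severity: 'critical', secret: true,
    re: /\bsk_live_[0-9A-Za-z]{24,}\b/g,
    fix: 'Roll the key in the Stripe dashboard; secret keys belong on the server only.' },
  { id: 'aws-access-key', severity: 'critical', secret: true,
    re: /\bAKIA[0-9A-Z]{16}\b/g,
    fix: 'Rotate the key in IAM and move the call behind a server-side endpoint.' },
  { id: 'source-map', severity: 'medium', secret: false,
    re: /\/\/[#@]\s*sourceMappingURL=(\S+)/g,
    fix: 'Turn off source-map emission for production builds or stop uploading .map files.' },
  { id: 'internal-endpoint', severity: 'low', secret: false,
    re: /https?:\/\/[^\s"'`]*(?:staging|internal|admin)[^\s"'`]*/gi,
    fix: 'Remove staging/admin URLs from client code or require auth on them.' },
];

// Baseline response headers treated as "security headers" here (assumed set).
const BASELINE_HEADERS = ['content-security-policy', 'strict-transport-security',
  'x-content-type-options', 'x-frame-options', 'referrer-policy'];

// Keep 4 characters at each end so the owner can recognise the value without exposing it.
function mask(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 8) + value.slice(-4);
}

// Paste-mode scan: run every detector over the pasted HTML/JS, mask secret values.
function scanBundle(text) {
  const findings = [];
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      const raw = m[1] !== undefined ? m[1] : m[0];
      findings.push({ id: d.id, severity: d.severity, value: d.secret ? mask(raw) : raw, fix: d.fix });
    }
  }
  return findings;
}

// Header check: list baseline headers absent from a response-header object (case-insensitive).
function missingHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return BASELINE_HEADERS.filter((h) => !present.has(h));
}

// Constructed sample of what a rushed deploy might ship to the browser (not a real site or key).
const SAMPLE_BUNDLE = `<script>
  const stripe = Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE000");
  const s3 = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
  fetch("https://staging.example.com/api/admin/users");
</script>
//# sourceMappingURL=app.js.map`;
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'X-Content-Type-Options': 'nosniff' };

console.log(scanBundle(SAMPLE_BUNDLE), missingHeaders(SAMPLE_HEADERS));
```

Running it on the sample prints four findings (two critical keys with masked values, the source map reference and the staging URL) and four missing headers.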

The ship-safety suite

Three checks before you ship

ExposureCheck is part of Copper Bay Labs' ship-safety suite for vibe-coded and indie apps. Run all three before you go live.

  • LeakCheck

    Did you leak a secret in your source code? Paste code, .env, or config and catch hardcoded keys before you commit.

    Scan your source code →

  • ExposureCheck (you're here)

    Is your live site leaking? Probe the deployed URL for exposed .env, public .git, source maps, and bundled keys.

  • ShipSafe

    Will you get sued? Check your site for ADA accessibility and privacy-policy risk before customers (or lawyers) arrive.

    Check ADA & privacy risk →

FAQ

Questions, answered

Is this an attack tool?

No. ExposureCheck is a defensive self-check for your own site. It only requests paths a public visitor could already reach — the same .env, .git, source-map, and bundle URLs a browser or crawler would hit. It never probes for vulnerabilities, never brute-forces, and never touches anything that isn't already publicly served. Only scan sites you own or are explicitly authorized to test.

How does it scan another domain from my browser?

Browsers block one site from fetching another (the same-origin policy), so for URL mode ExposureCheck routes its requests through a public CORS proxy that fetches the page and passes the bytes back to your tab for local scanning. That proxy is a third party that can see the URL it fetches, and it can't reach pages behind a login or a private network. If a fetch fails or you'd rather not use a proxy, use paste mode — drop in your built HTML/JS and everything stays in your browser with no network call at all.

Do you store anything?

No. Nothing is persisted. Your URL, the fetched content, and the results live only in this tab's memory and disappear the moment you close or reload the page. There's no database, no analytics on your content, and no signup. (In URL mode the public CORS proxy briefly handles your URL to fetch it — see the question above.)

It couldn't fetch my site — why?

URL mode depends on a public CORS proxy, which has limits: it can be rate-limited or down, it can't reach pages behind authentication or on a private network, and some hosts block proxy traffic. When that happens, switch to paste mode — open your deployed page, view source or grab your built bundle, and paste the HTML/JS in. The same detectors run locally with no fetch required.

A secret showed up — what now?

Rotate it immediately in the provider's dashboard so the exposed value stops working. Then remove it from the deploy: pull the literal out of your built output, move it to an environment variable or secret manager, and make sure the file (.env, config, source maps) is in your .gitignore and excluded from your production build. Finally, scrub it from git history with git filter-repo or BFG and force-push — anything that has been public should be treated as already harvested.

Know the moment your site starts leaking

ExposureCheck Pro will re-scan your live site on a schedule and alert you the moment an exposed file, secret, or source map appears — be first to know when it lands.

Join the Pro waitlist

Or have Copper Bay fix it for you