How to Check If My Secrets Are Leaked

Check if your secrets are leaked by searching your git history for .env files, reviewing your frontend bundle for hardcoded keys, and checking GitHub's secret scanning alerts. If you find any exposed keys, rotate them immediately — do not just delete the code, because git history preserves old commits.

Why this matters

Leaked secrets are one of the most common causes of security incidents for independent builders. AI coding tools sometimes hardcode keys or place them in client-side files, where anyone who opens the browser's developer tools can read them.

What's at stake

A leaked API key can be used within minutes. Automated bots scan GitHub for exposed keys and exploit them to mine cryptocurrency, send spam, or rack up API charges. One leaked OpenAI key can generate thousands of dollars in charges overnight.

Step by step.

1. Search your git history for .env files

Run: git log --all --diff-filter=A --name-only --format=%H -- '*.env' '*.env.*' — this lists every commit, on any branch, that added a file named .env, .env.local, .env.production and so on. If anything comes back, that file's contents (including the secrets) are in your git history even if you deleted it in a later commit; git log --all -p -- .env shows exactly what was committed. A hit on .env.example is normal as long as it only holds placeholders.

2. Check your deployed frontend bundle

Open your deployed app in a browser, open DevTools (F12), go to Sources, and search across all loaded files (Ctrl+Shift+F, or Cmd+Option+F on macOS) for your API key values or their prefixes (sk-, AKIA, ghp_). Search for the value, not the variable name: production bundles are minified and the name is usually gone. If a key appears in the JavaScript bundle, it is exposed to every visitor. The Network tab is a second check: any request from the browser straight to a third-party API with an Authorization header is carrying a key the visitor can copy.

3. Review GitHub secret scanning alerts

If your repo is on GitHub, open the repository's Security tab and choose Secret scanning alerts (for a private repository, secret scanning first has to be turned on under Settings > Code security). GitHub matches commits against known key patterns from its partner providers and raises an alert when one lands in the repo. It does not recognise custom or home-grown token formats, so an empty alert list is not proof that nothing leaked. Turning on push protection in the same settings page blocks a push that contains a recognised key before it reaches GitHub at all.

4. Check your AI tool's chat history

If you pasted API keys directly into Lovable, Bolt, or Cursor chat, those keys may be stored in the chat history. Lovable warns about this, but other tools may not.

5. Rotate any exposed secrets

For every exposed key: go to the provider's dashboard, generate a new key, revoke the old one, store the new key in your platform's secrets manager, and redeploy. Deleting the code is not enough, and neither is rewriting git history with a tool such as git filter-repo: clones, forks, CI caches and scanner archives keep the old commits, so rotate the key itself. While you are in the provider's dashboard, check its usage or audit log for activity you do not recognise since the key was exposed.
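The following is an added example, not code from this page or from BWORLDS, that automates steps 1 and 2 above. The first part parses the output of the git log command from step 1 and reports every .env-style file ever added, on any branch, with the commits that added it. The second part runs key-format regexes for a handful of providers over text and reports redacted hits, which is the same search you would do by hand in DevTools, applied to the built bundle on disk instead. The pattern set, the function names, and the sample git log and bundle excerpt are all constructed for this example; the commit hashes and keys are not real (the AWS values are the placeholder pair from AWS's own documentation).

```python
"""Added example: a minimal leaked-secret scanner for steps 1 and 2.

Part 1 parses `git log` output to find every commit that added a .env-style
file.  Part 2 runs provider key-format regexes over text (a built JS bundle,
a chat export, anything) and reports redacted hits.  Sample inputs below are
constructed for this example; the hashes and keys are not real.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path

# Key formats published by the providers. GitHub's scanner covers far more;
# this is a starting set (an assumption of this example), not an exhaustive one.
SECRET_PATTERNS = {
    "openai": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_secret": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Matches .env, .env.local, config/.env.production; not .envrc or env.py.
# .env.example will match too: confirm it holds placeholders and move on.
ENV_FILE_RE = re.compile(r"(^|/)\.env(\.[^/]+)?$")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def env_files_in_history(log_output: str) -> dict[str, list[str]]:
    """Parse `git log --all --diff-filter=A --name-only --format=%H` output.

    A line that is a 40-hex hash starts a new commit; every other non-empty
    line is a path that commit added.  Returns {path: [commits]} for every
    .env-style path, so a non-empty result means secrets are in history.
    """
    found: dict[str, list[str]] = {}
    commit = None
    for raw in log_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if COMMIT_RE.match(line):
            commit = line
        elif commit and ENV_FILE_RE.search(line):
            found.setdefault(line, []).append(commit)
    return found


def git_history_check(repo: str = ".") -> dict[str, list[str]]:
    """Step 1 against a real repository (needs git on PATH)."""
    cmd = ["git", "-C", repo, "log", "--all", "--diff-filter=A",
           "--name-only", "--format=%H"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return env_files_in_history(out)


def redact(secret: str) -> str:
    """Never echo a full secret into logs or tickets; keep prefix and tail."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def find_secrets(text: str) -> list[tuple[str, int, str]]:
    """Return (pattern name, line number, redacted value) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((name, lineno, redact(m.group(0))))
    return hits


def scan_texts(files: dict[str, str]) -> list[tuple[str, str, int, str]]:
    """Scan a {path: contents} mapping; returns (path, pattern, line, redacted)."""
    return [(path, name, ln, red)
            for path, text in files.items()
            for name, ln, red in find_secrets(text)]


def scan_build_dir(root: str) -> list[tuple[str, str, int, str]]:
    """Step 2 without a browser: scan the built bundle (dist/, build/, .next/)."""
    wanted = {".js", ".mjs", ".map", ".html", ".json"}
    files = {str(p): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix in wanted}
    return scan_texts(files)


# --- Constructed sample inputs (not from a real repository or app) ---------
SAMPLE_GIT_LOG = """3f1c9b2e7d4a6c8e0f1b2d3c4e5f6a7b8c9d0e1f

.env
src/main.ts
9e8d7c6b5a4f3e2d1c0ba9b8c7d6e5f4a3b2c1d0

.env.production
README.md
"""

# Line 3 is a Stripe publishable key (pk_), which is meant to be public and
# must not be flagged.  Line 6's secretAccessKey has no fixed format, which is
# why scanners key on the access key id next to it and why you rotate both.
SAMPLE_BUNDLE = """// constructed excerpt of a minified frontend bundle
const BASE_URL="https://api.example.com";
const STRIPE_PK="pk_test_EXAMPLEpublishableKEY1234567890";
const OPENAI_KEY="sk-proj-EXAMPLEexampleEXAMPLE0123456789abcdef";
fetch(BASE_URL,{headers:{Authorization:"Bearer "+OPENAI_KEY}});
const aws={accessKeyId:"AKIAIOSFODNN7EXAMPLE",secretAccessKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};
"""

if __name__ == "__main__":
    print("committed .env files:", env_files_in_history(SAMPLE_GIT_LOG))
    for hit in scan_texts({"dist/assets/index.js": SAMPLE_BUNDLE}):
        print("secret in bundle:", hit)
```

Run it against your own project with git_history_check(".") and scan_build_dir("dist") after a production build. Treat every hit as a key to rotate, not as something to delete from the file: the point of the redacted output is that the finding can go into an issue tracker without leaking the key a second time.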

Detect leaked secrets before attackers find them

  • Automated secret scanning across your deployed app and codebase
  • Alerts when API keys are detected in frontend code
  • Step-by-step remediation guide for each type of leaked secret
Get started with BWORLDS

Frequently asked questions.

If I deleted the .env file from my repo, are the secrets still exposed?

Yes. Git keeps the full history of every commit. If a .env file was ever committed, anyone with access to your repo can find the secrets in the git history. You must rotate the keys, not just delete the file.

Does GitHub detect leaked keys automatically?

Yes, for known key formats. GitHub's secret scanning partner program detects patterns for over 200 service providers. If a known key pattern is committed to a public repo, GitHub alerts you and may also notify the service provider, who may automatically revoke the key. For private repos, scanning has to be enabled first, and custom token formats are not detected unless you define patterns for them.

How fast can a leaked key be abused?

Within minutes. Automated bots continuously monitor public GitHub repositories for committed secrets. Honeypot experiments have repeatedly shown AWS keys being tried within minutes of being pushed to a public repo, so a key that was public for even a short time should be treated as compromised.

Is it safe to keep secrets in a .env file?

Yes, as long as .env is in your .gitignore and never committed to version control. The .env file stores secrets locally during development. For production, use your hosting platform's environment variables or secrets manager. One caveat: frontend build tools copy any variable with a public prefix (VITE_ in Vite, NEXT_PUBLIC_ in Next.js, REACT_APP_ in Create React App) into the browser bundle, so a secret key stored under one of those names is exposed even though it never left .env.