SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

S01 Secret Exposure

What this means

SiteShadow flagged something that looks like a real credential (API key, token, password, private key) in source code, configuration, or logs.

Why it matters

Safer examples

1) Don't hardcode secrets, load them from the environment

import os

API_KEY = os.environ["API_KEY"]
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error("Missing API_KEY");

2) Don't log secrets, redact before logging

def redact(s: str) -> str:
    return s[:4] + "…" if s else ""

logger.info("Using API key prefix=%s", redact(os.environ.get("API_KEY")))

3) If a secret leaked, rotate it (don't "just delete the line")

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.