<![CDATA[DeploySafe Blog]]>https://blog.deploysafe.iohttps://cdn.hashnode.com/uploads/logos/6a1af774f14037cc1a81a89c/2a7ff929-e34b-4f4b-a599-ceed21851c3d.pngDeploySafe Bloghttps://blog.deploysafe.ioRSS for NodeSat, 30 May 2026 17:37:04 GMT60<![CDATA[Your API keys might be sitting in your JavaScript bundle right now]]>https://blog.deploysafe.io/your-api-keys-might-be-sitting-in-your-javascript-bundle-right-nowhttps://blog.deploysafe.io/your-api-keys-might-be-sitting-in-your-javascript-bundle-right-nowSat, 30 May 2026 15:34:16 GMTI ship small apps fast. Some of them I build mostly with AI tools. And every time I deployed one, the same thought nagged at me: I have no idea if this is secure. I'm not a security person. I don't know what I don't know.

The existing options didn't fit. Most scanners want to live in your CI pipeline, need access to your repo, or spit out a 40-page report full of jargon that I was never going to read, let alone act on.

So I built DeploySafe (https://deploysafe.io). The idea is simple: you paste your live app's URL, and it probes the running app the way someone poking at it would.

Here is what it checks for right now:

  • Leaked environment variables and API keys sitting in your JS bundles

  • Broken or missing access control on routes that should be protected

  • Open redirects

  • Missing CSRF protection

  • Cookies without secure flags

  • Vulnerable dependency versions

  • Exposed .git and .env files

  • Dangerous HTTP methods left enabled

  • Missing security headers

The part I cared about most: it does not just tell you what is wrong. Every finding comes with three things. A plain-English explanation of how the issue would actually get exploited. A rough estimate of what it would cost you if it did. And a copy-paste prompt written to drop straight into your AI coding tool, so you can fix it in a few minutes instead of researching it for an hour.

A few technical notes for anyone curious how it works:

  • It drives a real headless browser (Playwright), so it understands single-page app routes and behaves like a real session instead of just curling endpoints.

  • There is a triage layer that filters raw probe output down to real findings. Cutting false positives has honestly been most of the work. A scanner that cries wolf is worse than no scanner.

  • You can only scan targets you confirm you own or are authorized to test.

It is free to scan, with a small credit grant when you sign up. The deeper parts (full fix prompts, scanning behind a login) are paid through credit packs. It is a solo project, so I am being upfront about that.

If you scan something and it flags nonsense, I genuinely want to hear about it. And if there is a check you wish it ran, tell me. GraphQL introspection and subdomain takeover detection are already next on my list.

You can try it at deploysafe.io. Would love your feedback.

]]>