
Your API keys might be sitting in your JavaScript bundle right now

Founder of DeploySafe (deploysafe.io). I build developer tools and write about security, shipping fast, and the bugs I find along the way.

I ship small apps fast. Some of them I build mostly with AI tools. And every time I deployed one, the same thought nagged at me: I have no idea if this is secure. I'm not a security person. I don't know what I don't know.

The existing options didn't fit. Most scanners want to live in your CI pipeline, need access to your repo, or spit out a 40-page report full of jargon that I was never going to read, let alone act on.

So I built DeploySafe (https://deploysafe.io). The idea is simple: you paste your live app's URL, and it probes the running app the way someone poking at it would.

Here is what it checks for right now:

  • Leaked environment variables and API keys sitting in your JS bundles

  • Broken or missing access control on routes that should be protected

  • Open redirects

  • Missing CSRF protection

  • Cookies without secure flags

  • Vulnerable dependency versions

  • Exposed .git and .env files

  • Dangerous HTTP methods left enabled

  • Missing security headers

The part I cared about most: it does not just tell you what is wrong. Every finding comes with three things. A plain-English explanation of how the issue would actually get exploited. A rough estimate of what it would cost you if it did. And a copy-paste prompt written to drop straight into your AI coding tool, so you can fix it in a few minutes instead of researching it for an hour.

A few technical notes for anyone curious how it works:

  • It drives a real headless browser (Playwright), so it understands single-page app routes and behaves like a real session instead of just curling endpoints.

  • There is a triage layer that filters raw probe output down to real findings. Cutting false positives has honestly been most of the work. A scanner that cries wolf is worse than no scanner.

  • You can only scan targets you confirm you own or are authorized to test.
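The first item in the checklist above (secrets inlined into the shipped JS bundle) and the triage layer from these notes, shown together as an added Node.js example. This is not DeploySafe's code: the key-prefix patterns are publicly documented formats, the placeholder vocabulary and the entropy threshold are this example's own assumptions, and the bundle text is constructed so the script runs offline.

```javascript
// Added example, not DeploySafe's code: scan the text of a shipped JavaScript
// bundle for strings that look like leaked secrets, then triage the raw hits so
// placeholders and low-entropy values do not become findings.

// Publicly documented key prefixes. Publishable/client keys (e.g. Stripe's
// pk_live_) are meant to reach the browser and are deliberately not listed.
const SECRET_PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Stripe secret key', re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { name: 'GitHub personal access token', re: /\bghp_[0-9A-Za-z]{36}\b/g },
  // Generic: an env-style name ending in SECRET/TOKEN/API_KEY/PASSWORD assigned a
  // quoted literal, which is what a bundler emits when process.env.X is inlined.
  {
    name: 'Inlined env-style secret',
    re: /([A-Z][A-Z0-9_]*(?:SECRET|TOKEN|API_KEY|PASSWORD))\s*[:=]\s*["']([^"']{8,})["']/g,
  },
];

// Placeholder vocabulary used by triage (an assumption of this example).
const PLACEHOLDER_RE = /^(your|replace|changeme|example|xxx|todo|dummy|test)/i;

// Shannon entropy in bits per character: random keys score high, "aaaa..." scores 0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Raw probe: every pattern hit in the bundle text, with the value and its offset.
function probeBundle(text) {
  const hits = [];
  for (const { name, re } of SECRET_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      // The generic pattern captures the variable name (group 1) and the value
      // (group 2); the specific patterns match the whole key.
      const generic = m[2] !== undefined;
      hits.push({
        name,
        variable: generic ? m[1] : null,
        value: generic ? m[2] : m[0],
        offset: generic ? m.index + m[0].indexOf(m[2]) : m.index,
      });
    }
  }
  return hits;
}

// One secret may be hit by both a specific and the generic pattern: merge by value,
// keeping the specific name and picking up the variable name from the generic hit.
function dedupe(hits) {
  const byValue = new Map();
  for (const h of hits) {
    const prev = byValue.get(h.value);
    if (!prev) byValue.set(h.value, { ...h });
    else if (!prev.variable && h.variable) prev.variable = h.variable;
  }
  return [...byValue.values()];
}

// Triage: drop placeholder text and low-entropy strings (threshold is an assumption).
function triage(hits, minEntropy = 3.0) {
  return hits.filter(h => !PLACEHOLDER_RE.test(h.value) && shannonEntropy(h.value) >= minEntropy);
}

// Never write the full secret into a report; keep just enough to locate it.
function redact(value) {
  return value.length > 16 ? `${value.slice(0, 8)}...${value.slice(-4)}` : '****';
}

function scanBundle(text) {
  return triage(dedupe(probeBundle(text))).map(h => ({ ...h, value: redact(h.value) }));
}

// Constructed sample of minified bundle output (not taken from any real app).
const SAMPLE_BUNDLE = [
  'var c={API_URL:"https://api.example.com",',
  'STRIPE_PUBLISHABLE:"pk_live_ClientSideKeyIsExpected00",',
  'STRIPE_SECRET:"sk_live_9aB3cD7eF1gH5iJ8kL2mN4oP6q",',
  'GITHUB_TOKEN:"REPLACE_ME_TOKEN",',
  'SESSION_SECRET:"aaaaaaaaaaaa"};',
  'fetch(u,{headers:{"x-amz-key":"AKIAIOSFODNN7EXAMPLE"}});',
].join('\n');

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
```

Run it with `node`. On the constructed bundle the raw probe produces five hits, but only the two high-entropy keys survive triage: the placeholder and the repeated-character value are exactly the kind of noise the notes above describe filtering out. In practice you would feed `scanBundle` the text of each script your page loads; a confirmed hit means the key has to be rotated and the call that needs it moved behind a server-side endpoint, since anything in the bundle is readable by every visitor.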

It is free to scan, with a small credit grant when you sign up. The deeper parts (full fix prompts, scanning behind a login) are paid through credit packs. It is a solo project, so I am being upfront about that.

If you scan something and it flags nonsense, I genuinely want to hear about it. And if there is a check you wish it ran, tell me. GraphQL introspection and subdomain takeover detection are already next on my list.

You can try it at deploysafe.io. Would love your feedback.