The hook
Most apps leak more than they realize. The attacker doesn't need a single big secret to do damage — they assemble a map of your infrastructure from a pile of small leaks. A staging hostname here, an internal API path there, a version banner mentioning the framework version, a comment marking a TODO that says 'remove before launch.' Each finding alone wouldn't justify an alert; the aggregate produces a recon report sharp enough to plan a targeted attack from. The bug class doesn't fit the binary 'leaked or didn't' framing — it's about what made it through minification because the attacker reading your bundle has more time than your CI pipeline did.
Sådan fungerer det
Bundle minification keeps strings intact — that's by design (string contents drive runtime behavior, the minifier can't safely shorten them). The bugs are in what those strings reveal: hardcoded staging URLs (`https://api-staging.internal.yourapp.com/v1`), internal API hostnames, version constants (`VERSION = '4.2.1-rc.3'`), debug feature flags (`DEBUG = false` is fine; `INTERNAL_TOOLS_ENABLED = false` reveals there's a config flag for internal tools), verbose error messages quoting backend exceptions, and developer-experience artifacts like comments marked with `// TODO: rotate this key before launch`. Source map exposure makes this dramatically worse, but even with maps disabled, plenty leaks via the bundle itself.
The variants
Internal hostname references
`https://staging.internal.yourapp.com`, `*.eu-west-1.compute.internal`, references to internal admin tools by URL. Bypass production WAF by hitting these directly.
Version banners
`X-Build-Version`, `__VERSION__` constants, framework version stamps. Maps your deployment to known CVEs.
Verbose error messages
Frontend code includes raw error strings from the backend, sometimes containing stack traces, file paths, or DB column names.
Inline TODO/FIXME comments
Comments survive minification when stripped to the wrong level. `/* TODO: handle auth bypass for admin */` shipping to production is a real-world thing that happens.
The blast radius
Recon impact dominates. Staging hostnames let the attacker bypass production WAF, often hit weaker auth, and find dev-only debug endpoints still wired up. Version stamps map your stack to known CVEs in seconds. Dev-only routes that ship to prod are pre-baked attack surface. TODO comments are sometimes literal exploitation instructions.
// what fixvibe checks
What FixVibe checks
FixVibe checks shipped client assets for high-confidence secret exposure signals and known credential formats. Reports identify the affected asset and rotation path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Use environment-driven config rather than hardcoded URLs — `NEXT_PUBLIC_API_URL` set per-environment, never a literal staging hostname in a string constant. Strip version banners from production responses (most frameworks have a config flag). Run a build-time linter that fails on `console.log`, `// TODO`, `// FIXME` strings reaching the production bundle (eslint-plugin-no-secrets and similar). Audit your bundle for the strings you don't want public — `grep -E 'staging|internal|TODO|FIXME'` is a useful first pass; tools like webpack-bundle-analyzer help see what's in there. As a final layer, set up your build pipeline to refuse deploys from any branch that accidentally inlines a staging URL — make the failure mode loud.