Next.js Secret Scanner
Next.js apps have specific patterns that leak secrets into client bundles: NEXT_PUBLIC_ variable misuse, build-time inlining, and source map exposure. GetLeaked checks your deployed app for these patterns without touching your source code or requiring any integration.
How Next.js leaks secrets into production
The most common path is straightforward: a developer uses NEXT_PUBLIC_SUPABASE_SERVICE_KEY without realizing that NEXT_PUBLIC_ means "ship this to the browser." The key appears verbatim in a _next/static chunk, visible to anyone who opens DevTools or runs strings against the bundle.
Less obvious paths include a module that reads a secret env var being imported across a client component boundary, or a utility initialized at module level that evaluates an env var at build time. GetLeaked checks the bundle output — the ground truth of what ships — not the source intent.
What GetLeaked checks
Bundle-level evidence, not guesswork.
01
NEXT_PUBLIC_ variable misuse
Next.js automatically inlines any variable prefixed with NEXT_PUBLIC_ into the client bundle at build time. This is the right choice for public config like your Supabase anon key or a public analytics ID. It is the wrong choice for your Supabase service role key, admin tokens, or any credential that grants elevated access. GetLeaked scans client bundles for credential patterns that should never be public.
02
Secrets in _next/static chunks
Next.js splits JavaScript into chunks and hashes the filenames, but every chunk is publicly accessible. Credentials hardcoded in a component, or read from an env variable without the NEXT_PUBLIC_ prefix, sometimes still end up inlined when the variable is evaluated at build time. GetLeaked fetches and scans the loaded chunks from your public URL for credential patterns.
03
Source map exposure
If source maps are enabled in production, the full original source — including any secrets in comments, variable names, or string literals — can be fetched by anyone. GetLeaked checks whether source maps are publicly accessible and flags findings if they are.
04
Hardcoded API keys in committed code
Keys typed directly into source files instead of read from env are a persistent risk, especially when source maps or client bundles expose them. Deep Scan extends the public-deployment review with source-map reconstruction (where maps are exposed) and stronger credential-pattern checks.
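As an added example (not GetLeaked's code), the Node.js script below shows what checks 01 and 03 look for in a single chunk: it decodes any JWT-shaped string and flags one whose payload claims role=service_role (the Supabase service key) while reporting the anon key as expected-public, and it reports a sourceMappingURL comment that would expose the original source. The chunk and the tokens are constructed inline; the Supabase key format (a JWT carrying a role claim) is assumed.

```javascript
// Added example, not GetLeaked's own code: scan one Next.js client chunk for
// (a) Supabase-style JWTs whose payload claims role=service_role (check 01)
// and (b) a sourceMappingURL comment that exposes original source (check 03).
// Everything here is constructed inline; nothing is fetched from a deployment.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed stand-ins for keys inlined via NEXT_PUBLIC_: the "role" claim is
// what separates a service key from the anon key. Signature is dummy text.
const HEADER = b64url({ alg: "HS256", typ: "JWT" });
const SIG = "c2lnLWRvZXMtbm90LW1hdHRlcg";
const FAKE_SERVICE_KEY = `${HEADER}.${b64url({ iss: "supabase", role: "service_role" })}.${SIG}`;
const FAKE_ANON_KEY = `${HEADER}.${b64url({ iss: "supabase", role: "anon" })}.${SIG}`;

// Constructed fragment shaped like a _next/static chunk that inlined both keys.
const SAMPLE_CHUNK =
  `(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[1],{42:function(e,t,n){` +
  `var a=n(7).createClient("https://example.supabase.co","${FAKE_ANON_KEY}");` +
  `var s=n(7).createClient("https://example.supabase.co","${FAKE_SERVICE_KEY}")}}]);\n` +
  `//# sourceMappingURL=main-abc123.js.map\n`;

const JWT_RE = /[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g; // compact JWS shape
const ROLE_SEVERITY = { service_role: "critical", anon: "info" }; // anon is meant to be public

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null; // three dotted segments that are not a JWT (e.g. a minified member chain)
  }
}

function scanChunk(text) {
  const findings = [];
  for (const token of text.match(JWT_RE) || []) {
    const payload = decodeJwtPayload(token);
    const role = payload && typeof payload.role === "string" ? payload.role : null;
    if (role && Object.prototype.hasOwnProperty.call(ROLE_SEVERITY, role)) {
      findings.push({ kind: `jwt_role_${role}`, severity: ROLE_SEVERITY[role], preview: token.slice(0, 12) + "..." });
    }
  }
  const map = text.match(/\/\/# sourceMappingURL=(\S+)/);
  if (map) findings.push({ kind: "source_map_reference", severity: "medium", value: map[1] });
  return findings;
}

console.log(scanChunk(SAMPLE_CHUNK));
```

Run it against a chunk you have downloaded from your own deployment by replacing SAMPLE_CHUNK with the file contents; a critical finding means a service key shipped to the browser.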
Scope and limitations
- Server-only env vars (no NEXT_PUBLIC_ prefix, never imported into client components) are outside the scope of the free URL scan.
- Git history scanning is not included in the current public flow — the current product checks the deployed public surface.
- Private repository review is not included in the current public flow. The current scan works on public deployments only.
Check your Next.js bundle before launch.
Paste your deployed URL and get bundle-level evidence of exposed secrets in minutes. Free, no login required.