Secret Scanner – Exposed Secrets Autor: pp4mnk

Secret Scanner – Exposed Secrets Detector

Secret Scanner is a lightweight security tool that helps identify potentially exposed API keys, tokens, and credentials directly within publicly delivered web pages.

It scans the HTML content and inline JavaScript of the currently open webpage to detect patterns commonly associated with hardcoded secrets, a frequent security mistake in web development.

🔍 What Secret Scanner detects (heuristic)

🚨 API keys and service tokens, including patterns related to:

AWS access keys

Google API keys

Stripe secret keys

🔑 JWT tokens and Bearer tokens

🔐 Hardcoded credentials such as apiKey, secret, token, or password assignments

🧩 Suspicious high-entropy strings that may indicate exposed secrets

🧠 How it works

Secret Scanner analyzes only publicly available page content:

The rendered HTML

Inline JavaScript embedded in the page

It does not fetch external scripts, execute code, validate credentials, or attempt to use detected values in any way.
All findings are heuristic indicators, not proof of a real or exploitable secret.

🛡️ Privacy & safety

✅ All analysis runs locally in the browser

✅ No data collection

✅ No tracking

✅ No external APIs or servers

✅ No detected values are stored or transmitted

Only aggregated results (type and count) are shown to the user to avoid exposing sensitive values.

🎓 Intended use

Secret Scanner is designed for educational, development, and auditing purposes.
It is useful for:

Developers reviewing their own projects

Learning about common security misconfigurations

Demonstrating secure coding practices

Quick, non-intrusive checks during development or testing

Results should always be manually reviewed and interpreted in context.

Secret Scanner helps promote better security practices by making hidden risks visible—without collecting data or compromising privacy.