Skip to content
Flows
Security Basics Review
QA60-90 minutes
0/5 steps0%

Step 1 of 5

Hunt exposed secrets

The most common AI-build failure: keys where users can read them.

Prompt capsule

Audit this app for exposed secrets. Check: all frontend source and env files for API keys/tokens (anything beyond truly public keys); the built bundle if inspectable; backend code for hardcoded credentials that should be env vars; logs printing secrets; repo files (.env committed?). For every finding: move the secret server-side or to env, rotate it if it was exposed, and verify the frontend bundle no longer contains it. List every finding and action.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

A findings list with every secret moved, rotated, and re-verified.

Should not happen

  • API keys sitting in frontend env or bundle
  • Backend routes trusting the UI to gate access
  • Password hashes or emails returned in API responses
  • IDs guessable and records readable across users

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !API keys sitting in frontend env or bundle
  • !Backend routes trusting the UI to gate access
  • !Password hashes or emails returned in API responses
  • !IDs guessable and records readable across users

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

A key remains client-side because 'the calls need it'. Move that call to a backend endpoint that holds the key and have the frontend call your API instead.

Your notes for this step