Source Detector is a browser-based frontend secret scanner for security researchers and engineering teams who need to find exposed API keys, inspect source maps, and review client-side exposure evidence.
Language: English · 简体中文 · 日本語
Local-first workflow. No account required for core use.
Detect exposed API keys, suspicious tokens, and risky client-side secrets in live website assets.
Review suspicious API key exposure patterns with surrounding evidence before deciding what is actionable.
Use Source Detector during browser-based reconnaissance to discover source maps and preserve evidence faster.
Review production JavaScript bundles for exposed keys and suspicious secret-like strings.
Understand what a public website reveals through shipped assets, source maps, and suspicious client-side clues.
Use a browser-native workflow to review exposed frontend assets and preserve evidence during research.
Detect source map files referenced by live pages and related client-side assets while you browse.
Use built-in and custom rules to surface suspicious patterns such as exposed API keys, AI-related tokens, and risky client-side secrets.
Review findings in the explorer and export versions or domain-level bundles as ZIP files for manual validation and reporting.
Speed up browser-based reconnaissance and prioritize client-side exposure worth investigating.
Audit exposed assets, review accidental leaks, and inspect what is reachable from production pages after deployment.
Open a target website in Chrome and let Source Detector observe source map references and related assets.
Run built-in or custom rules to highlight suspicious strings, tokens, and client-side exposure patterns.
Inspect the evidence, export artifacts, and validate whether a finding is a real issue or a low-risk public clue.
Source Detector is designed around a local-first workflow. Core functionality does not require an account. Collected artifacts and settings are intended to stay on your device for analysis workflows.
Read the full policy: Privacy Policy
Homepage mix target: 2 high-intent guides + 1 workflow + 1 risk explainer for browser-based security review.
High-intent guide: review browser-visible reCAPTCHA site keys as runtime protection clues, not automatic secret exposure.
High-intent guide: inspect runtime restriction clues around browser-visible API keys without jumping from public visibility to confirmed exposure.
Workflow guide: use browser-visible feature flag traffic to map hidden vendors, conditional services, and review priorities without overstating risk.
Risk explainer: treat upload endpoints, presigned flows, and storage domains as architecture signals rather than proof of exposed storage.
Rotation rule: prefer representative freshness over strict chronology; keep at least one practical detection guide visible at all times.
Core usage is positioned as local-first. Check the privacy policy and repository for the latest implementation details.
It can surface risky patterns using built-in and custom rules, then help you inspect the evidence manually.
No. Some exposed keys are harmless public identifiers, while others carry real abuse or cost risk.
It is the set of information a public website reveals directly to the browser through shipped assets and frontend clues.
Yes, for browser-reachable frontend assets — but they do not replace human validation.
Open an issue on GitHub for bug reports, questions, or feature requests.