Source Detector FAQ

Common questions about privacy, permissions, leak detection, export, and feedback.

1) Does Source Detector upload website data to a remote backend?

Source Detector is designed for a local-first workflow. Core analysis and storage are intended to run on your device, and no account is required for core usage.

For the latest implementation details and policy wording, see the Privacy Policy and the repository.

2) Why does the extension request these permissions?

storage: store settings and collected artifacts locally.
webRequest: detect source map references and related network signals.
host permissions: access target assets for analysis that you initiate in browser context.

See policy details in the Privacy Policy.

3) Can Source Detector prove that a key is leaked?

No. It helps surface potentially risky patterns using rules and evidence views. Findings should be validated manually before any disclosure or remediation decision.

4) What can I export?

You can export collected artifacts as ZIP bundles for selected versions or domain-level batches, then review them offline or attach evidence to internal reports.

5) How should I report bugs or request features?

Use GitHub Issues:

6) Is Source Detector a replacement for a full security assessment?

No. It is a focused client-side analysis and evidence collection tool. Treat its output as one input to a broader review process, not a complete security guarantee.

7) What is client-side exposure?

Client-side exposure means the information a public website reveals directly to the browser, including source maps, shipped JavaScript, public config clues, and suspicious strings.

Read the full answer

8) Can browser extensions detect leaked secrets?

Yes, they can help detect suspicious secret-like patterns in frontend assets that are already reachable in the browser, but they cannot replace manual validation.

Read the full answer