Show HN: KeyLeak Detector – Scan websites for exposed API keys and secrets

New tool hunts leaked keys — devs split: fix your house or scan harder

TLDR: KeyLeak Detector scans websites for exposed API keys and private info, flagging risks fast. Commenters split between praising a handy alarm and arguing repeated leaks mean broken processes, with comparisons to gitleaks; it matters because one leaked key can put customer data at risk.

KeyLeak Detector dropped with a simple promise: scan your website and catch exposed API keys, passwords, and other private bits before the internet does. But the community? Oh, they showed up with popcorn. One veteran voice slammed the panic button, basically saying if you’ve had multiple leaks this year, your house isn’t messy—it’s missing doors. Their take: tools like this are fine, but the real problem is sloppy habits and bad processes. Cue a chorus of “stop taping over the check engine light” energy, with memes about “keys on the homepage” and “move fast and leak things.”

On the other side, practical folks want comparisons: does this beat or complement gitleaks? They’re asking for real-world results, not just a flashy demo. Others eye the ethics: the app screams authorized testing only, and commenters joked about “accidentally” scanning big-name sites—followed by a quick “kidding, lawyers!” For non-nerds: it loads pages like a browser, watches traffic, and flags patterns that look like cloud logins, payment keys, database passwords, even credit card numbers, then grades the danger and suggests fixes. Fans call it a handy smoke alarm; critics say you need better locks. The vibe: useful gadget meets culture war over prevention vs detection.

Key Points

  • KeyLeak Detector scans websites for exposed API keys, tokens, and sensitive data and categorizes findings by severity.
  • It uses Playwright for headless browser automation and mitmproxy to intercept HTTP traffic, with regex-based pattern matching and context-aware filtering.
  • The tool detects 50+ secret types across cloud, services, databases, authentication, and many LLM/AI providers.
  • Installation requires Python, a virtual environment, dependencies via pip, and Playwright (including Chromium); the app runs at http://localhost:5002.
  • Results include context of where secrets were found and remediation recommendations; use is limited to authorized testing with legal disclaimers.
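
The Key Points describe a pipeline of regex pattern matching, context-aware filtering, severity grading and remediation advice. The block below is an added illustration of that detection stage, not KeyLeak Detector's own code: it runs a handful of simplified, publicly documented secret formats over a constructed page body (no real credentials; the Playwright/mitmproxy capture step is assumed to have already produced the text), drops documented example keys and low-entropy dummy values, and returns findings graded by severity with a context snippet and a remediation hint. Rule names, thresholds and the remediation strings are this example's own choices.

```python
"""Added example (not KeyLeak Detector's code): regex secret matching with
context-aware filtering and severity grading over captured page text."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Each rule: display name, severity, compiled regex. The prefixes are the
# widely documented ones; the token bodies are simplified, not exhaustive.
RULES = [
    ("AWS access key ID", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Stripe live secret key", "critical", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
    ("GitHub personal access token", "high", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Generic API key assignment", "medium",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]")),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
# Markers that signal documentation samples or template values, not live keys.
PLACEHOLDER_MARKERS = ("EXAMPLE", "PLACEHOLDER", "YOUR_", "XXXX", "CHANGEME")
MIN_ENTROPY_BITS = 3.0  # assumed threshold; real keys are well above this
REMEDIATION = {
    "critical": "Revoke and rotate now; serve the call from a backend instead of the browser.",
    "high": "Rotate the token and narrow its scopes; remove it from client assets.",
    "medium": "Confirm whether the value is a live credential; rotate if it is.",
}


@dataclass
class Finding:
    rule: str
    severity: str
    value: str
    context: str       # where it was seen: source plus surrounding text
    remediation: str


def shannon_entropy(s: str) -> float:
    """Bits per character; repetitive dummy strings score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str, window: str) -> bool:
    """Context-aware filter: reject documented sample keys, template markers
    in or around the match, and values too repetitive to be real secrets."""
    haystack = (value + " " + window).upper()
    if any(marker in haystack for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(value) < MIN_ENTROPY_BITS


def scan_text(text: str, source: str = "<inline>", radius: int = 40) -> list[Finding]:
    """Run every rule over captured text, filter noise, grade by severity."""
    findings = []
    for name, severity, rx in RULES:
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            window = text[max(0, m.start() - radius):m.end() + radius]
            if is_placeholder(value, window):
                continue
            snippet = " ".join(window.split())  # collapse newlines for display
            findings.append(Finding(name, severity, value,
                                    f"{source}: ...{snippet}...", REMEDIATION[severity]))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed sample page body; every key below is made up for this example.
SAMPLE_PAGE = """<!-- constructed sample, no real credentials -->
<script>
  // snippet copied from a README, uses AWS's published sample key
  const demo = "AKIAIOSFODNN7EXAMPLE";
  // realistic-looking key hard-coded into client JS (made up for this demo)
  const awsKey = "AKIAQ7H3ZP2MN8KJ4LWB";
  const api_key = "abcdabcdabcdabcdabcd";   // low entropy, almost certainly a dummy
  fetch("/pay", { headers: { Authorization: "Bearer sk_live_4f9Gh2KpLm7QrS1tUvWxYz0A" } });
</script>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE, "https://example.test/app.js"):
        print(f"[{f.severity.upper()}] {f.rule}: {f.value}\n  at {f.context}\n  fix: {f.remediation}")
```

Of the four candidate matches in the constructed page, only two survive the filter: the documented AWS sample key is dropped because of its `EXAMPLE` marker and the repeated `abcd` value is dropped for low entropy, which is the kind of noise reduction the "context-aware filtering" bullet refers to. The surviving findings carry the surrounding text so a reviewer can see which script line leaked the value.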

Hottest takes

"There is something seriously wrong in your organization" — basilikum
"Secrets don't just accidentally make their way into the frontend" — basilikum
"How does this compare to gitleaks?" — toomuchtodo
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.