Vulnerability Details
Severity: High
Category: API
Description
API keys or secrets are exposed in client-side code, public repositories, URLs, or response bodies, allowing unauthorized access to API services.
Risks
An attacker could use exposed API keys to access protected services, consume API quotas, exfiltrate data, or incur financial charges on the victim's account.
Remediation
Store API keys in environment variables or secure vaults, never in code. Implement key rotation policies. Use short-lived tokens instead of long-lived keys. Monitor for key exposure using automated scanning tools. Restrict key permissions to minimum required scope.
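Added example, not part of this entry: a small Python heuristic that flags credential-shaped literals on the three exposure surfaces the description names (client-side code, URLs, response bodies) and a fail-closed loader for the environment-variable remediation. The regexes, entropy floor, field names and all sample values are constructed assumptions, not any scanner's real rules.

```python
import math
import os
import re
from collections import Counter

# Credential-shaped literals on the three surfaces named above: an assignment
# in client-side code, a query-string parameter in a URL, and a JSON field in
# a response body. The field names and the 16-character floor are heuristics.
ASSIGN_RE = re.compile(r'(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*["\']([A-Za-z0-9_\-]{16,})["\']')
QUERY_RE = re.compile(r'(?i)[?&](api[_-]?key|key|token|secret)=([A-Za-z0-9_\-]{16,})')
JSON_RE = re.compile(r'(?i)"(api[_-]?key|secret|token)"\s*:\s*"([A-Za-z0-9_\-]{16,})"')

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, placeholders score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def find_exposed_keys(text: str, min_entropy: float = 3.5) -> list:
    """Return (surface, field, value) for each likely live key in text.
    The entropy floor drops placeholders such as 'your_api_key_here'."""
    hits = []
    for surface, pattern in (("code", ASSIGN_RE), ("url", QUERY_RE), ("response", JSON_RE)):
        for m in pattern.finditer(text):
            field, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= min_entropy:
                hits.append((surface, field, value))
    return hits

def load_api_key(name: str, env=None) -> str:
    """Remediation side: read the key from the environment and fail closed
    when it is missing, so no literal or default ever lands in source."""
    env = os.environ if env is None else env
    value = env.get(name, "")
    if len(value) < 16:
        raise RuntimeError(f"{name} is not configured; set it via the environment or a vault")
    return value

# Constructed sample inputs (hypothetical values, not real credentials).
BUNDLE_JS = """
const API_KEY = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6";
const apiKey = "your_api_key_here";
fetch("https://api.example.test/v1/items?api_key=Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp");
"""
RESPONSE_BODY = '{"user": "alice", "token": "Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6"}'

if __name__ == "__main__":
    for hit in find_exposed_keys(BUNDLE_JS) + find_exposed_keys(RESPONSE_BODY):
        print(hit)
```

Run the same function over a public repository's files, CI logs or captured responses to catch the exposures the description lists; treat any hit as a key to rotate, not just delete.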