Cymero / My Vibe SaaS / Protected
Severity: high. Status: live in production. Source: bundle probe. Confidence: 86%.
OpenAI key found in browser bundle
A model provider key matching a private (secret) key pattern appears in the deployed JavaScript bundle.
Why this matters
Anything in the JavaScript bundle is readable by every visitor, not just logged-in users: the key can be copied from DevTools, the network tab or the static chunk files and used to make model calls billed to your account outside your app, with none of your app's authentication or rate limits applied.
Evidence
.env.production:4 (production evidence)
1. NEXT_PUBLIC_OPENAI_API_KEY matched a private key pattern.
2. The variable name is browser-exposed by Next.js convention: variables prefixed NEXT_PUBLIC_ are inlined into the client bundle at build time.
3. A redacted fingerprint of the key was detected in the emitted _next/static chunks, so the exposure is confirmed in the deployed build and not only in the source file.
Suggested fix
Move provider keys to server-only environment variables (for example OPENAI_API_KEY, without the NEXT_PUBLIC_ prefix) and proxy model calls through authenticated API routes that attach the key server-side. Because the key has already been served to browsers, treat it as compromised: revoke it at the provider and issue a new one after redeploying, since removing the variable from the next build does not recall copies already downloaded.
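One way to implement the suggested fix, shown as an added example that is not code from this finding or from the scanned app: a Next.js App Router style handler (app/api/chat/route.js) that reads OPENAI_API_KEY server-side, refuses to start while the browser-exposed name is still set, authenticates the caller, allow-lists what the browser may request, and only then forwards the call upstream. It is written as a plain function so it runs stand-alone in Node 18+; in a Next.js project the handler would be declared `export async function POST(request)`. The `session` cookie lookup, the SESSIONS table and the `deps` parameter (a fake env and fetch for offline runs) are assumptions, not part of the scanned project.

```javascript
// Added example (hypothetical code, not from the Cymero finding or the scanned app).
// Shape of a Next.js App Router route handler; export POST from app/api/chat/route.js.

const OPENAI_URL = "https://api.openai.com/v1/chat/completions";

// Constructed sample session store. A real app verifies a signed cookie or JWT
// with its auth library instead of looking up a table.
const SESSIONS = { sess_abc: { id: "user_1" } };

// Only server-side variables are read here. Next.js inlines NEXT_PUBLIC_* into
// the browser bundle at build time, so the handler refuses to run while the old
// name is still configured anywhere in the environment.
function getServerKey(env = process.env) {
  if ("NEXT_PUBLIC_OPENAI_API_KEY" in env) {
    throw new Error("NEXT_PUBLIC_OPENAI_API_KEY is still set; it ships to browsers, remove it");
  }
  const key = env.OPENAI_API_KEY;
  if (!key) throw new Error("OPENAI_API_KEY is not set on the server");
  return key;
}

// Hypothetical session check based on a `session=<id>` cookie.
function getUserFromRequest(request) {
  const cookie = request.headers.get("cookie") || "";
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return m ? SESSIONS[m[1]] || null : null;
}

// Allow-list what the browser may choose, so a logged-in user cannot drive the
// server key to arbitrary models or oversized prompts.
const ALLOWED_MODELS = new Set(["gpt-4o-mini"]);
const MAX_MESSAGES = 20;

function validateBody(body) {
  if (!body || typeof body !== "object") return "invalid body";
  if (!ALLOWED_MODELS.has(body.model)) return "model not allowed";
  if (!Array.isArray(body.messages) || body.messages.length === 0) return "messages required";
  if (body.messages.length > MAX_MESSAGES) return "too many messages";
  if (!body.messages.every((m) => typeof m.role === "string" && typeof m.content === "string")) {
    return "malformed message";
  }
  return null;
}

// Builds the upstream call. The key is attached here, server-side only, and the
// caller's identity is forwarded as the `user` field for provider-side abuse tracking.
function buildUpstreamRequest(user, body, key) {
  return {
    url: OPENAI_URL,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${key}`, "Content-Type": "application/json" },
      body: JSON.stringify({ model: body.model, messages: body.messages, user: user.id }),
    },
  };
}

function jsonResponse(data, status) {
  return new Response(JSON.stringify(data), {
    status,
    headers: { "Content-Type": "application/json" },
  });
}

// Route handler. `deps` exists only so the example can run offline with a fake
// env and fetch; Next.js itself calls POST(request) with a single argument.
async function POST(request, deps = {}) {
  const { env = process.env, fetchImpl = globalThis.fetch } = deps;

  const user = getUserFromRequest(request);
  if (!user) return jsonResponse({ error: "unauthenticated" }, 401);

  let body;
  try {
    body = await request.json();
  } catch {
    return jsonResponse({ error: "invalid JSON" }, 400);
  }
  const problem = validateBody(body);
  if (problem) return jsonResponse({ error: problem }, 400);

  const { url, init } = buildUpstreamRequest(user, body, getServerKey(env));
  const upstream = await fetchImpl(url, init);
  // Forward status and JSON body only; upstream headers are dropped so nothing
  // provider-specific reaches the client.
  const data = await upstream.json();
  return jsonResponse(data, upstream.status);
}
```

The browser then calls /api/chat with its own session cookie and never sees a provider key; the server key can be rotated without a client redeploy, and the allow-list plus per-user forwarding gives you something to rate-limit and audit that a bare key in the bundle never could.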
Paste into Cursor
Remove NEXT_PUBLIC_OPENAI_API_KEY from client code and from every environment file. Store OPENAI_API_KEY server-side only and update all model calls to go through authenticated server routes that attach the key on the server. Revoke the exposed key at the provider and replace it with a new one after redeploying.