Pro Feature
Secret Leak Scanner
GitHub reported over 100 million secrets leaked in public repositories in a single year — and their automated scanners find new ones within seconds of each commit. Bots scrape public code playgrounds constantly. If an API key ends up on a web page, someone will find it — the question is whether you find it first.
What Secrets Does the Leak Scanner Detect?
API Keys
AWS keys (the ones starting with AKIA), Stripe live keys, Google API keys, Slack tokens, SendGrid, Twilio — 30+ provider patterns. One leaked AWS key can spin up $50,000 in EC2 instances before you wake up.
Private Keys
RSA, SSH, PGP private keys exposed in page source or inline scripts. We see this more than you'd expect — especially on misconfigured internal dashboards.
Credentials & Connection Strings
Database URIs with embedded passwords, OAuth client secrets, webhook signing keys. The kind of stuff that should be in a .env file but somehow ended up in the HTML.
How Does the Secret Leak Scanner Work?
1. Page loads, scanner runs. When you visit any page, PhishClean reads the page source, inline scripts, and visible text. This happens automatically — you don't need to trigger anything.
2. 30+ patterns checked. We match against known secret formats: AWS keys (AKIA...), Stripe keys (sk_live_...), GitHub tokens (ghp_...), database URIs, private key headers, and more. Test/example keys are filtered out to avoid noise.
3. You get a clear alert. If something matches, you see a warning with the secret type and where it was found on the page. From there you can dismiss it, whitelist the domain, or investigate.
4. Nothing leaves your browser. The entire scan runs locally. We don't see the secrets, the page content, or even the URL you're visiting.
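To make steps 2 and 3 concrete, here is a small added example of how a browser-side pattern scanner with example-key filtering and redacted alerts can be written. It is illustrative code, not PhishClean's own rule set; the regexes and the placeholder filter are assumptions based on publicly documented key formats, and the sample values in the comments are constructed.

```javascript
// Added example, not PhishClean's code. Patterns are assumptions drawn from
// publicly documented key formats, not the extension's real rule set.
const SECRET_PATTERNS = [
  { type: "AWS Access Key ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "Stripe Live Secret Key", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { type: "GitHub Personal Access Token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  // Connection string with an embedded password: scheme://user:password@host...
  { type: "Database URI with password",
    re: /\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|mysql):\/\/[^\s:\/@]+:[^\s@]+@[^\s"'<>]+/g },
  { type: "Private Key", re: /-----BEGIN (?:RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY(?: BLOCK)?-----/g },
];

// Placeholder values that show up in docs and tutorials; reporting them is noise.
// AKIAIOSFODNN7EXAMPLE is AWS's own documented example key.
const KNOWN_EXAMPLES = new Set(["AKIAIOSFODNN7EXAMPLE"]);

function isExampleSecret(value) {
  return KNOWN_EXAMPLES.has(value) || /EXAMPLE|PLACEHOLDER|XXXX/i.test(value);
}

// Scan a text blob (page source, inline script, visible text). Returns one
// finding per match with its type, raw value, offset, and which source it came from.
function scanForSecrets(text, source = "page") {
  const findings = [];
  for (const { type, re } of SECRET_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      if (isExampleSecret(m[0])) continue;
      findings.push({ type, value: m[0], index: m.index, source });
    }
  }
  return findings;
}

// The alert should not re-expose the whole secret; show only the edges.
function redact(value) {
  return value.length <= 8 ? "****" : value.slice(0, 4) + "..." + value.slice(-4);
}

// Content-script style entry point: scan the rendered HTML plus each inline script.
function scanDocument(doc) {
  const findings = scanForSecrets(doc.documentElement.outerHTML, "html");
  for (const s of doc.querySelectorAll("script:not([src])")) {
    findings.push(...scanForSecrets(s.textContent, "inline-script"));
  }
  return findings;
}

if (typeof document !== "undefined") {
  for (const f of scanDocument(document)) {
    console.warn(`[secret-leak] ${f.type} in ${f.source} at offset ${f.index}: ${redact(f.value)}`);
  }
}
```

Everything runs in the page context, so nothing is sent anywhere; a real extension would also need to rescan after dynamic DOM changes.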
Where We See Leaks Happening
GitHub reported over 100 million secrets leaked in public repositories in a single year. But repos aren't the only place secrets show up. Here's what we built this feature to catch:
- A developer pastes a live Stripe key into a Stack Overflow answer while debugging. Someone copies the code example — and the key — into their own project. Now it's on two sites.
- A React app bundles process.env.API_KEY into the client-side JavaScript because REACT_APP_ prefixed variables are public by default in Create React App. Every visitor can read it in the source.
- An internal admin dashboard displays raw database credentials without masking. It's behind a login, but one phishing attack or hidden iframe later, those credentials are exposed.
- Formjacking scripts sometimes exfiltrate not just card numbers but also any secrets found in the page DOM. A leaked API key on a compromised page gives the attacker two things to work with instead of one.
For a deeper look at how leaks happen and what to do about them, see our full guide on API key leaks.
What We Don't Scan
Honesty matters. PhishClean is a browser extension, so there are limits to what it can do:
- We can't scan server-side code, private repositories, or files on your local machine — those need tools like gitleaks or detect-secrets
- We won't catch secrets in HTTP headers or network responses that don't appear in page content (our auth header monitoring covers some of this)
- Obfuscated or encoded secrets that don't match known patterns will slip through
Think of the secret leak scanner as a safety net for your browsing — it catches what other tools miss because it operates at the browser level, on every page you visit.
Supported Secret Types
- AWS Access Keys & Secret Keys
- Stripe Secret & Publishable Keys
- GitHub Personal Access Tokens
- Slack Bot & User Tokens
- Google API Keys & OAuth Secrets
- SendGrid API Keys
- Twilio Account SID & Auth Tokens
- Database Connection Strings (PostgreSQL, MongoDB, MySQL)
- RSA / SSH / PGP Private Keys
- Generic Bearer Tokens & JWTs
Catch Leaked Secrets Before Attackers Do
PhishClean scans every page for exposed API keys and credentials — locally, in real time. 3-day free trial, no credit card required.