API Key Leak Scanner
BeginnerHardcoded secrets in source code are one of the most common security mistakes. Find API keys, passwords, and tokens hiding in code, then learn how to properly manage secrets.
Progress:
1
Find Hardcoded Secrets2
Spot the Leaked .env3
Secure the Secrets1
Find Hardcoded Secrets
Click each line that contains a hardcoded secret. Found: 0/3
payments.py
1import requests
2import json
3from datetime import datetime
4
5# Configuration
6BASE_URL = "https://api.stripe.com/v1"
7API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
8TIMEOUT = 30
9
10def get_customers():
11 """Fetch all customers from Stripe"""
12 headers = {"Authorization": f"Bearer {API_KEY}"}
13 response = requests.get(f"{BASE_URL}/customers", headers=headers)
14 return response.json()
15
16def create_payment(amount, currency="usd"):
17 # TODO: refactor this endpoint
18 # password: admin123 (for staging DB)
19 payload = {"amount": amount, "currency": currency}
20 response = requests.post(f"{BASE_URL}/charges", json=payload)
21 return response.json()
22
23def verify_webhook(event_id):
24 """Verify a Stripe webhook event"""
25 url = f"https://api.stripe.com/v1/events/{event_id}?token=whsec_MbFJq5RGVnRlE4Trq3M7Pv3s"
26 response = requests.get(url)
27 return response.status_code == 200
28
29if __name__ == "__main__":
30 customers = get_customers()
31 print(f"Found {len(customers)} customers")