How to spot launch-blocking secrets before users do
A founder-friendly pass over env files, client bundles, debug flags, and access controls.
4 min readLook for secrets where frontends can leak them
The fastest security win before launch is checking whether private tokens, debug credentials, or provider keys are reachable from the client bundle.
Environment variables should be split by intent. Public variables can be visible to the browser; private variables should stay server-side.
- Search for API keys, bearer tokens, private URLs, and test credentials.
- Check client-side config and localStorage usage.
- Keep `.env.example` useful without including real secrets.
Treat auth as part of the demo
A launch demo does not need enterprise auth, but it does need a clear boundary between public pages and private workspace actions.
If project creation, scans, exports, or admin actions can happen without a session, judges and users will notice.
Prefer visible limits
Rate limits, file limits, crawl limits, and archive extraction limits are product features for audit tools. They show that the system expects untrusted input.
Documenting these limits also makes the product feel more ready for marketplace review.
